During our evaluation phase we're facing following problem. One particular user 
were granted sudo permission with the help of a sudo rule. The user can 
successfully access the host via SSH and switched to user root by using the 
sudo command, which was enabled for the user with the sudo rule. After that the 
sudo rule was disabled and the user tried to login again and switching to root 
was still possible.

After deleting the SSSD cache files and restarting the service sudo did not 
work anymore, as excepted.

How long does it take until the sudo rules are refreshed in SSSD cache? I know 
that there are three different refresh mechanism (full, smart, rule). Full and 
smart refresh mechanism are performed periodically dependent on the settings in 
SSSD configuration file and rule method should refresh the users's specific 
rules after each login, what apparently was not the case for my test scenario. 
Please correct me if i'm wrong. Of course I can set the interval for smart 
refresh to a minimum of 10 seconds, but this would cause a lot of traffic.

How can I configure SSSD to update the rules during each login of the user?

Following components are used:
- FreeIPA server freeipa-server.x86_64 3.3.2-1.fc19
- FreeIPA client on CentosOS ipa-client.x86_64 3.0.0-26.el6_4.4
- SSSD sudo integration

--- /etc/sssd/sssd.conf ---

debug_level = 0xFFF0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.info
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = chef01.example.info
chpass_provider = ipa
ipa_server = _srv_, ipa01.example.info
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa01.example.info
ldap_sudo_search_base = ou=sudoers,dc=example,dc=info
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/chef01.example.info
ldap_sasl_realm = EXAMPLE.INFO
krb5_server = ipa01.example.info

debug_level = 0x0400
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.info
debug_level = 0xFFF0

--- /etc/sssd/sssd.conf ---

I tested the test scenario with very small intervals and the rules were 
properly updated.

ldap_sudo_full_refresh_interval = 30
ldap_sudo_smart_refresh_interval = 15

Is this a proper solution or can configure SSSD in a way that rules were 
updated during each uses's login?

I appreciate any help and thanking you in advance.


Freeipa-users mailing list

Reply via email to