On Wed, Sep 10, 2014 at 09:58:27PM +0000, Trevor T Kates (Services - 6) wrote:
> Hi all:
> 
> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a quirky
> problem. From what I've read thus far, sudo under SSSD can't provide sudo rules
> for local users that are not part of the directory. To get around this, I've been
> using the sudo-ldap.conf file to provide sudo with direct access to the directory.
> This, however, can't make use of service discovery, so if the first server in the
> ldap_uri list is taken down, sudo delays for the length of the timeout set. My
> idea for getting around this has been to use sudo in SSSD for users that are in
> the directory and let sudo-ldap take care of local users with a line in nsswitch.conf
> like this:
> 
> sudoers: files sss ldap

I think this is more of a sudo question and I'm not too familiar with
the sudo code to answer this question well. I added the sudo Fedora
maintainer to CC, maybe he has some ideas?

> 
> My problem now seems to be that the ldap query is still run even if a successful hit
> is made to sssd. Changing the line in nsswitch.conf to:
> 
> sudoers: files sss [success=return] ldap

I don't think [success=return] will work here. Despite sudoers being
configured in nsswitch.conf, it's not actually an NSS map handled by
glibc. sudo itself parses the file.

> 
> doesn't seem to actually work.
> 
> Does anyone have pointers on how I can resolve this particular problem?
> 
> Thanks!
> 
> 
> Trevor T. Kates

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project