On Wed, Sep 10, 2014 at 09:58:27PM +0000, Trevor T Kates (Services - 6) wrote:
> Hi all:
> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a
> problem. From what I've read thus far, sudo under SSSD can't provide sudo
> for local users that are not part of the directory. To get around this, I've
> using the sudo-ldap.conf file to provide sudo with direct access to the
> This, however, can't make use of service discovery, so if the first server in
> ldap_uri list is taken down, sudo delays for the length of the timeout set. My
> idea for getting around this has been to use sudo in SSSD for users that are
> the directory and let sudo-ldap take care of local users with a line in
> like this:
> sudoers: files sss ldap
I think this is more of a sudo question and I'm not familiar enough with
the sudo code to answer this question well. I added the sudo Fedora
maintainer to CC, maybe he has some ideas?
> My problem now seems to be that the ldap query is still run even if a
> successful hit is made to sssd. Changing the line in nsswitch.conf to:
> sudoers: files sss [success=return] ldap
I don't think [success=return] will work here. Despite sudoers being
configured in nsswitch.conf, it's not actually a NSS map handled by
glibc. sudo itself parses the file.
> doesn't seem to actually work.
> Does anyone have pointers on how I can resolve this particular problem?
> Trevor T. Kates
> Manage your subscription for the Freeipa-users mailing list:
> Go To http://freeipa.org for more info on the project
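The point made above is that the sudoers: line is read by sudo's own parser, not by glibc, so the usual nsswitch bracket actions only do what sudo's parser implements. The following is an added example, written for this thread and not code from sudo, SSSD or FreeIPA: a small model of that source walk. It parses the glibc-style [STATUS=action] syntax sudo documents for "sudoers: ldap [NOTFOUND=return] files", binds each action to the source before it, and stops the walk when the preceding source reports that status. The backends (files, sss, ldap) and the hit counter are constructed stand-ins for the poster's setup: the directory user is absent from /etc/sudoers, SSSD has a rule, and the ldap source is unreachable so every query costs a full timeout. Whether a given sudo build honours [SUCCESS=return] is exactly what the thread leaves open; the model only assumes it is honoured so the reader can see what the flag would change, and shows that [NOTFOUND=return] placed after files stops the walk before sss is ever asked.

```python
"""Model of the source walk sudo performs for the sudoers: line of
nsswitch.conf.  Added example for this thread, not sudo's own code.
Assumptions: a bracketed [STATUS=action] binds to the source before it,
and 'return' ends the walk when that source reports that status."""
import re
from typing import Callable, Dict, List, Tuple

MATCH, NOTFOUND, UNAVAIL = "match", "notfound", "unavail"
# Status reported by a source lookup -> bracket keyword that refers to it.
_STATUS_KEY = {MATCH: "success", NOTFOUND: "notfound", UNAVAIL: "unavail"}

Lookup = Callable[[], str]


def parse_sudoers_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse 'sudoers: files sss [SUCCESS=return] ldap' into
    [('files', {}), ('sss', {'success': 'return'}), ('ldap', {})]."""
    body = line.split(":", 1)[1] if ":" in line else line
    sources: List[Tuple[str, Dict[str, str]]] = []
    for tok in body.split():
        m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
        if m is None:
            sources.append((tok.lower(), {}))
        elif not sources:
            raise ValueError(f"{tok} has no preceding source")
        else:
            sources[-1][1][m.group(1).lower()] = m.group(2).lower()
    return sources


def walk_sources(line: str, lookups: Dict[str, Lookup]) -> List[Tuple[str, str]]:
    """Consult the sources in order, honouring '=return' actions.
    Returns the (source, status) pairs that were actually queried."""
    trace: List[Tuple[str, str]] = []
    for name, actions in parse_sudoers_line(line):
        # A source with no backend configured behaves like an unavailable one.
        status = lookups.get(name, lambda: UNAVAIL)()
        trace.append((name, status))
        if actions.get(_STATUS_KEY[status]) == "return":
            break
    return trace


def make_lookups() -> Tuple[Dict[str, Lookup], Dict[str, int]]:
    """Constructed stand-ins (not real backends): the directory user is not
    in /etc/sudoers, SSSD has a rule for them, and sudo-ldap's server is
    down, so each ldap query is the slow timeout path.  The counter records
    how often each backend was hit."""
    hits = {"files": 0, "sss": 0, "ldap": 0}

    def files() -> str:
        hits["files"] += 1
        return NOTFOUND

    def sss() -> str:
        hits["sss"] += 1
        return MATCH

    def ldap() -> str:
        hits["ldap"] += 1
        return UNAVAIL  # no server answered: this is where the delay is spent

    return {"files": files, "sss": sss, "ldap": ldap}, hits


def ldap_hits(line: str) -> int:
    """Number of LDAP round-trips a given sudoers: line causes for a user
    whose rule lives in SSSD."""
    lookups, hits = make_lookups()
    walk_sources(line, lookups)
    return hits["ldap"]


if __name__ == "__main__":
    for cfg in ("sudoers: files sss ldap",
                "sudoers: files sss [SUCCESS=return] ldap",
                "sudoers: files [NOTFOUND=return] sss ldap"):
        lookups, hits = make_lookups()
        print(f"{cfg:45} -> {walk_sources(cfg, lookups)}")
```

With the plain "files sss ldap" line the model queries all three sources, so the ldap timeout is paid even though sss already matched; that is the behaviour the poster observes. The flag version stops after sss only if the parser actually implements SUCCESS=return, which is the assumption stated above, not a statement about what sudo 1.8 on CentOS 6 does.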