On Thu, 11 Sep 2014 16:12:40 +0200
Jakub Hrozek <jhro...@redhat.com> wrote:
> On Wed, Sep 10, 2014 at 09:58:27PM +0000, Trevor T Kates (Services -
> 6) wrote:
> > Hi all:
> > I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a
> > bit of a quirky problem. From what I've read thus far, sudo under
> > SSSD can't provide sudo rules for local users that are not part of
> > the directory. To get around this, I've been using the
> > sudo-ldap.conf file to provide sudo with direct access to the
> > directory. This, however, can't make use of service discovery, so
> > if the first server in the ldap_uri list is taken down, sudo delays
> > for the length of the timeout set. My idea for getting around this
> > has been to use sudo in SSSD for users that are in the directory
> > and let sudo-ldap take care of local users with a line in
> > nsswitch.conf like this:
> > sudoers: files sss ldap
> I think this is more of a sudo question and I'm not too familiar with
> the sudo code to answer this question well. I added the sudo Fedora
> maintainer to CC, maybe he has some ideas?
> > My problem now seems to be that the ldap query is still run even if
> > a successful hit is made to sssd. Changing the line in
> > nsswitch.conf to:
> > sudoers: files sss [success=return] ldap
Yes, the "sudoers:" line is parsed by sudo and sudo does support the
[SUCCESS=return] option. However, this applies only to queries for sudo
Is the LDAP query you're talking about a query for sudo rules or for
users/groups? Sources for the user and groups dbs are not handled by
sudo. Sudo just uses the usual glibc calls and they may result in
queries to ldap and sss too.
> I don't think [success=return] will work here. Despite sudoers being
> configured in nsswitch.conf, it's not actually a NSS map handled by
> glibc. sudo itself parses the file.
> > doesn't seem to actually work.
> > Does anyone have pointers on how I can resolve this particular
> > problem?
> > Thanks!
> > Trevor T. Kates
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
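As an added example, not code from the thread and not sudo's own implementation, the model below shows the source-walking behaviour the reply describes: sudo parses the `sudoers:` line of nsswitch.conf by itself (glibc never sees that line), a bracketed action applies to the source immediately before it, and without `[SUCCESS=return]` every listed source is consulted even after an earlier hit, which is why the ldap query still ran after sss answered. The sample nsswitch.conf texts and the per-source "has a matching rule" tables are constructed. `[NOTFOUND=return]` is included because sudoers.ldap(5) documents it alongside source ordering, and the fallback to `files` when no `sudoers:` line exists follows the same manual. User and group resolution is deliberately not modelled: those lookups go through glibc under the `passwd:` and `group:` lines and are not affected by anything on the `sudoers:` line.

```python
"""Model of how sudo walks the sources on the ``sudoers:`` line of nsswitch.conf.

Added illustration, not sudo's code.  Each bracketed action attaches to the
source that precedes it; by default all sources are consulted and their
results combined.  Only the sudoers rule lookup is modelled here; user and
group lookups are glibc NSS (``passwd:`` / ``group:`` lines) and are out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Source:
    name: str
    ret_if_found: bool = False     # a [SUCCESS=return] followed this source
    ret_if_notfound: bool = False  # a [NOTFOUND=return] followed this source


def parse_sudoers_line(nsswitch_text: str) -> list[Source]:
    """Pull the ``sudoers:`` line out of an nsswitch.conf text (comments stripped,
    actions case-insensitive) and return the ordered source list."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("sudoers:"):
            continue
        sources: list[Source] = []
        for tok in line[len("sudoers:"):].split():
            if tok.startswith("[") and tok.endswith("]"):
                if not sources:
                    continue  # an action with no preceding source has nothing to attach to
                action = tok[1:-1].upper()
                if action == "SUCCESS=RETURN":
                    sources[-1].ret_if_found = True
                elif action == "NOTFOUND=RETURN":
                    sources[-1].ret_if_notfound = True
                else:
                    raise ValueError(f"unsupported sudoers action {tok!r}")
            else:
                sources.append(Source(tok.lower()))
        return sources
    # No sudoers: line at all: sudo behaves as if "sudoers: files" were present.
    return [Source("files")]


def lookup(sources: list[Source], has_rule: dict[str, bool]) -> tuple[list[str], list[str]]:
    """Walk the sources in order.  ``has_rule`` says, per source name, whether that
    backend holds a matching rule for the user (absent name = not found).
    Returns (sources actually queried, sources that produced a match)."""
    queried: list[str] = []
    matched: list[str] = []
    for src in sources:
        queried.append(src.name)
        found = has_rule.get(src.name, False)
        if found:
            matched.append(src.name)
            if src.ret_if_found:
                break
        elif src.ret_if_notfound:
            break
    return queried, matched


# Constructed sample configurations mirroring the two lines from the thread.
NSSWITCH_CONTINUE = """
passwd:     files sss
group:      files sss
sudoers:    files sss ldap
"""
NSSWITCH_RETURN = """
passwd:     files sss
group:      files sss
sudoers:    files sss [success=return] ldap
"""


def demo() -> dict[str, dict[str, tuple[list[str], list[str]]]]:
    """Run both configurations against two constructed accounts: a directory user
    whose rule is visible through sss (and, redundantly, over direct LDAP), and a
    local account for which only the direct sudo-ldap query can yield a rule."""
    directory_user = {"files": False, "sss": True, "ldap": True}
    local_user = {"files": False, "sss": False, "ldap": True}
    results = {}
    for label, text in (("continue", NSSWITCH_CONTINUE), ("return", NSSWITCH_RETURN)):
        srcs = parse_sudoers_line(text)
        results[label] = {
            "directory_user": lookup(srcs, directory_user),
            "local_user": lookup(srcs, local_user),
        }
    return results


if __name__ == "__main__":
    for label, per_user in demo().items():
        for who, (queried, matched) in per_user.items():
            print(f"{label:8s} {who:15s} queried={queried} matched={matched}")
```

With the plain `files sss ldap` line the directory user's lookup reaches all three sources even though sss already matched; with `files sss [success=return] ldap` it stops after sss, while the local account still falls through to ldap because sss returns nothing for it. If ldap keeps being queried despite `[success=return]` on a real host, the traffic to look at is the user/group side: `getent passwd <user>` exercises the `passwd:` line and is unaffected by this model.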