On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
> On Mon, 13 Apr 2015, Gould, Joshua wrote:
>> I’ve looked at the docs and it looks as if I can specify an external
>> user who can have sudo rights via IPA.
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>> The issue being that when I try to add my AD Trust user, it doesn’t
>> allow the @ sign. (ex. gould@test.osuwmc).
>> If I modify the sudo rule to allow all users, I can see that it allows
>> my AD account sudo rights.
>> $ sudo -l
>> User gould@test.osuwmc may run the following commands on this host:
>>    (ALL : ALL) ALL
>> How can I configure the rule to allow certain AD users to be able to
>> execute certain sudo rules?
> Through the external users' groups mechanism we use for any other AD user
> mapping in HBAC and SUDO. These are not local groups and users (defined on
> the host rather than in IPA) but rather AD groups and users.
> ipa group-add --external gould_group_ext
> ipa group-add-member gould_group_ext --external=gould@test.osuwmc
> ipa group-add gould_group
> ipa group-add-member gould_group --groups=gould_group_ext
> And now make a sudo rule that allows users of gould_group to run the needed
> commands. SSSD will pull in all membership information for gould_group,
> including AD users.

Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See an example of such a rule:

# ipa sudorule-show test --all --raw
  cn: test
  ipaenabledflag: TRUE
  hostcategory: all
  externaluser: foouser
  ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
  objectClass: ipasudorule
  objectClass: ipaassociation

The change in FreeIPA would then only be a matter of allowing users with '@' in
the 'externaluser' attribute.
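
As an added example (not part of this thread and not the FreeIPA project's own code), the shell script below performs the external-group indirection Alexander describes and then attaches the resulting POSIX group to a sudo rule, so the AD user never has to appear in the 'externaluser' attribute at all. It assumes the `ipa` CLI is installed, an admin Kerberos ticket is present (kinit admin), and the AD trust is already established; the group names, rule name and command path are placeholders chosen for this example. Setting IPA to a stub command lets you dry-run it without a server.

```shell
#!/bin/sh
# Added example: grant an AD-trust user sudo rights in FreeIPA through an
# external group -> POSIX group -> sudo rule chain.
# Assumptions: `ipa` CLI installed, valid admin ticket, trust already set up.
# All names used here (gould_group*, the rule, the command) are placeholders.
set -u

IPA=${IPA:-ipa}   # point this at a stub to dry-run without an IPA server

# AD trust users are always DOMAIN-qualified (user@domain). Refuse anything
# else: a bare name would silently be treated as an IPA or local user.
require_ad_user() {
  case "$1" in
    *@*) return 0 ;;
    *)   echo "error: '$1' is not in user@DOMAIN form (AD trust user expected)" >&2
         return 1 ;;
  esac
}

# Create an object only if `<kind>-show` says it does not exist yet, so the
# script can be re-run safely.
ensure() {   # ensure <show-subcommand> <add-subcommand> <name> [add-args...]
  local show add name
  show=$1; add=$2; name=$3; shift 3
  "$IPA" "$show" "$name" >/dev/null 2>&1 || "$IPA" "$add" "$name" "$@"
}

grant_ad_user_sudo() {   # grant_ad_user_sudo <ad_user> <group_base> <rule> <cmd>
  local ad_user base rule cmd
  ad_user=$1; base=$2; rule=$3; cmd=$4
  require_ad_user "$ad_user" || return 1

  # 1. External (non-POSIX) group: this is the only group type that can hold
  #    an AD identity, referenced by its SID behind the scenes.
  ensure group-show group-add "${base}_ext" --external
  "$IPA" group-add-member "${base}_ext" --external="$ad_user"

  # 2. POSIX group that HBAC and sudo rules can reference; nest the external
  #    group inside it so SSSD resolves the AD members transitively.
  ensure group-show group-add "$base"
  "$IPA" group-add-member "$base" --groups="${base}_ext"

  # 3. Sudo command and rule. The rule targets the POSIX group, so no '@'
  #    ever needs to be stored in 'externaluser'.
  ensure sudocmd-show sudocmd-add "$cmd"
  ensure sudorule-show sudorule-add "$rule" --hostcat=all
  "$IPA" sudorule-add-user "$rule" --groups="$base"
  "$IPA" sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# Stand-alone usage:
#   ./grant_ad_sudo.sh gould@test.osuwmc gould_group restart_services /usr/bin/systemctl
# Afterwards, on an enrolled host, `sudo -l` as the AD user should list the
# command (allow a few minutes or run `sss_cache -E` for SSSD to refresh).
if [ $# -eq 4 ]; then
  grant_ad_user_sudo "$@"
fi
```

The `group-add-member` calls are left unguarded on purpose: `ipa` reports a non-zero exit when a member is already present, which is harmless on a re-run but worth seeing in the output.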

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project