On Tue, 14 Apr 2015, Martin Kosek wrote:
On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
On Mon, 13 Apr 2015, Gould, Joshua wrote:
I’ve looked at the docs and it looks as if I can specify an external
user who can have sudo rights via IPA.


The issue being that when I try to add my AD Trust user, it doesn’t
allow the @ sign. (ex. gould@test.osuwmc).

If I modify the sudo rule to allow all users, I can see that it allows
my AD account sudo rights.

$ sudo -l

User gould@test.osuwmc may run the following commands on this host:
   (ALL : ALL) ALL

How can I configure the rule to allow certain AD users to be able to
execute certain sudo rules?
Through external users' groups mechanism we use for any other AD users
mapping in HBAC and SUDO. These are not local (not defined in IPA but
defined on the host) groups and users but rather AD groups and users.

ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould@test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make sudo rule that allows users of gould_group to run needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.

Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See example of such rule 

# ipa sudorule-show test --all --raw
 cn: test
 ipaenabledflag: TRUE
 hostcategory: all
 externaluser: foouser
 ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
 objectClass: ipasudorule
 objectClass: ipaassociation

The change in FreeIPA would be then only a matter of allowing users with '@' in
'externaluser' attribute
You lose validation of the user name here (we do validate that AD user
in question exists). And externaluser* options are deprecated.
/ Alexander Bokovoy
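The external-group path Alexander describes, carried through to a complete sudo rule and a final check, as an added example (not code from the thread or from FreeIPA itself). It assumes an enrolled client with an admin Kerberos ticket; the `DRY_RUN` switch, the `gould_group` / `allow_gould_httpd` names and the `systemctl restart httpd` command are illustrative choices for this example. The AD user is only accepted in fully qualified `user@AD.DOMAIN` form, since a bare name would be looked up in IPA rather than in the trusted forest, which is the validation Alexander says is lost when the name is pushed into `externaluser` as a plain string.

```shell
#!/bin/sh
# Added example: grant an AD trust user sudo rights through an IPA
# external group nested in a POSIX group, then show the stored rule.
# Assumes: enrolled client, valid admin ticket (kinit admin).
# Set DRY_RUN=1 to print the ipa commands instead of executing them.

# Run an ipa subcommand, or print it in dry-run mode.
run_ipa() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Existence probe used to keep the script re-runnable; in dry-run mode
# every object is treated as missing so all steps are displayed.
ipa_exists() {
    [ -n "${DRY_RUN:-}" ] && return 1
    ipa "$1" "$2" >/dev/null 2>&1
}

# Trust users must be fully qualified (user@AD.DOMAIN); anything else
# would be resolved against IPA itself and silently refer to nobody.
is_qualified_ad_user() {
    case "$1" in
        *@*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# setup_ad_sudo AD_USER GROUP_BASE RULE_NAME COMMAND
setup_ad_sudo() {
    ad_user=$1 base=$2 rule=$3 cmd=$4
    ext_group="${base}_ext"
    posix_group=$base

    is_qualified_ad_user "$ad_user" || {
        echo "refusing '$ad_user': expected user@AD.DOMAIN" >&2
        return 2
    }

    # 1. Non-POSIX external group: IPA checks the user against AD when
    #    the member is added, so typos are caught here rather than at
    #    sudo time.
    ipa_exists group-show "$ext_group" || run_ipa group-add --external "$ext_group"
    run_ipa group-add-member "$ext_group" --external="$ad_user"

    # 2. POSIX group nesting the external group; SSSD expands this
    #    membership on the client, AD users included.
    ipa_exists group-show "$posix_group" || run_ipa group-add "$posix_group"
    run_ipa group-add-member "$posix_group" --groups="$ext_group"

    # 3. The sudo rule references the POSIX group, never the raw AD name.
    ipa_exists sudocmd-show "$cmd"   || run_ipa sudocmd-add "$cmd"
    ipa_exists sudorule-show "$rule" || run_ipa sudorule-add "$rule" --hostcat=all
    run_ipa sudorule-add-user "$rule" --groups="$posix_group"
    run_ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"

    # 4. Verify: the POSIX group should be listed under the rule's users.
    run_ipa sudorule-show "$rule" --all
}

# Usage:
#   ./ad_sudo.sh gould@test.osuwmc gould_group allow_gould_httpd \
#       '/usr/bin/systemctl restart httpd'
# With no arguments the script only defines the functions above.
if [ "$#" -eq 4 ]; then
    setup_ad_sudo "$@"
fi
```

After the script runs, `sudo -l -U gould@test.osuwmc` on an enrolled host should list only the allowed command rather than `(ALL : ALL) ALL`; if it still shows nothing, `sss_cache -E` and a fresh login are the usual first checks, since SSSD caches the group expansion.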

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project