On Tue, 14 Apr 2015, Martin Kosek wrote:
On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
On Mon, 13 Apr 2015, Gould, Joshua wrote:
I’ve looked at the docs and it looks as if I can specify an external
user who can have sudo rights via IPA.
The issue being that when I try to add my AD Trust user, it doesn’t
allow the @ sign. (ex. firstname.lastname@example.org).
If I modify the sudo rule to allow all users, I can see that it allows
my AD account sudo rights.
$ sudo –l
User email@example.com may run the following commands on this host:
(ALL : ALL) ALL
How can I configure the rule to allow certain AD users to be able to
execute certain sudo rules?
Through external users' groups mechanism we use for any other AD users
mapping in HBAC and SUDO. These are not local (not defined in IPA but
defined on the host) groups and users but rather AD groups and users.
ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --firstname.lastname@example.org
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext
And now make sudo rule that allows users of gould_group to run needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.
Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See example of such rule
# ipa sudorule-show test --all --raw
The change in FreeIPA would be then only a matter of allowing users with '@' in
You lose validation of the user name here (we do validate that AD user
in question exists). And externaluser* options are deprecated.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project