Le 08/02/2017 à 13:00, Pavel Březina a écrit :
it's said that sssd-sudo has been created to be near of the local
sudoers functionnment. So I suppose the three described mechanisms are
intended to converge to a near realtime rule change.
It's true that waiting for an undefinied time, rules become available...
but is there an estimated time of availibility? Is it rather 15min or
one hour (I suppose beyond is not usable)
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
on latest IPA, when adding a command to a rule or a sudo option for
example, the change is not active on the user session.
For example, after removing !authenticate option, I still can execute
sudo commands without password.
I tried to logout and relogin, but nothing changes, but on a new vm
where never logeed in before it wroks.
Is there a cache or somting to do so as to commands to be immediatly
sudo rules are cache on the client and refresh happens periodically.
We have several update mechanisms that deals with finding new rules,
deleting non-existent ones and updating expired but it cannot be
performed on desired at the moment. We have a ticket for that .
Please see 'man sssd-sudo' to get better understanding how it works.
It is possible to expired cached rules with sss_cache. This won't find
you newly added rules but it will fetch updated rules and removed
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project