On 02/08/2017 04:03 PM, Nathanaël Blanchet wrote:

Le 08/02/2017 à 13:00, Pavel Březina a écrit :
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
On latest IPA, when adding a command to a rule or a sudo option, for
example, the change is not active in the user session.
For example, after removing the !authenticate option, I can still execute
sudo commands without a password.
I tried to log out and log in again, but nothing changes, but on a new VM
where I had never logged in before it works.
Is there a cache or something to do so as for commands to be immediately

sudo rules are cached on the client and refresh happens periodically.
We have several update mechanisms that deal with finding new rules,
deleting non-existent ones and updating expired ones, but it cannot be
performed on demand at the moment. We have a ticket for that [1].
Please see 'man sssd-sudo' to get a better understanding of how it works.

It's said that sssd-sudo has been created to be close to how local
sudoers works. So I suppose the three described mechanisms are
intended to converge on a near-realtime rule change.
It's true that after waiting an undefined time, rules become available...
but is there an estimated time of availability? Is it rather 15 min or
one hour (I suppose anything beyond that is not usable)?
It is possible to expire cached rules with sss_cache. This won't find
you newly added rules, but it will fetch updated rules and remove
deleted ones.

[1] https://fedorahosted.org/sssd/ticket/2884

Depending on how often your environment changes, you can adjust sudo rule updates with the following options:

- entry_cache_sudo_timeout -- how long the cached rule is valid; when the timeout is exceeded the rule is updated from LDAP

- ldap_sudo_smart_refresh_interval -- periodic update that fetches rules newly added or modified since the last lookup (uses the modifyTimestamp/entryUSN operational attribute to do so)

- ldap_sudo_full_refresh_interval -- periodic update that simply deletes the currently cached rules and downloads those stored in LDAP
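To make the three knobs concrete, here is an sssd.conf domain section tuned for an environment where sudo rules change often. This is an added example and not a configuration posted in the thread; the domain name example.test, the chosen values, and the defaults quoted in the comments (taken from my reading of sssd.conf(5) and sssd-sudo(5)) are my assumptions, so check them against your own man pages before copying.

```ini
# /etc/sssd/sssd.conf (fragment) -- added example, not from the thread.
# The domain name and the numeric values below are assumptions.
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
# The IPA sudo provider honours the ldap_sudo_* refresh options below.
sudo_provider = ipa

# How long a cached rule is used before it is re-read from LDAP on the
# next lookup. Default is entry_cache_timeout (5400 s); shortened here.
entry_cache_sudo_timeout = 600

# Periodic smart refresh: fetches only rules added or modified since the
# last refresh (compares entryUSN / modifyTimestamp). Default 900 s.
ldap_sudo_smart_refresh_interval = 300

# Periodic full refresh: drops every cached rule and downloads the whole
# set again. Must be longer than the smart interval. Default 21600 s.
ldap_sudo_full_refresh_interval = 3600
```

With these values a newly added rule shows up within five minutes rather than fifteen, and a deleted rule disappears within an hour at the latest. If you cannot wait even that long after removing a rule or an option such as !authenticate, `sss_cache -R` (the --sudo-rules flag) expires all cached sudo rules so the next lookup re-fetches them; as the reply above notes, that path refreshes and removes existing rules but does not discover rules added since the last smart refresh. Restart sssd after editing the file, since the intervals are read at startup.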

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project