[Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

2015-01-08 Thread Lance Reed
I am trying to figure out how (or if it's even possible) to use
wildcard type sudo rules in FreeIPA.

I set up sudo rules and so far they seem to be working - at least if
I set up ALL type rules for Hosts.

However it looks like I have to add specific allowed hosts in the GUI
as they either appear in the host list or add them in the External
option box.  However that makes it messy / non-scalable if I want to
create a group of users that have access to a large number of host
types, say db servers or something.

File based sudo rules allow for constructs such as:

someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh

Which allows someuser to have sudo options on any hostname matching
*dbserver* and then run the command allowed.  This all currently seems
doable in IPA except the wildcard part for hostnames / domains etc.

Apologies if I missed this in the docs.

Thanks in advance for any ideas (command line methods?)

Running:
ipa-server-3.0.0-37
sssd-1.9.2

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

2015-01-08 Thread Lance Reed
Thanks Dmitri!

That at least tells me to stop attempting things that are not going to work.
I will look into the automember info.
Currently I don't think that will work for us since we are using IPA
essentially as just LDAP and not using the IPA client (but using SSSD
on the hosts) and I don't register hosts directly in IPA.  We did not
really want / need that extra overhead but did like the other
integrated components of IPA.

Thanks so much for the info.

On Thu, Jan 8, 2015 at 10:15 AM, Dmitri Pal d...@redhat.com wrote:


 I think to solve this problem with IPA you need to define sudo rules for a
 host group dbserver (or whatever name you choose)
 and then use automembership [1] rules to automatically manage the
 membership of your servers in that group.
 Starting with 4.1, automembership rules can be reapplied to already existing
 entries [2]. Before that the rules applied only to new entries being
 created.

 [1] - http://www.port389.org/docs/389ds/design/automember-design.html (I do
 not think there is an IPA design page but IPA uses the DS plugin)
 [2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership


 HTH
 Thanks
 Dmitri




Re: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

2015-01-08 Thread Dmitri Pal

On 01/08/2015 10:00 AM, Lance Reed wrote:



I think to solve this problem with IPA you need to define sudo rules for 
a host group dbserver (or whatever name you choose)
and then use automembership [1] rules to automatically manage the 
membership of your servers in that group.
Starting with 4.1, automembership rules can be reapplied to already existing 
entries [2]. Before that the rules applied only to new entries being 
created.


[1] - http://www.port389.org/docs/389ds/design/automember-design.html (I 
do not think there is an IPA design page but IPA uses the DS plugin)

[2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership


HTH
Thanks
Dmitri


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

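The host-group plus automember approach Dmitri describes, worked through as an added example (not from the thread or from the FreeIPA project's own documentation). It assumes the names dbservers, dbserver_admintools and someusername, constructed example.com hostnames, that the servers are enrolled as IPA host entries (Lance's are not, which is why automember cannot see them), and IPA 4.1 or later for the automember-rebuild step.

```shell
#!/bin/sh
# Added example: translate the sudoers-style wildcard "*dbserver*" into an
# IPA host group populated by an automember rule, plus a sudo rule bound
# to that group. Group, rule, user and hostnames below are assumptions.
set -eu

# Regex the automember rule applies to each host's fqdn attribute; the
# sudoers glob "*dbserver*" becomes ".*dbserver.*".
DB_REGEX='.*dbserver.*'

# Returns 0 if the hostname would be captured by the automember condition.
# Mirrors the inclusive regex locally so it can be sanity-checked before
# the rule is created on the server.
host_matches_dbserver() {
    printf '%s\n' "$1" | grep -Eq "^${DB_REGEX}$"
}

# Constructed sample inventory to check the regex against.
SAMPLE_HOSTS='prod-dbserver01.example.com
prod-dbserver02.example.com
web01.example.com
dbserver-staging.example.com'

# Count how many sample hosts the rule would pull into the group.
count_dbserver_matches() {
    n=0
    for h in $SAMPLE_HOSTS; do
        if host_matches_dbserver "$h"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Server-side objects. Needs an admin Kerberos ticket (kinit admin) and a
# registered host entry per server: automember only acts on entries that
# exist in IPA. Run the script with --apply to execute this part.
apply_ipa_rules() {
    ipa hostgroup-add dbservers --desc='DB servers, populated by automember'
    ipa automember-add --type=hostgroup dbservers
    ipa automember-add-condition --type=hostgroup dbservers \
        --key=fqdn --inclusive-regex="$DB_REGEX"
    # IPA 4.1+: apply the rule to hosts that already exist.
    ipa automember-rebuild --type=hostgroup
    ipa sudocmd-add /opt/appname/admintools/run_admin_tools.sh
    ipa sudorule-add dbserver_admintools
    ipa sudorule-add-host dbserver_admintools --hostgroups=dbservers
    ipa sudorule-add-user dbserver_admintools --users=someusername
    ipa sudorule-add-allow-command dbserver_admintools \
        --sudocmds=/opt/appname/admintools/run_admin_tools.sh
}

if [ "${1:-}" = "--apply" ]; then apply_ipa_rules; fi
```

Without --apply the script only evaluates the regex against the sample list, so the condition can be reviewed before any IPA objects are created.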


Re: [Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

2015-01-08 Thread Dmitri Pal

On 01/08/2015 10:42 AM, Lance Reed wrote:



SSSD is the client. ipa-client is just a configuration script that 
configures SSSD.

Having a host entry has a lot of benefits for access control and policies.

It seems that you have somewhat limited yourself with the approach 
you have taken.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
