On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
> > the sssd's code that fetches sudo rules from the IPA server got an
> > overhaul recently. The search would no longer be performed against the
> > compat tree, but against IPA's native LDAP tree. This would have the
> > advantage that environments that don't use the slapi-nis' compat tree
> > for another reason (like old or non-Linux clients) would no longer
> > require slapi-nis to be running at all.
>
> Frankly I don't understand this text. Especially I don't know what the terms
> "compat tree" and "IPA's native LDAP tree" really mean.
I'm sorry, I will try to rephrase.

If you add sudo rules to an IPA server using the "ipa sudorule" commands, the LDAP objects are added to the cn=sudorules,cn=sudo,$DC tree using a schema that is specific to IPA. The rule might look like this one on my test server:

dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation

However, the client side (both the LDAP connector that is built into sudo itself and the SSSD) only understood the schema as defined by http://linux.die.net/man/5/sudoers.ldap

Therefore, there is another subtree on the IPA server, rooted at ou=sudoers,$DC. This subtree is often called the 'compat' tree, because it was built with non-SSSD clients in mind. The objects are put into the compat tree by the slapi-nis Directory Server plugin. The rule above would be converted to:

dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test
sudoUser: jsmith
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/less
cn: readfiles

However, this auto-generation does not come for free and in some environments, the slapi-nis plugin was causing substantial load on the server side. So we added code to the sssd's ipa_provider to handle the objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin can be disabled.

The functionality of the ipa's sudo_provider should stay the same, it's just that it's now able to process a different schema and this change allows the admin to disable the slapi-nis plugin (unless they need another piece of its functionality, which is translating the user and group objects into rfc2307 schema for legacy clients.)

> > Does this only affect the IPA provider?

Yes.
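As an added illustration of the schema translation this message describes (example code, not from the thread, SSSD or slapi-nis): a small Python script that maps the ipasudorule entry quoted above onto its sudoRole compat form and checks the result against the quoted compat entry. The sudocmd entry it resolves (objectClass ipasudocmd, attribute sudoCmd) is constructed, since the mail does not quote it, and only the externaluser and memberallowcmd attributes used by the example rule are mapped.

```python
# Constructed sample modelled on the two entries quoted in the mail; the
# sudocmd entry (objectClass ipasudocmd, attribute sudoCmd) is assumed, not quoted.
IPA_LDIF = """\
dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation

dn: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
sudoCmd: /usr/bin/less
objectClass: ipasudocmd
"""
COMPAT_LDIF = """\
dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test
sudoUser: jsmith
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/less
cn: readfiles
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn.lower(): {attr.lower(): sorted values}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")  # LDAP attribute names are case-insensitive
            entry.setdefault(attr.lower(), []).append(value)
        entries[entry["dn"][0].lower()] = {k: sorted(v) for k, v in entry.items()}
    return entries

def to_compat(rule, entries, suffix):
    """sudoRole view of one ipasudorule under ou=sudoers,<suffix>; None if the rule is disabled."""
    if rule.get("ipaenabledflag", ["FALSE"])[0].upper() != "TRUE":
        return None
    cn, commands = rule["cn"][0], []
    for cmd_dn in rule.get("memberallowcmd", []):  # resolve command DNs to sudoCmd values
        if cmd_dn.lower() not in entries:  # dangling reference: fail loudly, never emit a partial rule
            raise KeyError(f"rule {cn} references missing sudocmd {cmd_dn}")
        commands.extend(entries[cmd_dn.lower()]["sudocmd"])
    return {"dn": [f"cn={cn},ou=sudoers,{suffix}"], "cn": [cn],
            "objectclass": ["sudoRole", "top"],
            "sudouser": sorted(rule.get("externaluser", [])),
            "sudocommand": sorted(commands)}
```

Running to_compat on the parsed rule yields exactly the compat entry quoted in the mail, and a rule with ipaenabledflag FALSE yields no compat entry at all.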
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project