Hello,

On Thu, 11 Sep 2014 16:12:40 +0200
Jakub Hrozek <jhro...@redhat.com> wrote:

> On Wed, Sep 10, 2014 at 09:58:27PM, Trevor T Kates (Services - 6) wrote:
>> Hi all:
>>
>> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a
>> quirky problem. From what I've read thus far, sudo under SSSD can't provide
>> sudo rules for local users that are not part of the directory. To get around
>> this, I've been using the sudo-ldap.conf file to provide sudo with direct
>> access to the directory. This, however, can't make use of service discovery,
>> so if the first server in the ldap_uri list is taken down, sudo delays for
>> the length of the timeout set. My idea for getting around this has been to
>> use sudo in SSSD for users that are in the directory and let sudo-ldap take
>> care of local users with a line in nsswitch.conf like this:
>>
>> sudoers: files sss ldap
>
> I think this is more of a sudo question and I'm not familiar enough with the
> sudo code to answer this question well. I added the sudo Fedora maintainer to
> CC, maybe he has some ideas?
>
>> My problem now seems to be that the ldap query is still run even if a
>> successful hit is made to sssd. Changing the line in nsswitch.conf to:
>>
>> sudoers: files sss [success=return] ldap

Yes, the sudoers: line is parsed by sudo and sudo does support the
[SUCCESS=return] option. However, this applies only to queries for sudo
rules.

Is the LDAP query you're talking about a query for sudo rules or for
users/groups? Sources for the user and group dbs are not handled by sudo.
Sudo just uses the usual glibc calls and they may result in queries to ldap
and sss too.

Dan K.

> I don't think [success=return] will work here. Despite sudoers being
> configured in nsswitch.conf, it's not actually a NSS map handled by glibc.
> sudo itself parses the file.
>
>> doesn't seem to actually work.
>>
>> Does anyone have pointers on how I can resolve this particular problem?
>>
>> Thanks!
>>
>> Trevor T. Kates
>>
>> CONFIDENTIALITY NOTICE: This electronic message contains information which
>> may be legally confidential and or privileged and does not in any case
>> represent a firm ENERGY COMMODITY bid or offer relating thereto which binds
>> the sender without an additional express written confirmation to that
>> effect. The information is intended solely for the individual or entity
>> named above and access by anyone else is unauthorized. If you are not the
>> intended recipient, any disclosure, copying, distribution, or use of the
>> contents of this information is prohibited and may be unlawful. If you have
>> received this electronic transmission in error, please reply immediately to
>> the sender that you have received the message in error, and delete it.
>> Thank you.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
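The two lookup paths Dan K. distinguishes above can be made concrete with a small emulation. This is an added example, not sudo's or glibc's code: it parses an nsswitch.conf text (constructed inline to mirror the two variants in the thread) and reports which sources would be queried. For the `sudoers:` database it follows sudo's documented behaviour of walking every listed source in order and stopping early only where a `[SUCCESS=return]` or `[NOTFOUND=return]` action follows a source; for `passwd:`/`group:` it follows glibc's default of stopping at the first source that finds the entry. Which backend actually holds a match is supplied as a set of source names standing in for the real files/ldap/sss backends, and glibc's other statuses (UNAVAIL, TRYAGAIN) and negated actions are deliberately not modelled.

```python
"""Emulate how the sudoers: line and the passwd:/group: lines in
nsswitch.conf are walked.

Added example, not sudo's or glibc's code.  Simplifications (assumptions):
  * only [SUCCESS=return] and [NOTFOUND=return] actions are recognised;
  * sudo's default is to keep going after a source, matched or not;
  * glibc's default is to return on SUCCESS and continue on NOTFOUND;
  * which backend has a match is given as a set of names, not looked up.
"""
import re
from dataclasses import dataclass

ACTION = re.compile(r"\[(success|notfound)=return\]", re.IGNORECASE)


@dataclass
class Source:
    name: str
    ret_if_found: bool      # stop walking if this source has a match
    ret_if_notfound: bool   # stop walking if this source has no match


def parse_db_line(nsswitch_text: str, db: str) -> list[Source]:
    """Return the ordered source list for database `db` (e.g. "sudoers")."""
    sudo_style = db == "sudoers"
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments/whitespace
        if not line.lower().startswith(db + ":"):
            continue
        sources: list[Source] = []
        for tok in line[len(db) + 1:].split():
            m = ACTION.fullmatch(tok)
            if m:
                if not sources:
                    raise ValueError(f"{tok} has no preceding source in {db}:")
                # the action binds to the source immediately before it
                if m.group(1).lower() == "success":
                    sources[-1].ret_if_found = True
                else:
                    sources[-1].ret_if_notfound = True
            else:
                sources.append(Source(tok.lower(),
                                      ret_if_found=not sudo_style,
                                      ret_if_notfound=False))
        return sources
    raise ValueError(f"no {db}: line found")  # sudo's own default not modelled


def consulted(sources: list[Source], found_in: set[str]) -> list[str]:
    """Walk the sources in order and return the names actually queried."""
    queried = []
    for src in sources:
        queried.append(src.name)
        hit = src.name in found_in
        if (hit and src.ret_if_found) or (not hit and src.ret_if_notfound):
            break
    return queried


# Constructed nsswitch.conf fragment mirroring the thread's setup.
NSSWITCH = """\
passwd:  files sss ldap
group:   files sss ldap
sudoers: files sss [SUCCESS=return] ldap
"""


def demo() -> dict[str, list[str]]:
    sudo_src = parse_db_line(NSSWITCH, "sudoers")
    pw_src = parse_db_line(NSSWITCH, "passwd")
    return {
        # rule found in sss: [SUCCESS=return] keeps ldap out of the rule lookup
        "rules_dir_user": consulted(sudo_src, {"sss"}),
        # local user with no sss rule: the rule lookup does reach ldap
        "rules_local_user": consulted(sudo_src, {"ldap"}),
        # user/group lookups are glibc's: stop at the first source that has it
        "passwd_local_user": consulted(pw_src, {"files"}),
        "passwd_dir_user": consulted(pw_src, {"sss"}),
        # a user or group that exists nowhere is tried against every source
        "passwd_unknown": consulted(pw_src, set()),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:18s} {' -> '.join(path)}")
```

Run stand-alone it prints one line per case. The two cases worth comparing are `rules_local_user`, where the sudoers walk reaches ldap exactly as the original setup intended for local users, and `passwd_unknown`, where a passwd or group lookup for a name that neither files nor sss knows reaches ldap through glibc regardless of anything on the `sudoers:` line, which is the kind of LDAP query Dan K. asks about.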