Ok, that's up to your preference.
The hotfix below worked for me in my test environment and is pretty low risk.
But of course, it is not "RHEL rubber stamped". Eventually, you can evaluate
the fix yourself in a test environment.
HTH,
Martin
On 01/13/2014 02:41 PM, Fred van Zwieten wrote:
> Marti

Martin,
Sorry for the late reply.
Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA.
This is part of a production environment consisting solely of supported
RHEL 6.4 servers. I can snapshot the IPA servers (they are VMs) to be able
to roll back in case of trouble, but I

Ah, I think I found the root cause. Our sudoers compat tree configuration
missed out the sudoOrder attribute. The order was thus missing in LDAP sudoers
and thus ineffective. I filed an upstream ticket to fix it:
https://fedorahosted.org/freeipa/ticket/4107
However, to hotfix it in your environmen

On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
> Yes, you would expect that to help, wouldn't you :-)
Yes, I would :-)
>
> Didn't even know this existed. Thanks for that.
>
> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
> to 2 and the cobbler (with the "!authentic

Yes, you would expect that to help, wouldn't you :-)
Didn't even know this existed. Thanks for that.
User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
to 2 and the cobbler (with the "!authenticate" option) rule to 99:
User may run the following commands on this

On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> Hi,
>
> I have a sudo rule in IPA that has the !authenticate option added to enable
> admins to execute certain programs as root without authentication.
>
> It doesn't work. There is another rule for the admins that allows all
> commands as long as