This feels like a valid bug/typo. I think it may be worth a ticket.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC | Certified Incident Handler
GIAC | WebApp Penetration Tester
GXPN | GIAC Advanced Penetration Tester and Exploit Researcher
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
[email protected]
http://www.citrixonline.com

On Oct 11, 2013, at 11:54 PM, "Benjamin Franzke" <[email protected]> wrote:

From a quick grep:

src/providers/ldap/ldap_opts.h:310
    struct sdap_attr_map native_sudorule_map[] = {
        { "ldap_sudorule_object_class", "sudoRole", SYSDB_SUDO_CACHE_OC, NULL },

sudoRole is mapped to SYSDB_SUDO_CACHE_OC, which is:

src/db/sysdb_sudo.h:36
    #define SYSDB_SUDO_CACHE_OC "sudoRule"

So the query you're seeing seems to be a query to the cache (local sysdb).
Don't know though whether that is a typo or really wanted, I don't have much insight as well.

2013/10/11 JR Aquino <[email protected]>

This was asked in the SUDO-users mailing list today. It seemed like something important to cover in here as well.

From: <[email protected]>
Subject: [sudo-users] objectClass=sudoRule vs objectClass=sudoRole in AD
Date: October 11, 2013 5:53:44 AM PDT
To: <[email protected]>

How does the query for sudo rules in AD even work when the debug shows a query such as:

(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test.user)(sudoUser=#1215014110)(sudoUser=%test_rmm_linux_users)(sudoUser=%Domain Users)(sudoUser=%Domain Users)(sudoUser=+*)))

If I execute this on the command line using ldapsearch I get no results. If I change objectClass to objectClass=sudoRole in the same search, ldapsearch works perfectly.

I created the sudoers ou and objects using the guidance in the sudoers documentation on sudo.ws.

Thanks for the insight.

Curtis Roze

____________________________________________________________
sudo-users mailing list <[email protected]>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
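
Added example, not part of the thread and not SSSD's own code: following the explanation above that the logged filter targets the local cache, this C example rewrites the cache object class ("sudoRule") to the server-side one ("sudoRole") so a filter copied from the debug log can be tried with ldapsearch. The struct and function names are hypothetical; only the two object-class strings come from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-in for one attribute-map row: the name
 * used on the LDAP server and the name used in the local cache (sysdb). */
struct name_map { const char *ldap_name, *cache_name; };

/* The only pair quoted in the thread. */
static const struct name_map sudo_oc = { "sudoRole", "sudoRule" };

/* Copy a cache-side filter to out, rewriting each "(objectClass=sudoRule)"
 * term to the server-side class. Returns the number of terms rewritten,
 * or -1 if out is too small. LDAP names are matched case-insensitively. */
int cache_filter_to_ldap(const char *in, char *out, size_t outlen)
{
    char needle[64], repl[64];
    size_t nlen, rlen, used = 0;
    int hits = 0;
    if (outlen == 0) return -1;
    snprintf(needle, sizeof(needle), "(objectClass=%s)", sudo_oc.cache_name);
    snprintf(repl, sizeof(repl), "(objectClass=%s)", sudo_oc.ldap_name);
    nlen = strlen(needle);
    rlen = strlen(repl);
    while (*in != '\0') {
        int match = strncasecmp(in, needle, nlen) == 0;
        size_t n = match ? rlen : 1;
        if (used + n >= outlen) return -1;   /* keep room for the NUL */
        memcpy(out + used, match ? repl : in, n);
        used += n;
        in += match ? nlen : 1;
        hits += match;
    }
    out[used] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed input: shortened form of the filter from the debug log. */
    const char *logged = "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=test.user)))";
    char server[256];
    if (cache_filter_to_ldap(logged, server, sizeof(server)) >= 0)
        printf("%s\n", server);
    return 0;
}
```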
