URL: https://github.com/SSSD/sssd/pull/544
Author: jhrozek
Title: #544: IPA: Qualify the externalUser sudo attribute
Action: synchronized

To pull the PR as Git branch:
    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/544/head:pr544
    git checkout pr544

From 86d31351861bed9c993f100f6603b1c9cff754c3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Mon, 26 Mar 2018 11:36:00 +0200 Subject: [PATCH] IPA: Qualify the externalUser sudo attribute We broke the externalUser support with the introduction of the fully qualified attributes, because the provider was saving the data verbatim, but the sudo responder expects a fully qualified name. Reproducer: on the server: ipa sudocmd-add --desc='For reading log files' /usr/bin/less ipa sudorule-add readfiles ipa sudorule-add-user --users=lcluser ipa sudorule-mod --hostcat=all readfiles then on the client: configure sssd with: id_provider = files sudo_provider = ipa ipa_domain = ipa.test run: sudo useradd lcluser sudo passwd lcluser su - lcluser sudo -l --- src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index a96ae3447..bfa66b2c6 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx, return fqdn; } +static const char * +convert_ext_user(TALLOC_CTX *mem_ctx, + struct ipa_sudo_conv *conv, + const char *value, + bool *skip_entry) +{ + return sss_create_internal_fqname(mem_ctx, value, conv->dom->name); +} + static const char * convert_group(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, 
@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv, {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL}, {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL}, {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup}, - {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL}, + {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user}, {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL}, {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL}, {NULL, NULL, NULL}};
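Review bot: convert_ext_user() in the first hunk (@@ -873,6 +873,15) never touches its skip_entry argument and returns the result of sss_create_internal_fqname() unchecked, so a NULL return goes straight back to the caller with no debug message. If the converter contract treats NULL as an error that is acceptable, but a one-line comment saying so, or a DEBUG message on failure, would make it explicit. A short comment above the function explaining why the value is qualified with conv->dom->name (the sudo responder expects a fully qualified name, per the commit message) would also help, and please confirm what is stored when value already carries a domain part.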
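Review bot: in the convert_attributes table (@@ -959,7 +968,7) only the SYSDB_IPA_SUDORULE_EXTUSER row gains a converter, while the SYSDB_IPA_SUDORULE_RUNASEXTUSER and SYSDB_IPA_SUDORULE_RUNASEXTGROUP rows just above still pass NULL and are saved verbatim. Please say in the commit message whether the run-as external attributes are intentionally left unqualified, or cover them in this change if the responder matches them the same way. The reproducer only exercises the user side (sudo -l as lcluser), so a test that checks the qualified value stored under SYSDB_SUDO_CACHE_AT_USER would make the fix easier to verify.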