On 07/09/2014 10:34 PM, Jakub Hrozek wrote:

On 09 Jul 2014, at 20:00, Rich Megginson <rmegg...@redhat.com> wrote:

re: https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001891.html
<snip>
OK, I take back all that I said over on the samba list, sssd does not
pull the sudo rules from AD

I have just spent two hours trying to get sssd to get the sudo rules
from AD on my netbook that I have just installed Linux Mint mate 17 on,
to no effect.

After upping sssd debug to 9, I found this search in sssd_example.com.log:

(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))

If I try to search with this via ldbsearch, it does not work, all I get
is this:

allocating request failed: Unable to parse search expression

If I remove one small part, it does work and displays the sudo roles.

So, what does this do?

(sudoHost=*\**)

I'm not sure what this search is supposed to do.  What is the intention of this? If it is to search 
for any sudoHost value with a literal asterisk "*" character in it, then the search 
filter syntax is wrong.  According to http://tools.ietf.org/html/rfc4515, if you want to use a 
"*" in a search filter, it must be escaped like this: \2A, so the search filter would be 
(sudoHost=*\2A*)


Thanks for chiming in, Rich.

Pavel, can you inspect the code and file a ticket if we have a bug?

Hi,
the search is supposed to find all rules containing a wildcard in the sudoHost attribute. Thanks for correcting the filter.

I filed: https://fedorahosted.org/sssd/ticket/2377

In the meantime, if you don't use wildcards you can disable the filter with: ldap_sudo_include_regexp = false in the domain section of your sssd.conf.



because I can only get the search to work without it

Rowland

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
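
The escaping rule discussed in this thread, as an added example that is not part of the original messages and is not SSSD code: a filter-value escaper following RFC 4515 and a check that flags backslashes not followed by two hex digits. The function names are hypothetical; the two filter fragments are the ones quoted above.

```python
import re

# RFC 4515 section 3: these characters may only appear in an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A backslash that is not followed by exactly two hex digits is invalid.
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a literal string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def invalid_escapes(ldap_filter: str) -> list[int]:
    """Return the offsets of backslashes that do not start a valid escape."""
    return [m.start() for m in _BAD_ESCAPE.finditer(ldap_filter)]


def contains_literal(attr: str, literal: str) -> str:
    """Build a substring filter matching values that contain `literal`.

    Only the literal is escaped; the surrounding '*' stay as wildcards.
    """
    return f"({attr}=*{escape_filter_value(literal)}*)"


# Filter fragments quoted in the thread.
FROM_LOG = r"(sudoHost=*\**)"    # as found in the sssd debug log
CORRECTED = r"(sudoHost=*\2A*)"  # as suggested in the reply

if __name__ == "__main__":
    for f in (FROM_LOG, CORRECTED):
        bad = invalid_escapes(f)
        print(f, "->", f"invalid escape at offset {bad}" if bad else "ok")
    print(contains_literal("sudoHost", "*"))
```

The same escaper applies to any value placed into a filter from outside input, since an unescaped `(`, `)` or `*` changes the structure of the search rather than matching literally.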

