My ldap_sudo_search_base path ends with “?onelevel?”; since it’s a search base, you have to give it a scope. It's working fine for us.
Sent from my Windows 10 phone

From: John Beranek <[email protected]>
Sent: Friday, October 13, 2017 4:07 PM
To: End-user discussions about the System Security Services Daemon <[email protected]>
Subject: [SSSD-users] Re: sudo does not work with SSSD

On 13 October 2017 at 19:28, Asif Iqbal wrote:
> Hi All
>
> I have this in sssd.conf
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP]
> debug_level = 0x02F0
> ...
> sudo_provider = ldap
> ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> ldap_sudorule_object_class = mnetperson
>
> user can log in OK with ldap, but sudo is failing
>
> I see that it is doing an ldapsearch like this in the sssd_sudo.log
>
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
>
> It would have worked if the search were like this
>
> (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>
> How do I change the config to search like above?

The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html

Each LDAP object is equivalent to a line in a sudoers file.

Cheers,

John
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
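To make John's point concrete, here is an added illustration (not SSSD code and not something posted in the thread) of the rule selection that the sssd_sudo.log line shows: the sudo responder asks its cache for objects of class sudoRule whose sudoUser attribute names the caller directly, by numeric uid (#uid), by group (%group), by netgroup (+netgroup), or as ALL. The entries below are constructed; the attribute names sudoUser, sudoHost, sudoCommand and sudoOption come from the sudoers.ldap schema linked above, and the objectClass value sudoRule is the one the log shows for the cache. A user account object such as the mnetperson entry carries a uid attribute but no sudoUser, so no such query can ever return it, which is why pointing ldap_sudorule_object_class at an account class yields "Returning 0 rules". Host and command matching, rule ordering and netgroup resolution are left out to keep the focus on the user match.

```python
"""Simplified model of the sudoRule lookup shown in the thread's sssd_sudo.log.

Added example for illustration only; it is not SSSD's implementation.
All directory entries are constructed sample data.
"""

# Constructed cache contents: each dict stands for one object SSSD stored
# after fetching sudo rules. Every sudoRule object is one sudoers line.
# The final entry is an account object, modelling what the thread's
# ldap_sudorule_object_class = mnetperson would pull in instead of rules.
SAMPLE_ENTRIES = [
    {"cn": "defaults", "objectClass": "sudoRule",
     "sudoOption": ["env_reset"]},
    {"cn": "admins-all", "objectClass": "sudoRule",
     "sudoUser": ["%wheel"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "iqbala-restart", "objectClass": "sudoRule",
     "sudoUser": ["iqbala"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/systemctl restart httpd"]},
    {"cn": "uid-rule", "objectClass": "sudoRule",
     "sudoUser": ["#408462"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/less"]},
    {"cn": "netgroup-rule", "objectClass": "sudoRule",
     "sudoUser": ["+ops"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    # Account object (constructed): has a uid, but is not a rule at all.
    {"uid": "iqbala", "objectClass": "mnetperson", "uidNumber": "408462"},
]


def build_cache_filter(user, uid, groups):
    """Reproduce the filter shape from the log line in the thread.

    SSSD asks for any rule whose sudoUser names the user, their uid, one of
    their groups, ALL, or any netgroup (netgroup membership is checked later).
    """
    parts = ["(sudoUser=ALL)", f"(sudoUser={user})", f"(sudoUser=#{uid})"]
    parts += [f"(sudoUser=%{g})" for g in groups]
    parts.append("(sudoUser=+*)")
    return "(&(objectClass=sudoRule)(|" + "".join(parts) + "))"


def sudo_user_matches(value, user, uid, groups, netgroups):
    """Decide whether one sudoUser value applies to the given caller."""
    if value == "ALL":
        return True
    if value.startswith("#"):          # numeric uid form, e.g. #408462
        return value[1:] == str(uid)
    if value.startswith("%"):          # POSIX group form, e.g. %wheel
        return value[1:] in groups
    if value.startswith("+"):          # netgroup form, e.g. +ops
        return value[1:] in netgroups
    return value == user               # plain user name, exact match


def matching_rules(entries, user, uid, groups, netgroups=()):
    """Return the cn of every sudoRule object the caller's query would select.

    Objects of any other class are skipped outright, regardless of what uid
    or name attributes they carry: the query only ever looks at sudoRule.
    """
    hits = []
    for entry in entries:
        if entry.get("objectClass") != "sudoRule":
            continue
        values = entry.get("sudoUser", [])
        if any(sudo_user_matches(v, user, uid, groups, netgroups)
               for v in values):
            hits.append(entry["cn"])
    return hits


def default_options(entries):
    """The cn=defaults object holds sudoOption values and has no sudoUser."""
    for entry in entries:
        if entry.get("objectClass") == "sudoRule" and entry.get("cn") == "defaults":
            return list(entry.get("sudoOption", []))
    return []


if __name__ == "__main__":
    print(build_cache_filter("iqbala", 408462, ["iqbala"]))
    print(matching_rules(SAMPLE_ENTRIES, "iqbala", 408462, ["iqbala"]))
    print(default_options(SAMPLE_ENTRIES))
```

Running the script with the thread's user (iqbala, uid 408462, primary group iqbala) prints the same filter string that appears in the log and selects the two rules that name that user, while the account object is ignored. Adding the constructed group wheel or netgroup ops to the caller's membership brings in the corresponding rules, which is the behaviour the filter's %group and +* terms exist for.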
