On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <[email protected]> wrote:
> On 13 October 2017 at 19:28, Asif Iqbal wrote:
> > Hi All
> >
> > I have this in sssd.conf
> >
> > [sudo]
> > debug_level = 0x3ff0
> >
> > [domain/LDAP]
> > debug_level = 0x02F0
> > ...
> > sudo_provider = ldap
> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> > ldap_sudorule_object_class = mnetperson
> >
> > The user can log in OK with ldap, but sudo is failing.
> >
> > I see that it is doing an ldapsearch like this in the sssd_sudo.log
> >
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
> >
> > It would have worked if the search were like this
> >
> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
> >
> > How do I change the config to search like above?
>
> The search it's doing is to retrieve sudo rule objects from the
> directory, as defined in e.g.
> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>
> Each LDAP object is equivalent to a line in a sudoers file.

I do not manage the LDAP server, IT does, and ldapsearch shows there is no sudoRole or any sudo* objectclass. So that means I cannot use sudo for SSSD?

> Cheers,
>
> John
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
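As an added illustration (not code from this thread or from SSSD), a simplified Python model of the lookup logged above: it rebuilds the sysdb filter SSSD printed for the user and evaluates it against constructed cache entries, showing that only objects carrying sudoUser values (sudo rule objects in the sense of the sudoers.ldap man page) are ever returned as rules, while a plain person record with no sudoUser attribute yields 0 rules. The entry contents and the matcher are constructed for this example.

```python
"""Simplified model of the sudo-rule lookup shown in sssd_sudo.log.

Constructed example, not SSSD code: the entries below are made up, and
match_sudo_user() implements only the sudoUser forms visible in the
logged filter (ALL, user name, #uid, %group, +netgroup).
"""


def build_filter(user, uid, groups):
    """Rebuild the sysdb filter from the log for a given identity."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={user})", f"(sudoUser=#{uid})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=+*)")  # any netgroup rule is fetched, resolved later
    return f"(&(objectClass=sudoRule)(|{''.join(terms)}))"


def match_sudo_user(entry, user, uid, groups):
    """True if any sudoUser value on the entry applies to this identity."""
    for value in entry.get("sudoUser", []):
        if value in ("ALL", user):
            return True
        if value.startswith("#") and value[1:] == str(uid):
            return True
        if value.startswith("%") and value[1:] in groups:
            return True
        if value.startswith("+"):  # netgroup: matched by the +* wildcard
            return True
    return False


def select_rules(entries, user, uid, groups):
    """Return the cache entries the logged filter would select."""
    return [e for e in entries
            if "sudoRule" in e["objectClass"]
            and match_sudo_user(e, user, uid, groups)]


# Constructed entries: two real sudo rules versus a plain person record
# (the kind ldap_sudorule_object_class = mnetperson points SSSD at), which
# carries no sudoUser attribute and therefore can never satisfy the filter.
ENTRIES = [
    {"cn": "admins-all", "objectClass": ["sudoRule"],
     "sudoUser": ["%wheel"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "iqbala-restart", "objectClass": ["sudoRule"],
     "sudoUser": ["iqbala"], "sudoHost": ["ALL"], "sudoCommand": ["/sbin/service"]},
    {"uid": "iqbala", "objectClass": ["mnetperson"], "uidNumber": ["408462"]},
]

if __name__ == "__main__":
    print(build_filter("iqbala", 408462, ["iqbala"]))
    print(len(select_rules(ENTRIES, "iqbala", 408462, ["iqbala"])), "rule(s) for iqbala")
    print(len(select_rules(ENTRIES[2:], "iqbala", 408462, ["iqbala"])), "rule(s) from person records only")
```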
