I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal <[email protected]> wrote:
>
> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <[email protected]> wrote:
>
>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>> > Hi All
>> >
>> > I have this in sssd.conf
>> >
>> > [sudo]
>> > debug_level = 0x3ff0
>> >
>> > [domain/LDAP]
>> > debug_level = 0x02F0
>> > ...
>> > sudo_provider = ldap
>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>> > ldap_sudorule_object_class = mnetperson
>> >
>> > The user can log in OK with LDAP, but sudo is failing.
>> >
>> > I see that it is doing an ldapsearch like this in the sssd_sudo.log:
>> >
>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
>> >
>> > It would have worked if the search were like this:
>> >
>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>> >
>> > How do I change the config to search like the above?
>>
>> The search it's doing is to retrieve sudo rule objects from the
>> directory, as defined in e.g.
>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>
>> Each LDAP object is equivalent to a line in a sudoers file.
>
> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
> sudoRole or any sudo* objectclass.
>
> So that means I cannot use sudo for SSSD?
>
>> Cheers,
>>
>> John
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
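To show why the filter in the quoted log returns zero rules when the directory holds only person entries, here is an added example (not from the thread and not SSSD's own code) that rebuilds that per-user filter and applies the sudoUser matching rules from sudoers.ldap to a constructed directory snapshot; the User class, the entry dicts, and the treatment of cn=defaults as applying to everyone are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    uid: int
    groups: tuple = ()      # e.g. ("iqbala", "wheel")
    netgroups: tuple = ()

def build_sssd_filter(user: User) -> str:
    """Reproduce the per-user search filter SSSD wrote to sssd_sudo.log."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={user.name})", f"(sudoUser=#{user.uid})"]
    terms += [f"(sudoUser=%{g})" for g in user.groups]
    terms.append("(sudoUser=+*)")  # every netgroup rule is fetched, resolved later
    return f"(&(objectClass=sudoRule)(|{''.join(terms)}))"

def sudo_user_matches(value: str, user: User) -> bool:
    """sudoUser semantics from sudoers.ldap: ALL, login, #uid, %group, +netgroup."""
    if value in ("ALL", user.name):
        return True
    if value.startswith("#"):
        return value[1:].isdigit() and int(value[1:]) == user.uid
    if value.startswith("%"):
        return value[1:] in user.groups
    if value.startswith("+"):
        return value[1:] in user.netgroups
    return False

def matching_rules(entries, user: User) -> list:
    """cn of every sudoRole entry that applies to the user (cn=defaults always does)."""
    hits = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", ()):
            continue  # a person entry is never a rule, whatever objectclass is configured
        users = e.get("sudoUser", ())
        if e["cn"] == "defaults" or any(sudo_user_matches(v, user) for v in users):
            hits.append(e["cn"])
    return hits

# Constructed directory snapshot (not real data): one person entry, three sudoRole entries.
ENTRIES = [
    {"cn": "iqbala", "objectClass": ("mnetperson", "posixAccount"), "uid": ("iqbala",)},
    {"cn": "defaults", "objectClass": ("sudoRole",), "sudoOption": ("env_reset",)},
    {"cn": "admins", "objectClass": ("sudoRole",), "sudoUser": ("%admins",),
     "sudoHost": ("ALL",), "sudoCommand": ("ALL",)},
    {"cn": "iqbala-ops", "objectClass": ("sudoRole",), "sudoUser": ("#408462",),
     "sudoHost": ("ALL",), "sudoCommand": ("/usr/bin/systemctl",)},
]
```

Running `matching_rules(ENTRIES[:1], User("iqbala", 408462, ("iqbala",)))` against only the person entry returns an empty list, which is the "Returning 0 rules" situation in the log; pointing `ldap_sudorule_object_class` at a person objectclass does not change that, because those entries carry no sudoUser, sudoHost or sudoCommand attributes.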
