On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal <vad...@gmail.com> wrote:
>
> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <dancorrig...@gmail.com> wrote:
>
>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
>
> I suppose I will just use local/proxy->local with sudo since IT won't add a sudo schema.
>
> Appreciate the pointer!

I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which works perfectly.

So it looks like sudo login with an LDAP password works with pam_ldap.so and nslcd, but sssd needs an LDAP sudo schema. So if one does not have access to the LDAP server, pam_ldap + nslcd is the only way to make it work, since sssd won't work there.

Did I evaluate it right, or is there a workaround for sssd to work as well?

Thanks

>> On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal <vad...@gmail.com> wrote:
>>
>>> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <j...@redux.org.uk> wrote:
>>>
>>>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>>>> > Hi All
>>>> >
>>>> > I have this in sssd.conf
>>>> >
>>>> > [sudo]
>>>> > debug_level = 0x3ff0
>>>> >
>>>> > [domain/LDAP]
>>>> > debug_level = 0x02F0
>>>> > ...
>>>> > sudo_provider = ldap
>>>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>>>> > ldap_sudorule_object_class = mnetperson
>>>> >
>>>> > The user can log in OK with LDAP, but sudo is failing.
>>>> >
>>>> > I see it is doing an ldapsearch like this in sssd_sudo.log
>>>> >
>>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
>>>> >
>>>> > It would have worked if the search were like this
>>>> >
>>>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>>>> >
>>>> > How do I change the config to search like the above?
>>>>
>>>> The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g.
>>>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>>>
>>>> Each LDAP object is equivalent to a line in a sudoers file.
>>>
>>> I do not manage the LDAP server, IT does, and ldapsearch shows there is no sudoRole or any sudo* objectclass.
>>>
>>> So that means I cannot use sudo for SSSD?
>>>
>>>> Cheers,
>>>>
>>>> John
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
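As an added illustration (not code from the thread, from sssd or from sudo), the Python below rebuilds the per-user filter quoted from sssd_sudo.log and evaluates it against two constructed directory entries. It shows why pointing ldap_sudorule_object_class at a person class such as mnetperson still yields 0 rules: the person entry carries none of the sudoUser/sudoHost/sudoCommand attributes that the sudoRole class from sudoers.ldap defines (the sysdb cache stores those objects under the name sudoRule, as the log shows). All DNs, entry contents and function names are assumptions made for the example.

```python
import fnmatch


def parse_filter(s, i=0):
    """Parse the RFC 4515 subset sssd emits: (&...), (|...), (attr=value)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr_lowercase: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, pattern = node
    fold = str.lower if attr == "objectclass" else str  # objectClass is case-insensitive
    return any(fnmatch.fnmatchcase(fold(v), fold(pattern)) for v in entry.get(attr, []))


def sssd_sudo_user_filter(object_class, user, uid_number, groups):
    """Rebuild the per-user filter from sssd_sudo.log: rules for ALL, the user
    name, the numeric uid (#), each group (%), and any netgroup (+*)."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={user})", f"(sudoUser=#{uid_number})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=+*)")
    return f"(&(objectClass={object_class})(|{''.join(terms)}))"


# Constructed sample directory (not from the thread): a person entry like the
# ones in the poster's directory, and a rule entry shaped per sudoers.ldap(5).
SAMPLE_ENTRIES = [
    {"dn": ["uid=iqbala,ou=People,dc=example,dc=com"], "uid": ["iqbala"],
     "objectclass": ["mnetperson", "posixAccount"], "uidnumber": ["408462"]},
    {"dn": ["cn=iqbala_admin,ou=SUDOers,dc=example,dc=com"], "cn": ["iqbala_admin"],
     "objectclass": ["top", "sudoRole"], "sudouser": ["%iqbala"],
     "sudohost": ["ALL"], "sudocommand": ["/usr/bin/systemctl"]},
]


def matching_rule_dns(entries, object_class, user, uid_number, groups):
    """DNs of entries sssd would treat as sudo rules for this user."""
    node, _ = parse_filter(sssd_sudo_user_filter(object_class, user, uid_number, groups))
    return [e["dn"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    # The person class matches on objectClass but has no sudoUser, so 0 rules;
    # only the sudoRole entry satisfies the whole filter.
    for oc in ("mnetperson", "sudoRole"):
        print(oc, matching_rule_dns(SAMPLE_ENTRIES, oc, "iqbala", 408462, ["iqbala"]))
```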