On Fri, 29 Nov 2024, Richard Doerwaldt via sssd-users wrote:
> I've configured sudo to use the ipa backend basically using the config
> ipa-client-install generated for me and it's mostly working.
> However, when I configure sudo rules in FreeIPA with hostgroups
> containing a large amount of hosts, and I attempt to run sudo with an
> emptied sssd cache I get delays as sssd looks up the hosts in those
> netgroups, sometimes leading to timeouts when these lookups exceed
> ldap_search_timeout. I don't think looking up the hosts in the netgroups
> should be required to evaluate the sudo rules.
SUDO does evaluate netgroups mentioned in the SUDO rules. So it needs to
know that information. It uses innetgr(3) to request evaluation of the
host's presence in the netgroup.
Basically, the flow is:
- collect SUDO rules (sssd)
- provide SUDO rules to SUDO via SSSD plugin
- SUDO performs rule evaluation
- for each rule with a netgroup, a match is attempted via innetgr(3) call
- innetgr(3) will ask all configured netgroup plugins in glibc for their
  data, including SSSD
- SSSD will have to pull all netgroups that this host or a is a member of.
> Configuring ignore_group_members=True unfortunately doesn't seem to
> help me here.
I don't think SSSD ignores membership for netgroups.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland