[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

Dmitri Pal dpal at redhat.com
Thu Dec 9 18:03:28 UTC 2010


Nalin Dahyabhai wrote:
> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote:
>   
>> I guess the piece that is still missing then is:
>>
>> Instead of:
>>
>> sudoHost: hostname.com
>>
>> It should be:
>>
>> sudoHost: +production <- which is the group assigned to the ipasudorule.
>>     
>
> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in
> the rule is a hostgroup but not a netgroup, so I think it's doing the
> right thing by resolving the group down to its members' names.
>
>   
JR,

Can we check that we are running with the same test data set?
In the data set that Nalin uses the sudo rule points to a host group so
according to the rules it gets expanded.
Have you implemented a capability to add a netgroup to the
memberHost in the SUDO plugin?
If you make a netgroup a member of the SUDO rule the compat plugin will
do what you expect.

Thanks
Dmitri

> Nalin


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

