[Freeipa-devel] Where we are with SUDO?
JR Aquino
JR.Aquino at citrix.com
Wed Nov 24 17:32:21 UTC 2010
Progress!
Ok, here is the latest data from the lab.
The compat translation is almost there!!!
* The sudoers container has correctly been moved out to the top of the
  tree. I think it only needs 1 small final edit: the sudo ldap default is
  to look for ou=sudoers, rather than what is currently "cn=sudoers".
* sudoUser correctly translates to a %<usergroup_name>
* sudoCommand: correctly translates to the individual members of the
  ipaSudoCmdGroup
* sudoHost: is incorrectly enumerating the individual members of the
  ipaHostgroup.
  This is similar to how sudoCommand is being populated.
  It wants to be like how sudoUser is being populated:
  sudoHost: +prod
Here is the ldapsearch for the pieces that need adjustment.
# prod, hostgroups, accounts, example.com
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: prod
description: prod
ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com
# sudoers, example.com
dn: cn=sudoers, dc=example,dc=com
objectClass: extensibleObject
cn: sudoers
# operations, sudoers, example.com
dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations
Thank you very much for your help Nalin!
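
A check for the sudoHost behaviour described in the message above, added here as an example; it is not code from the post or from the FreeIPA project. It parses ldapsearch-style LDIF and reports every sudoRole whose sudoHost lists a host that is a member of an ipaHostgroup, together with the +<hostgroup> value the message asks for. The function names are hypothetical and the sample LDIF is trimmed from the entries quoted in the message.

```python
# Sample input: trimmed from the entries quoted in the message above.
SAMPLE_LDIF = """\
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: prod
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):  # skip ldapsearch comment lines
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def has_class(entry, name):
    return name in (v.lower() for v in entry.get("objectclass", []))

def enumerated_hosts(entries):
    """Return (role, sudoHost, suggestion) where a host is listed instead of its group."""
    groups_of = {}  # lowercased fqdn -> names of the hostgroups that contain it
    for e in entries:
        if has_class(e, "ipahostgroup"):
            for dn in e.get("member", []):
                rdn = dn.split(",")[0]
                if rdn.lower().startswith("fqdn="):
                    groups_of.setdefault(rdn[5:].lower(), []).append(e["cn"][0])
    findings = []
    for e in entries:
        if has_class(e, "sudorole"):
            for host in e.get("sudohost", []):
                if not host.startswith("+"):  # already in +<group> form
                    for group in groups_of.get(host.lower(), []):
                        findings.append((e["cn"][0], host, "+" + group))
    return findings
```

Calling enumerated_hosts(parse_ldif(SAMPLE_LDIF)) reports the operations rule; once its sudoHost reads +prod the result is empty.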