[Freeipa-devel] Where we are with SUDO?

Dmitri Pal dpal at redhat.com
Wed Nov 24 18:22:41 UTC 2010


JR Aquino wrote:
> Progress!
>
> Ok, here is the latest data from the lab.
>
> The compat translation is almost there!!!
>
> * The sudoers container has correctly been moved out to the top of the
> tree.  I think it only needs 1 small final edit, the sudo ldap default is
> to look for: ou=sudoers, rather than what is currently "cn=sudoers"
>
Does this matter because the SUDO clients in your deployment look for
"ou" rather than "cn", or is it a general convention?


> * sudoUser correctly translates to a %<usergroup_name>
> * sudoCommand: correctly translates to the individual members of the
> ipaSudoCmdGroup
> * sudoHost: is incorrectly enumerating the individual members of the
> ipaHostgroup
>
> This is similar to how sudoCommand is being populated.
>
> It wants to be like how sudoUser is being populated.
>
> sudoHost: +prod
>
> Here is the ldapsearch for the pieces that need adjustment.
>
> # prod, hostgroups, accounts, example.com
> dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
> objectClass: ipaobject
> objectClass: ipahostgroup
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: top
> cn: prod
> description: prod
> ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
> member: 
> fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com
>
>
> # sudoers, example.com
> dn: cn=sudoers, dc=example,dc=com
> objectClass: extensibleObject
> cn: sudoers
>
> # operations, sudoers, example.com
> dn: cn=operations,cn=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ops
> sudoHost: auth3.ops.example.com
> sudoCommand: /usr/bin/less
> cn: operations
>
>

Currently it functions as originally specified, i.e. it expands the hosts
when a host group is referenced directly.
Please create a NIS netgroup and add a host group into it manually.
Point the sudo rule you created to the netgroup rather than to the host
group directly.
In this case you should get what you are currently looking for, i.e.
+prod (if that would be the name of the netgroup).
If that works the sudo part will be done and we would need to focus on
one of the variants of keeping the netgroups and host groups in synch as
was proposed in the other thread.

> Thank you very much for your help Nalin!


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
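As an added example (not code from the thread or from the FreeIPA project), the script below parses an ldapsearch-style LDIF dump of the sudoers compat tree and reports, for each sudoRole, whether sudoHost is an enumerated hostname, ALL, or a netgroup reference of the "+prod" form discussed above. It then applies a simplified model of sudo's host matching to show the practical difference: an enumerated host stops matching as soon as a new host joins the host group, while a netgroup reference keeps working once the netgroup is updated. The LDIF and the netgroup membership are constructed to mirror the entries quoted in the thread; the matcher is an assumption that covers only ALL, netgroups and exact FQDN comparison (no wildcards, IP forms or negation).

```python
"""Check how sudoHost is expressed in a sudoers compat-tree LDIF dump.

Added example; SAMPLE_LDIF and NETGROUPS are constructed, modelled on the
ldapsearch output quoted in the thread, not a real capture.
"""
from collections import defaultdict

# Constructed LDIF: one rule with an enumerated host (the behaviour JR
# reports) and one rule pointing at a netgroup (the behaviour he wants).
SAMPLE_LDIF = """\
dn: cn=sudoers,dc=example,dc=com
objectClass: extensibleObject
cn: sudoers

dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations

dn: cn=operations-ng,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: +prod
sudoCommand: /usr/bin/less
cn: operations-ng
"""

# Constructed membership for the NIS netgroup "prod" Dmitri suggests,
# after a second host has been added to the host group behind it.
NETGROUPS = {"prod": {"auth3.ops.example.com", "auth4.ops.example.com"}}


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values].

    Handles LDIF folding (continuation lines start with a space, like the
    wrapped 'member:' line in the thread); base64 ('::') values are not.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):      # ldapsearch comment line
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def sudo_roles(entries):
    """Map cn -> entry for every sudoRole entry in the dump."""
    return {e["cn"][0]: e for e in entries if "sudoRole" in e["objectClass"]}


def classify_host(value):
    """Classify one sudoHost value the way sudo's LDAP backend reads it."""
    if value == "ALL":
        return "all"
    if value.startswith("+"):
        return "netgroup"
    return "host"  # explicit hostname: must be kept in sync by hand


def host_matches(value, hostname, netgroups):
    """Simplified sudo host match: ALL, netgroup membership or exact FQDN.
    Wildcards, IP/netmask forms and '!' negation are not modelled (assumption)."""
    kind = classify_host(value)
    if kind == "all":
        return True
    if kind == "netgroup":
        members = {h.lower() for h in netgroups.get(value[1:], ())}
        return hostname.lower() in members
    return value.lower() == hostname.lower()


def rule_applies(role, hostname, netgroups):
    """True if any sudoHost value of the rule matches the given host."""
    return any(host_matches(v, hostname, netgroups) for v in role["sudoHost"])


def report(text, netgroups, hostname):
    """Per rule: how its hosts are expressed and whether it applies to hostname."""
    return {
        cn: {"hosts": [(v, classify_host(v)) for v in role["sudoHost"]],
             "applies": rule_applies(role, hostname, netgroups)}
        for cn, role in sudo_roles(parse_ldif(text)).items()
    }


if __name__ == "__main__":
    for cn, info in report(SAMPLE_LDIF, NETGROUPS, "auth4.ops.example.com").items():
        print(cn, info)
```

Run against a real dump (`ldapsearch -x -b cn=sudoers,dc=example,dc=com` piped to a file and read into `report`), any rule whose hosts are all classified as "host" is one that will silently stop covering hosts added to the group later, which is exactly the synchronisation problem the reply points at.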

