<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 12/21/2011 04:37 AM, Stephen Gallagher wrote: <blockquote cite="mid:1324474664.2278.48.camel@sgallagh520.sgallagh.bos.redhat.com" type="cite"> <pre wrap="">On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote: </pre> <blockquote type="cite"> <pre wrap="">I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following: ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com This is pulled from the docse here for reference: <a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html">http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html</a> This is fine and causes no problems, however, when I mistakenly left it out on a few systems, sudo continued to function, so I am wondering what it is that this directive does? Does this get sssd into the loop to cache sudo rules for offline use? Any ideas? </pre> </blockquote> <pre wrap="">Sorry for the confusion in the other responses to this thread. The short answer is this: SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this). However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups. The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course). Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information. So, in short, you don't need to set it, the doc is outdated. </pre> <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Ok thanks, that makes sense. One final question here, is there a way to verify that sssd is in fact setting this properly? Not that I doubt you of course, it is just a matter of so many versions of sssd in so many places that it would be good to verify that it works automagically on RHEL 5, 6, and whatever else, say Ubuntu etc. -Erinn </body> </html>