<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr"> Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well. And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf The situation I see is that sudo rule is successful only when using ALL for hosts, the example of debug message is: sudo: ldap sudoHost 'ALL' ... MATCH! Otherwise, it doesn't work and the message is: sudo: ldap sudoHost '+hostg_build' ... not The "hostg_build" is IPA host group, and if I read "man sudoers.ldap" correctly, sudoHost expects host netgroup (prefixed with a <code style="font-size: 12pt;">'+'</code>). Is there any resolution here? thanks, Zarko </div> </body> </html>