[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

JR Aquino JR.Aquino at citrix.com
Thu Dec 9 18:25:28 UTC 2010



On 12/9/10 10:03 AM, "Dmitri Pal" <dpal at redhat.com> wrote:

>Nalin Dahyabhai wrote:
>> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote:
>>   
>>> I guess the piece that is still missing then is:
>>>
>>> Instead of:
>>>
>>> sudoHost: hostname.com
>>>
>>> It should be:
>>>
>>> sudoHost: +production <- which is the group assigned to the
>>>ipasudorule.
>>>     
>>
>> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in
>> the rule is a hostgroup but not a netgroup, so I think it's doing the
>> right thing by resolving the group down to its members' names.
>>
>>   
>JR,
>
>Can we check that we are running with the same test data set?
>In the data set that Nalin uses the sudo rule points to a host group so
>according to the rules it gets expanded.
>Have you implemented a capability to add a netgroup to the
>memberHost in the SUDO plugin?
>If you make a netgroup a member of the SUDO rule the compat plugin will
>do what you expect.
>
>Thanks
>Dmitri

Dmitri, you were absolutely correct!!!

Thank you for setting me straight.

Changing the memberhost in the sudorole from a hostgroup to a netgroup
solved the issue.  It is representing correctly as +prod now!

Observation:

A ticket was created for me to design a 'Managed Entry' plugin which
automatically mirrored netgroups out of hostgroups which are created.

FreeIPA's implementation of sudo has thus far been separated between an
IPAsudo object and a compat translated sudo object.

Might it be a more lasting solution to have the compat and sudo plugin
refer to the hostgroup object and allow the Managed Entry and 'NIS
Compat' pieces to handle the sudo native translations?

That way we have a stand alone ipa centric model that allows us to
completely strip away the translation pieces when they are no longer
necessary (when sudo supports sssd).

Or would it make more sense to just modify the sudo plugin to allow for: a
single host, a hostgroup, and a netgroup as options for the memberHost
attr?

Thoughts?
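A small model of the compat behaviour the thread describes, added here as an illustration and not code from the slapi-nis or FreeIPA sudo plugins: a rule's memberHost that names a hostgroup is expanded to its member hosts' names, one that names a netgroup is emitted as "+netgroup", and a single host is passed through. The directory contents, the netgroup container cn=ng,cn=alt and the objectClass names used for dispatch are constructed assumptions for this example.

```python
# Added model of the compat translation discussed in this thread (not the
# slapi-nis plugin's own code). Directory contents are constructed inline.

# Constructed sample directory: DN -> attributes, in a FreeIPA-like layout
# (the netgroup container cn=ng,cn=alt is an assumption for this example).
DIRECTORY = {
    "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com": {
        "objectClass": ["ipahostgroup"],
        "cn": ["prod"],
        "member": [
            "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com",
            "fqdn=web2.example.com,cn=computers,cn=accounts,dc=example,dc=com",
        ],
    },
    "cn=prod,cn=ng,cn=alt,dc=example,dc=com": {
        "objectClass": ["ipanisnetgroup"],
        "cn": ["prod"],
    },
    "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com": {
        "objectClass": ["ipahost"], "fqdn": ["web1.example.com"]},
    "fqdn=web2.example.com,cn=computers,cn=accounts,dc=example,dc=com": {
        "objectClass": ["ipahost"], "fqdn": ["web2.example.com"]},
}


def rdn_value(dn):
    """Return the value of the leading RDN, e.g. 'prod' from 'cn=prod,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def sudo_host_values(member_host_dns, directory=DIRECTORY):
    """Translate a rule's memberHost DNs into sudoHost values as the thread describes."""
    values = []
    for dn in member_host_dns:
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling reference: emit nothing rather than a bogus host
        classes = {c.lower() for c in entry["objectClass"]}
        if "ipanisnetgroup" in classes:
            values.append("+" + rdn_value(dn))          # netgroup -> +name
        elif "ipahostgroup" in classes:
            for member_dn in entry.get("member", []):   # hostgroup -> member FQDNs
                values.extend(directory.get(member_dn, {}).get("fqdn", []))
        elif "ipahost" in classes:
            values.extend(entry["fqdn"])                 # single host -> its FQDN
    return values
```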
