[Freeipa-users] Sudo configuration question

Jan Zelený jzeleny at redhat.com
Wed Dec 21 13:58:30 UTC 2011


> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > I have been working through configuring sudo via IPA and ran into the
> > following situation.
> > 
> > There is a directive in the documentation to configure
> > /etc/sssd/sssd.conf on the clients with something like the following:
> > 
> > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> > 
> > 
> > This is pulled from the docs here for reference:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> > 
> > This is fine and causes no problems, however, when I mistakenly left it
> > out on a few systems, sudo continued to function, so I am wondering what
> > it is that this directive does? Does this get sssd into the loop to
> > cache sudo rules for offline use?
> > 
> > Any ideas?
> 
> Sorry for the confusion in the other responses to this thread. The short
> answer is this: SUDO can use LDAP rules (as you clearly know). It does
> this with its own internal LDAP lookup (it doesn't currently go through
> SSSD to accomplish this).
> 
> However, SUDO rules can specify netgroups as part of their restrictions
> on who can do what (usually these are used to limit functions to certain
> hosts). In order to do this, SSSD needs to be configured to look up
> netgroups properly so that SUDO can use the 'getnetgrent()' glibc
> command to locate the netgroups.
> 
> The doc you are looking at is actually a bit out of date. It's no longer
> necessary to provide that option, because if it's unspecified, we set it
> automatically to cn=ng,cn=compat,dc=example,dc=com (using the
> appropriate base, of course).
> 
> Jan's comments about upstream work were that we recently made changes to
> avoid needing to use the compat tree for netgroup lookups and can
> instead use FreeIPA's native, custom schema for netgroups. That's not
> terribly relevant to you, but it's a useful piece of information.

Actually no, my comment was a reaction to the original question of whether the SSSD 
can get into the loop to cache sudo rules for offline use.

> So, in short, you don't need to set it, the doc is outdated.


Jan
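As an added example (not part of the thread, nor SSSD's or FreeIPA's own code), the following Python script shows how a client administrator could audit a set of sssd.conf files for the point made above: for each `[domain/...]` section it reports the netgroup search base sudo's `getnetgrent()` lookups will end up using, either the explicit `ldap_netgroup_search_base` or, when that option is left out, the default `cn=ng,cn=compat,<base>` that the reply says SSSD fills in. The sample configuration is constructed; the assumption that the default is built from `ldap_search_base` is a simplification (SSSD can also derive the base from the IPA domain, which this script does not model and reports as "unknown").

```python
"""Audit sssd.conf for the effective netgroup search base per domain.

Added example: constructed input, not a real host's configuration.
"""
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample sssd.conf: one IPA domain without the netgroup option
# (relies on SSSD's default) and one plain LDAP domain that sets it explicitly.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com, legacy

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ldap_search_base = dc=example,dc=com

[domain/legacy]
id_provider = ldap
ldap_search_base = dc=legacy,dc=test
ldap_netgroup_search_base = ou=netgroups,dc=legacy,dc=test
"""

# Default netgroup container under the compat tree, as stated in the thread.
DEFAULT_NETGROUP_RDN = "cn=ng,cn=compat"


def effective_netgroup_base(section: configparser.SectionProxy) -> Tuple[Optional[str], str]:
    """Return (search base, source) for one [domain/...] section.

    source is "explicit" when ldap_netgroup_search_base is set, "default" when
    it is derived from ldap_search_base (assumption: default is cn=ng,cn=compat
    under that base), and "unknown" when neither option is present.
    """
    explicit = section.get("ldap_netgroup_search_base")
    if explicit and explicit.strip():
        return explicit.strip(), "explicit"
    base = section.get("ldap_search_base")
    if base and base.strip():
        return f"{DEFAULT_NETGROUP_RDN},{base.strip()}", "default"
    return None, "unknown"


def netgroup_bases(conf_text: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Parse sssd.conf text and map each domain name to its effective netgroup base."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)
    result: Dict[str, Tuple[Optional[str], str]] = {}
    prefix = "domain/"
    for name in parser.sections():
        if not name.startswith(prefix):
            continue  # skip [sssd], [nss], [pam], ...
        result[name[len(prefix):]] = effective_netgroup_base(parser[name])
    return result


def report(conf_text: str) -> str:
    """Human-readable summary, one line per domain."""
    lines = []
    for domain, (base, source) in sorted(netgroup_bases(conf_text).items()):
        lines.append(f"{domain}: {base or '<not determinable from file>'} ({source})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SSSD_CONF))
```

Run against a real client's `/etc/sssd/sssd.conf` (readable by root only), a domain reported as "default" is the case discussed in the thread: the directive is absent, netgroup lookups still work, and sudo's netgroup restrictions keep resolving through `getnetgrent()`.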