[Freeipa-users] sudo rules in IPA infrastructure

David Copperfield cao2dan at yahoo.com
Sat May 19 22:11:44 UTC 2012


Hi Jakub and Rich,

Got it.

Thanks a lot on the HBAC and sudoers maps access. I think I got confused with the graph in the PowerPoint presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf. The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go through sssd, while other maps (sudo, autofs?) would go through nss_ldap.

So it could be that FreeIPA has been further developed to provide DIRECTLY more mappings without the help of pam_(ldap/kerberos) and nss_ldap? To Rich, could you confirm that -- and probably more mappings -- in this version 2.1.3-9 on Red Hat 6.2? If not, how about 2.2 on Red Hat 6.3 Beta? Thanks a lot.

Have a nice weekend.

--Gelen





________________________________
 From: Jakub Hrozek <jhrozek at redhat.com>
To: Gelen James <hahaha_30k at yahoo.com> 
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Saturday, May 19, 2012 10:16 AM
Subject: Re: [Freeipa-users] sudo rules in IPA infrastructure
 
On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote:
>    Hi all,
>     Are the sudo rules applied to IPA clients through nss_ldap, instead of
>    sssd? 

Neither :-)

sudo looks up the user information via the standard name-service-switch
maps, so if your machine is configured to fetch user and group
information using the sss NSS module in nsswitch.conf, then the requests
get to sssd.

As Stephen Ingram pointed out elsewhere in this thread, sudo only reads
the nss_ldap/nss-pam-ldapd config files but establishes the connection
to the LDAP server and fetches the data on its own.
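To make the lookup split concrete, here is an added POSIX sh checker (not code from the thread or from FreeIPA) that reads nsswitch.conf and sudo's LDAP config as text and reports which source serves passwd/group/netgroup (the sss module, so sssd) and which serves sudoers (ldap, which sudo fetches on its own). The sample file contents, hostname and sudoers_base DN are constructed; the key names uri, sudoers_base and ssl come from sudoers.ldap(5), and the config file path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: report how a client resolves
# users/groups (NSS) versus sudoers (sudo's own LDAP client).
# Inputs are passed as text so the checks run offline on constructed samples.

# Source list for one nsswitch.conf database, e.g. "files sss"; empty if absent.
nss_sources() {   # $1 = nsswitch.conf text, $2 = database name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Value of one "key value" line from sudo's LDAP config; empty if absent.
ldap_key() {      # $1 = config text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" | head -n 1
}

# Check sudo's LDAP config (assumed path: /etc/sudo-ldap.conf on RHEL, or the
# nss_ldap /etc/ldap.conf): it needs a uri and a sudoers_base, and the link
# should be TLS-protected (ldaps:// uri or "ssl start_tls"). Prints "ok" or problems.
sudo_ldap_check() {  # $1 = sudo LDAP config text
    uri=$(ldap_key "$1" uri)
    base=$(ldap_key "$1" sudoers_base)
    ssl=$(ldap_key "$1" ssl)
    problems=""
    [ -n "$uri" ]  || problems="$problems no-uri"
    [ -n "$base" ] || problems="$problems no-sudoers_base"
    case "$uri" in
        ldaps://*) ;;
        *) [ "$ssl" = "start_tls" ] || problems="$problems cleartext" ;;
    esac
    if [ -n "$problems" ]; then printf '%s\n' "${problems# }"; else printf 'ok\n'; fi
}

# Constructed sample files (hostname and DN are placeholders).
NSSWITCH='passwd:    files sss
group:     files sss
netgroup:  files sss
sudoers:   files ldap'

SUDO_LDAP='uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls'

main() {
    for db in passwd group netgroup sudoers; do
        printf '%-8s -> %s\n' "$db" "$(nss_sources "$NSSWITCH" "$db")"
    done
    printf 'sudo LDAP config: %s\n' "$(sudo_ldap_check "$SUDO_LDAP")"
}
main
```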
