[Freeipa-users] Sudo works for full access, but not on a per command or host level.

Dmitri Pal dpal at redhat.com
Wed Oct 17 18:57:11 UTC 2012


On 10/17/2012 01:05 PM, Macklin, Jason wrote:
> Thanks guys!  Adding the "-b" did make a world of difference though it still doesn't make anything too obvious... at least to me.
>
> [jmacklin at dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H ldap://dbduvdu145.dbr.roche.com -b "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> SASL/GSSAPI authentication started
> SASL username: admin at DBR.ROCHE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <ou=SUDOers,dc=dbr,dc=roche,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # sudoers, dbr.roche.com
> dn: ou=sudoers,dc=dbr,dc=roche,dc=com
> objectClass: extensibleObject
> ou: sudoers
>
> # test4, sudoers, dbr.roche.com
> dn: cn=test4,ou=sudoers,dc=dbr,dc=roche,dc=com
> objectClass: sudoRole
> sudoUser: asteinfeld
> sudoHost: dbduwdu062.dbr.roche.com
> sudoHost: +tempsudo
> sudoCommand: ALL
> cn: test4

This means that user "asteinfeld" should be allowed to execute any
command on host "dbduwdu062.dbr.roche.com" or any host that is a member
of the "tempsudo" host group.
Is this the user you are making tests with?

Keep in mind the other general prerequisites: If you use netgroups the
domain should be correct and the netgroups should be configured.
Also HBAC should allow this user to authenticate via sudo on this host.
AFAIR your HBAC is now wide open but when you start changing things to
narrow access you need to make HBAC rules for SUDO too. 
>
> # switch, sudoers, dbr.roche.com
> dn: cn=switch,ou=sudoers,dc=dbr,dc=roche,dc=com
> objectClass: sudoRole
> sudoUser: oyilmaz
> sudoHost: dbdusdu071.dbr.roche.com
> sudoCommand: /bin/su
> cn: switch

This rule allows "oyilmaz" to execute one command "/bin/su" on host
"dbdusdu071.dbr.roche.com".
>
> # jing144, sudoers, dbr.roche.com
> dn: cn=jing144,ou=sudoers,dc=dbr,dc=roche,dc=com
> objectClass: sudoRole
> sudoUser: jli
> sudoHost: dbduvdu144.dbr.roche.com
> sudoCommand: ALL
> cn: jing144

I hope you can now deduce the meaning of this one :-)

>
> # Admin, sudoers, dbr.roche.com
> dn: cn=Admin,ou=sudoers,dc=dbr,dc=roche,dc=com
> objectClass: sudoRole
> sudoUser: jmacklin
> sudoUser: mrini
> sudoUser: cgajare
> sudoUser: parnold
> sudoUser: hhebert
> sudoUser: ckuecherer
> sudoUser: gferreri
> sudoHost: ALL
> sudoCommand: ALL
> cn: Admin

given users ALL commands on any host.

> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 5
>
> I really appreciate all of the help!
>
> Cheers,
> Jason
>

So with this knowledge can you try different combinations of users and
hosts and provide the results?
You might want to remove the Admin for now to get it out of the picture.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
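As an added example (not code from FreeIPA, SSSD or sudo), the following models how the sudoRole entries discussed above are evaluated: a user/host/command request is granted only when one role matches on all three attributes, with a +netgroup host match resolved through an assumed netgroup table (the tempsudo membership is invented for the example); user-side %group and +netgroup forms are not modelled.

```python
# Added example, not FreeIPA or sudo code: a simplified model of how sudo's
# LDAP backend evaluates sudoRole entries (user AND host AND command must match).
import fnmatch
# Constructed LDIF in the same shape as the entries quoted above.
LDIF = """\
dn: cn=test4,ou=sudoers,dc=dbr,dc=roche,dc=com
objectClass: sudoRole
sudoUser: asteinfeld
sudoHost: dbduwdu062.dbr.roche.com
sudoHost: +tempsudo
sudoCommand: ALL

dn: cn=switch,ou=sudoers,dc=dbr,dc=roche,dc=com
objectClass: sudoRole
sudoUser: oyilmaz
sudoHost: dbdusdu071.dbr.roche.com
sudoCommand: /bin/su
"""
# Assumed netgroup membership; on a real client this comes from NSS/SSSD.
NETGROUPS = {"tempsudo": {"dbduvdu144.dbr.roche.com"}}

def parse_sudo_roles(text):
    # Split LDIF into entries (attr -> list of values), keeping sudoRole ones.
    roles = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry.setdefault(attr, []).append(val)
        if "sudoRole" in entry.get("objectClass", []):
            roles.append(entry)
    return roles

def host_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("+"):  # +netgroup: host must belong to that netgroup
        return host in NETGROUPS.get(pattern[1:], set())
    return fnmatch.fnmatchcase(host, pattern)  # sudoHost may use shell wildcards

def allowed(roles, user, host, command):
    # Return the dn of the first role granting user@host the command, else None.
    for role in roles:
        users = role.get("sudoUser", [])
        if "ALL" not in users and user not in users:  # %group/+netgroup users not modelled
            continue
        if not any(host_matches(p, host) for p in role.get("sudoHost", [])):
            continue
        if any(p in ("ALL", command) for p in role.get("sudoCommand", [])):
            return role["dn"][0]
    return None
```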