[Freeipa-users] Sudo issues with FreeIPA

Ondrej Valousek ovalousek at vendavo.com
Mon Dec 23 15:52:54 UTC 2013


There is the sss_cache command which should be able to handle this.
But it looks like it can handle everything BUT sudo rules :(
Ondrej
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dimitar Georgievski [mitkany at gmail.com]
Sent: Monday, December 23, 2013 4:16 PM
To: Lukas Slebodnik
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Sudo issues with FreeIPA

Hi Lukas,

Does the LDAP entry need to be removed or just modified? Could the LDAP entry be a sudo policy assigned to the user?

In my tests with modified sudo policies the cache entries would persist even after they were invalidated and the user re-authenticated with the LDAP server.  Unless I wanted to wait for a smart refresh of the cache I had to delete the entry from the cache with ldbdel and then restart the SSSD daemon.

I wonder if there is a better way to refresh the cache on demand.

Thanks,

Dimitar



On Sat, Dec 21, 2013 at 3:28 PM, Lukas Slebodnik <lslebodn at redhat.com> wrote:
On (20/12/13 18:42), Dimitar Georgievski wrote:
>Hi Dmitri,
>
>One follow up question about the management of the SSSD local cache. I've
>tried to clean cache entries with the sss_cache utility, but it looks like
>this utility is not working. I was able to confirm with ldbsearch that
>records for specific entries were not removed from the cache.
>
>This seems to be a bug. I can use ldbdel with a restart of the SSSD daemon,
>but just wanted to confirm with you. I suspect you would know more about
>this problem.  Unfortunately I wasn't able to find any info yet about this
>potential bug.
>
>thanks
>
>Dimitar
>
sss_cache does not remove users from the cache (sss_cache -U).
This utility sets the expiration of the account to the past (unix time with value 1),
because the user needs to be able to authenticate offline.
The entry will be removed from the cache if the user tries to
authenticate online and the entry has been removed from LDAP.

LS

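Added example (not code from the thread or from the SSSD project): a small parser for the LDIF-style output that ldbsearch prints when run against the SSSD cache database, which classifies each cached entry the way Lukas describes: sss_cache does not delete a user entry, it writes dataExpireTimestamp = 1, so the entry is still present but stale, while sudo rules it does not touch stay "fresh" and would need the manual ldbdel Dimitar mentions. The sample ldbsearch output, the DNs, the domain name and the timestamps are constructed for the example; the attribute names (dataExpireTimestamp, lastUpdate, objectClass user / sudoRule) and the cn=sysdb container layout follow SSSD's sysdb conventions as I understand them and should be checked against your own cache file.

```python
import base64

# Constructed sample, shaped like the output of
#   ldbsearch -H /var/lib/sss/db/cache_example.test.ldb
# after `sss_cache -U` has run: alice has been invalidated (timestamp 1),
# bob is still fresh, and the sudo rule was not touched at all.
NOW = 1387812000  # constructed "current" unix time for the example

SAMPLE_LDIF = """# record 1
dn: name=alice@example.test,cn=users,cn=example.test,cn=sysdb
objectClass: user
name: alice@example.test
uidNumber: 10001
dataExpireTimestamp: 1
lastUpdate: 1387810000

# record 2
dn: name=bob@example.test,cn=users,cn=example.test,cn=sysdb
objectClass: user
name: bob@example.test
uidNumber: 10002
dataExpireTimestamp: 1387815400
lastUpdate: 1387810000

# record 3
dn: name=allow_admins,cn=sudorules,cn=custom,cn=example.test,cn=sysdb
objectClass: sudoRule
name: allow_admins
sudoUser: alice
sudoHost: ALL
sudoCommand: ALL
dataExpireTimestamp: 1387815400
lastUpdate: 1387810000

# returned 3 records
"""


def parse_ldif(text):
    """Parse LDIF-like text into a list of {attribute: [values]} dicts.

    Handles folded lines (leading space continues the previous line),
    skips '#' comments, and decodes base64 values written with '::'.
    """
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)

    records, current = [], None
    for line in joined:
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):       # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if current is None:
            current = {}
        current.setdefault(key.strip(), []).append(value)
    if current:
        records.append(current)
    return records


def cache_status(record, now):
    """Classify one cached entry by its dataExpireTimestamp.

    'invalidated' is the value 1 that sss_cache writes; 'expired' is any
    other past timestamp; 'fresh' means SSSD will still serve it from cache.
    """
    ts = record.get("dataExpireTimestamp")
    if not ts:
        return "no-expiry"
    ts = int(ts[0])
    if ts == 1:
        return "invalidated"
    if ts <= now:
        return "expired"
    return "fresh"


def report(text, now):
    """Return (objectClass, name, status) for every record in ldbsearch output."""
    out = []
    for rec in parse_ldif(text):
        kind = rec.get("objectClass", ["?"])[0]
        name = rec.get("name", rec.get("dn", ["?"]))[0]
        out.append((kind, name, cache_status(rec, now)))
    return out


def ldbdel_targets(text, now):
    """DNs of sudo rules that are still fresh, i.e. the entries sss_cache left
    alone and that would have to be removed by hand with ldbdel (followed by an
    SSSD restart, as described in the thread). Only lists them; deletes nothing."""
    return [rec["dn"][0] for rec in parse_ldif(text)
            if rec.get("objectClass", [""])[0] == "sudoRule"
            and cache_status(rec, now) == "fresh"]


if __name__ == "__main__":
    for kind, name, status in report(SAMPLE_LDIF, NOW):
        print(f"{kind:9} {name:32} {status}")
    for dn in ldbdel_targets(SAMPLE_LDIF, NOW):
        print("still cached, would need ldbdel:", dn)
```

Run it against real output by piping `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb` into `parse_ldif` with the current time in place of NOW; the point of the classification is that "invalidated" entries are not gone, which is why ldbsearch still shows them after sss_cache.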