[Freeipa-users] Sudo issues with FreeIPA
Lukas Slebodnik
lslebodn at redhat.com
Mon Dec 23 20:34:01 UTC 2013
On (23/12/13 10:16), Dimitar Georgievski wrote:
>Hi Lukas,
>
>Does the LDAP entry need to be removed or just modified? Could the LDAP
>entry be a sudo policy assigned to the user?
>
Sudo rules are a special case; I didn't notice anything about sudo rules
in the previous mail. There is a periodic task in sssd for refreshing sudo
rules because of the current LDAP schema.
>In my tests with modified sudo policies the cache entries would persist
>even after they were invalidated and the user re-authenticated with the
>LDAP server. Unless I wanted to wait for a smart refresh of the cache I
>had to delete the entry from the cache with ldbdel and then restart the
>SSSD daemon.
>
>I wonder if there is a better way to refresh the cache on demand.
sss_cache does not work with sudo rules. If you are testing something,
you can manually remove the sssd cache (rm /var/lib/sss/db/cache_*.ldb).
If you don't like the behaviour in production, you can decrease the refresh
interval.
man sssd-sudo
-> THE SUDO RULE CACHING MECHANISM
and for sudo configuration options:
man sssd-ldap
-> SUDO OPTIONS
LS
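As an added illustration of the "decrease the refresh interval" advice above (this fragment is not from the original post or from the SSSD project's own documentation), here is a minimal sssd.conf showing the two sudo refresh timers from the SUDO OPTIONS section of sssd-ldap(5) with their defaults commented beside shorter values. The domain name, search base and the chosen intervals are assumed placeholders for an IPA setup where sudo rules are fetched over LDAP.

```ini
# /etc/sssd/sssd.conf (illustrative fragment, not from the original thread)
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com

# Sudo rules are fetched through the LDAP sudo provider.
sudo_provider = ldap
# Assumed search base; adjust to your IPA suffix.
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

# Smart refresh: fetch only rules added or modified since the last refresh.
# Default is 900 seconds (15 minutes); 300 picks up edited rules sooner.
ldap_sudo_smart_refresh_interval = 300

# Full refresh: re-download every rule and drop rules deleted on the server.
# Default is 21600 seconds (6 hours); 3600 shortens how long a removed
# rule can linger in the cache.
ldap_sudo_full_refresh_interval = 3600
```

Two points worth keeping in mind when tuning these: only the full refresh removes rules that were deleted on the server, so a smart refresh alone will not make a revoked policy disappear from the cache; and both timers run per client, so shortening them on a large fleet multiplies the query load on the IPA directory servers. For a one-off test, stopping sssd before removing the cache files and starting it again afterwards avoids deleting the ldb files out from under a running daemon.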