[Freeipa-users] FreeIPA, SSSD, sudo and Local Users

Trevor T Kates (Services - 6) trevor.t.kates at dom.com
Wed Sep 10 21:58:27 UTC 2014


Hi all:

I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a quirky
problem. From what I've read thus far, sudo under SSSD can't provide sudo rules
for local users that are not part of the directory. To get around this, I've been
using the sudo-ldap.conf file to provide sudo with direct access to the directory.
This, however, can't make use of service discovery, so if the first server in the
ldap_uri list is taken down, sudo delays for the length of the timeout set. My
idea for getting around this has been to use sudo in SSSD for users that are in
the directory and let sudo-ldap take care of local users with a line in nsswitch.conf
like this:

sudoers: files sss ldap

My problem now seems to be that the ldap query is still run even if a successful hit
is made to sssd. Changing the line in nsswitch.conf to:

sudoers: files sss [success=return] ldap

doesn't seem to actually work.

Does anyone have pointers on how I can resolve this particular problem?

Thanks!


Trevor T. Kates
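As an added illustration (not code from the post, from sudo or from SSSD), here is a small Python model of the glibc-style status-action syntax used in the nsswitch.conf lines above, showing what `[success=return]` is meant to do to the lookup chain. The source names, sample users, rule strings and the "every action is continue unless overridden" default are constructed assumptions for the model, not a description of sudo's own parser.

```python
import re

# Constructed model of an nsswitch.conf "sudoers:" chain with glibc-style
# status actions. Illustrates the intent of "[success=return]"; not sudo's code.
STATUSES = ("success", "notfound", "unavail", "tryagain")

def parse_sudoers_line(nsswitch_text):
    """Return [(source, {status: action})] for the 'sudoers:' entry."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("sudoers:"):
            continue
        chain = []
        # A bracketed action block may contain spaces, so tokenise it whole.
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("sudoers:"):]):
            if tok.startswith("["):
                if not chain:
                    raise ValueError("action block before any source")
                for pair in tok[1:-1].split():
                    status, action = pair.lower().split("=", 1)
                    chain[-1][1][status] = action
            else:
                chain.append((tok.lower(), {s: "continue" for s in STATUSES}))
        return chain
    raise ValueError("no sudoers: entry found")

def lookup(chain, user, sources):
    """Consult sources in order. `sources` maps a source name to a function
    returning (status, rules). Returns (sources consulted, merged rules).
    With every action 'continue' (the assumed default), a hit in sss does
    not stop the chain, so ldap is still queried; 'return' stops there."""
    consulted, rules = [], []
    for name, actions in chain:
        consulted.append(name)
        status, found = sources[name](user)
        rules.extend(found)
        if actions[status] == "return":
            break
    return consulted, rules

# Constructed sample data: 'alice' is a directory user known to sssd,
# 'bob' is a local-only user whose rule is served only by the ldap source.
SAMPLE_SOURCES = {
    "files": lambda u: ("notfound", []),
    "sss": lambda u: ("success", ["alice ALL=(ALL) ALL"]) if u == "alice" else ("notfound", []),
    "ldap": lambda u: ("success", ["%s ALL=(ALL) ALL" % u]),
}
```

Running `lookup(parse_sudoers_line("sudoers: files sss [success=return] ldap"), "alice", SAMPLE_SOURCES)` consults only `files` and `sss`, while the same line without the action block consults all three sources.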
