[Freeipa-users] Sudo rules w/ external users (RHEL7)

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 13 15:37:43 UTC 2015


On Mon, 13 Apr 2015, Gould, Joshua wrote:
>I’ve looked at the docs and it looks as if I can specify an external
>user who can have sudo rights via IPA.
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>
>The issue being that when I try to add my AD Trust user, it doesn’t
>allow the @ sign. (ex. gould@test.osuwmc).
>
>If I modify the sudo rule to allow all users, I can see that it allows
>my AD account sudo rights.
>
>$ sudo -l
>
>User gould@test.osuwmc may run the following commands on this host:
>    (ALL : ALL) ALL
>
>How can I configure the rule to allow certain AD users to be able to
>execute certain sudo rules?
Through the external groups mechanism we use for mapping any other AD
users in HBAC and SUDO. These are not local groups and users (not defined
in IPA but defined on the host) but rather AD groups and users.

ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould@test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make a sudo rule that allows users of gould_group to run the needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.

-- 
/ Alexander Bokovoy
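The full procedure from the reply above (external group, POSIX group, then the sudo rule that references the POSIX group), wrapped into one shell function as an added example. This is not code from the original thread or from the FreeIPA project; the group basename, the sudo rule name (`<base>_sudo`), the allowed command (`/usr/bin/systemctl`) and the `--hostcat=all` host category are assumptions chosen for illustration. The `ipa` subcommands and options used are the standard FreeIPA CLI ones. Setting `IPA=echo` prints the commands instead of running them, which is handy for reviewing the change before it touches the directory.

```shell
#!/bin/sh
# Added example, not from the original post: grant members of an AD-trust
# user's external group a specific sudo command via an IPA sudo rule.
# Set IPA=echo for a dry run that only prints the ipa invocations.
IPA="${IPA:-ipa}"

# grant_ad_user_sudo <ad-user@AD.DOMAIN> <basename> </path/to/command>
#   1. <basename>_ext : non-POSIX "external" group holding the AD user (SID-based)
#   2. <basename>     : POSIX group that nests the external group; sudo/HBAC
#                       rules can only reference IPA (POSIX) groups
#   3. <basename>_sudo: sudo rule letting members of <basename> run <command>
#                       on all hosts (hostcat=all is an assumption here)
grant_ad_user_sudo() {
    ad_user="$1"; base="$2"; cmd="$3"
    [ -n "$ad_user" ] && [ -n "$base" ] && [ -n "$cmd" ] || return 2

    $IPA group-add --external "${base}_ext" || return 1
    $IPA group-add-member "${base}_ext" --external="$ad_user" || return 1
    $IPA group-add "$base" || return 1
    $IPA group-add-member "$base" --groups="${base}_ext" || return 1

    # Register the command object first, then build the rule around it.
    $IPA sudocmd-add "$cmd" || return 1
    $IPA sudorule-add "${base}_sudo" --hostcat=all || return 1
    $IPA sudorule-add-user "${base}_sudo" --groups="$base" || return 1
    $IPA sudorule-add-allow-command "${base}_sudo" --sudocmds="$cmd" || return 1
}

# Example invocation with the user from the thread (run as an IPA admin,
# after kinit). On the client, flush SSSD's cache (sss_cache -E) and check
# with `sudo -l` as the AD user; the rule should list only <command>.
grant_ad_user_sudo 'gould@test.osuwmc' gould_group /usr/bin/systemctl
```

Listing only the specific command in the rule, rather than the `(ALL : ALL) ALL` that the all-users rule in the original message produced, is the point of going through the group: the AD user gets exactly the commands the rule names, and membership can be revoked by removing the user from the external group without touching the rule.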