[Freeipa-users] Sudo rules w/ external users (RHEL7)

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 13 16:16:15 UTC 2015


On Mon, 13 Apr 2015, Gould, Joshua wrote:
>On 4/13/15, 11:37 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
>>Through external users' groups mechanism we use for any other AD users
>>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>>defined on the host) groups and users but rather AD groups and users.
>>
>>ipa group-add --external gould_group_ext
>>ipa group-add-member gould_group_ext --external=gould at test.osuwmc
>>ipa group-add gould_group
>>ipa group-add-member gould_group --groups=gould_group_ext
>>
>>And now make sudo rule that allows users of gould_group to run needed
>>commands. SSSD will pull in all membership information for gould_group,
>>including AD users.
>
>Just curious, but if we don't plan on using any IPA native users, could
>you skip the last two commands and add gould_group_ext to the sudo rule?
No. gould_group_ext has no POSIX attributes and thus is not visible to
sudo.

>I've seen this same basic example used for HBAC, but it never was clear to
>me why the IPA group needed to be added if you're only concerned with AD
>users? Does it need to be added or do the examples include the IPA group
>because they assume that you'll be wanting to use a mix of AD and IPA
>users for HBAC and sudo?
The schema IPA uses for storing group membership requires the existence of
an object in LDAP. AD users and groups don't exist in IPA LDAP and thus
cannot be addressed directly. For doing this we create a real LDAP
object which has a reference to the AD user/group's SID as a string. SSSD
knows about this arrangement and properly pulls information from this
LDAP object whenever it is encountered as a member of a POSIX group. As a
result, you can see an AD user or group as a member of a POSIX group, but we
need a helper object to allow this magic to work.

-- 
/ Alexander Bokovoy
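The full flow from the reply above, carried through to the sudo rule and a check that shows why the external helper group alone is not enough, as an added example that is not part of the original thread. The rule name `gould_sudo` and the allowed command `/usr/bin/systemctl` are assumptions; the group and user names are the ones from the thread.

```bash
#!/bin/bash
# Added example (not from the thread): external AD group -> POSIX group -> sudo rule.
set -euo pipefail

EXT_GROUP=gould_group_ext          # helper object carrying the AD SID, no POSIX attributes
POSIX_GROUP=gould_group            # POSIX group that sudo/HBAC can actually see
AD_USER='gould@test.osuwmc'
RULE=gould_sudo                    # assumed rule name
ALLOWED_CMD=/usr/bin/systemctl     # assumed command

# Read `ipa group-show` output on stdin; succeed only if the group carries a GID.
# External groups print "External member: S-1-5-..." but no GID line, which is
# exactly why they are invisible to sudo.
has_gid() { grep '^[[:space:]]*GID:' >/dev/null; }

setup() {
  ipa group-add --external "$EXT_GROUP"
  ipa group-add-member "$EXT_GROUP" --external="$AD_USER"
  ipa group-add "$POSIX_GROUP"
  ipa group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
  # Scope the rule to all hosts but only one explicit command.
  ipa sudocmd-add "$ALLOWED_CMD"
  ipa sudorule-add "$RULE" --hostcat=all
  ipa sudorule-add-allow-command "$RULE" --sudocmds="$ALLOWED_CMD"
  ipa sudorule-add-user "$RULE" --groups="$POSIX_GROUP"   # POSIX group, not the _ext one
}

# Server-side sanity check: refuse a group that sudo would never resolve.
require_posix_group() {
  if ! ipa group-show "$1" | has_gid; then
    echo "error: $1 has no GID; sudo cannot reference it" >&2
    return 1
  fi
}

# Client-side check (run on an enrolled host as root): membership via SSSD and
# the resulting sudo privileges for the AD user.
verify_client() {
  id "$AD_USER"
  getent group "$POSIX_GROUP"
  sudo -l -U "$AD_USER"
}

case "${1:-}" in
  apply)  setup; require_posix_group "$POSIX_GROUP" ;;
  check)  verify_client ;;
esac
```

Run `./script apply` on the IPA server and `./script check` on an enrolled client; with no argument the script only defines the functions.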
