[Freeipa-users] Sudo rules w/ external users (RHEL7)
Martin Kosek
mkosek at redhat.com
Tue Apr 14 06:58:16 UTC 2015
On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
> On Mon, 13 Apr 2015, Gould, Joshua wrote:
>> I’ve looked at the docs and it looks as if I can specify an external
>> user who can have sudo rights via IPA.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>>
>>
>> The issue being that when I try to add my AD Trust user, it doesn’t
>> allow the @ sign. (ex. gould at test.osuwmc).
>>
>> If I modify the sudo rule to allow all users, I can see that it allows
>> my AD account sudo rights.
>>
>> $ sudo –l
>>
>> User gould at test.osuwmc may run the following commands on this host:
>> (ALL : ALL) ALL
>>
>> How can I configure the rule to allow certain AD users to be able to
>> execute certain sudo rules?
> Through external users' groups mechanism we use for any other AD users
> mapping in HBAC and SUDO. These are not local (not defined in IPA but
> defined on the host) groups and users but rather AD groups and users.
>
> ipa group-add --external gould_group_ext
> ipa group-add-member gould_group_ext --external=gould at test.osuwmc
> ipa group-add gould_group
> ipa group-add-member gould_group --groups=gould_group_ext
>
> And now make sudo rule that allows users of gould_group to run needed
> commands. SSSD will pull in all membership information for gould_group,
> including AD users.
Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See example of such rule below..
# ipa sudorule-show test --all --raw
dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
cn: test
ipaenabledflag: TRUE
hostcategory: all
externaluser: foouser
ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
memberallowcmd:
ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
objectClass: ipasudorule
objectClass: ipaassociation
The change in FreeIPA would be then only a matter of allowing users with '@' in
'externaluser' attribute
More information about the Freeipa-users
mailing list