[Freeipa-users] Sudo rules w/ external users (RHEL7)

Martin Kosek mkosek at redhat.com
Tue Apr 14 06:58:16 UTC 2015 

On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
> On Mon, 13 Apr 2015, Gould, Joshua wrote:
>> I’ve looked at the docs and it looks as if I can specify an external
>> user who can have sudo rights via IPA.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>>
>>
>> The issue being that when I try to add my AD Trust user, it doesn’t
>> allow the @ sign. (ex. gould at test.osuwmc).
>>
>> If I modify the sudo rule to allow all users, I can see that it allows
>> my AD account sudo rights.
>>
>> $ sudo –l
>>
>> User gould at test.osuwmc may run the following commands on this host:
>>    (ALL : ALL) ALL
>>
>> How can I configure the rule to allow certain AD users to be able to
>> execute certain sudo rules?
> Through external users' groups mechanism we use for any other AD users
> mapping in HBAC and SUDO. These are not local (not defined in IPA but
> defined on the host) groups and users but rather AD groups and users.
> 
> ipa group-add --external gould_group_ext
> ipa group-add-member gould_group_ext --external=gould at test.osuwmc
> ipa group-add gould_group
> ipa group-add-member gould_group --groups=gould_group_ext
> 
> And now make sudo rule that allows users of gould_group to run needed
> commands. SSSD will pull in all membership information for gould_group,
> including AD users.

Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See example of such rule below..

# ipa sudorule-show test --all --raw
  dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
  cn: test
  ipaenabledflag: TRUE
  hostcategory: all
  externaluser: foouser
  ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
  memberallowcmd:
ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
  objectClass: ipasudorule
  objectClass: ipaassociation

The change in FreeIPA would be then only a matter of allowing users with '@' in
'externaluser' attribute

More information about the Freeipa-users mailing list