[Freeipa-users] Sudo rules w/ external users (RHEL7)

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 14 08:48:59 UTC 2015


On Tue, 14 Apr 2015, Martin Kosek wrote:
>On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
>> On Mon, 13 Apr 2015, Gould, Joshua wrote:
>>> I’ve looked at the docs and it looks as if I can specify an external
>>> user who can have sudo rights via IPA.
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>>>
>>>
>>> The issue being that when I try to add my AD Trust user, it doesn’t
>>> allow the @ sign. (ex. gould@test.osuwmc).
>>>
>>> If I modify the sudo rule to allow all users, I can see that it allows
>>> my AD account sudo rights.
>>>
>>> $ sudo -l
>>>
>>> User gould@test.osuwmc may run the following commands on this host:
>>>    (ALL : ALL) ALL
>>>
>>> How can I configure the rule to allow certain AD users to be able to
>>> execute certain sudo rules?
>> Through external users' groups mechanism we use for any other AD users
>> mapping in HBAC and SUDO. These are not local (not defined in IPA but
>> defined on the host) groups and users but rather AD groups and users.
>>
>> ipa group-add --external gould_group_ext
>> ipa group-add-member gould_group_ext --external=gould@test.osuwmc
>> ipa group-add gould_group
>> ipa group-add-member gould_group --groups=gould_group_ext
>>
>> And now make sudo rule that allows users of gould_group to run needed
>> commands. SSSD will pull in all membership information for gould_group,
>> including AD users.
>
>Theoretically, adding AD users as *external* users to the SUDO rule should
>work, given they are stored as a bare string, no? See example of such rule below.
>
># ipa sudorule-show test --all --raw
>  dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
>  cn: test
>  ipaenabledflag: TRUE
>  hostcategory: all
>  externaluser: foouser
>  ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
>  memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
>  objectClass: ipasudorule
>  objectClass: ipaassociation
>
>The change in FreeIPA would be then only a matter of allowing users with '@' in
>'externaluser' attribute
You lose validation of the user name here (we do validate that AD user
in question exists). And externaluser* options are deprecated.
-- 
/ Alexander Bokovoy
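The chain Alexander describes (AD user -> external group -> POSIX group -> sudo rule) as one script. This is an added example, not code from the thread or from FreeIPA itself; the rule and group names, the single allowed command and the IPA_DRY_RUN wrapper are assumptions made for illustration. The `is_ad_user` check stands in for the validation that would be lost if a bare string were accepted directly in `externaluser`: only a fully qualified `user@DOMAIN` name is accepted, and the membership step is what makes IPA verify that the AD user actually exists.

```shell
#!/bin/sh
# Added example (not from the thread): map an AD-trust user into an IPA sudo
# rule through an external group and a POSIX group, then restrict the rule
# to a single command. Names below are made up for illustration.
# Set IPA_DRY_RUN=1 to print the ipa commands instead of executing them.
set -eu

# Run an ipa subcommand, or just echo it when IPA_DRY_RUN=1.
ipa_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Accept only a fully qualified AD principal (user@DOMAIN). A bare name would
# match nothing in the trusted domain, and a raw 'externaluser' string would
# never be checked against AD at all.
is_ad_user() {
    case "$1" in
        ?*@?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# ad_sudo_rule USER@DOMAIN RULE_NAME COMMAND
# Creates <rule>_ext (external group), <rule>_users (POSIX group), the sudo
# command object and the rule, then wires them together.
ad_sudo_rule() {
    user="$1"; rule="$2"; cmd="$3"
    is_ad_user "$user" || { echo "not a qualified AD user: $user" >&2; return 1; }
    ext_group="${rule}_ext"
    posix_group="${rule}_users"

    # External group: membership is the step at which IPA validates the AD user.
    ipa_cmd group-add --external "$ext_group"
    ipa_cmd group-add-member "$ext_group" --external="$user"
    # POSIX group that SSSD will expand, including the nested AD members.
    ipa_cmd group-add "$posix_group"
    ipa_cmd group-add-member "$posix_group" --groups="$ext_group"
    # Sudo command object and the rule; host category 'all' matches the thread's rule.
    ipa_cmd sudocmd-add "$cmd"
    ipa_cmd sudorule-add "$rule" --hostcat=all
    ipa_cmd sudorule-add-user "$rule" --groups="$posix_group"
    ipa_cmd sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# usage: IPA_DRY_RUN=1 sh ad_sudo_rule.sh gould@test.osuwmc gould_rule /usr/bin/systemctl
if [ $# -eq 3 ]; then
    ad_sudo_rule "$@"
fi
```

On a client, `sudo -l` as the AD user should then list only the allowed command rather than `(ALL : ALL) ALL`; if it lists nothing, check `getent group <rule>_users` on the client first, since the rule only works once SSSD resolves the nested AD membership.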




More information about the Freeipa-users mailing list