[Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

Dmitri Pal dpal at redhat.com
Thu Jan 8 15:15:53 UTC 2015


On 01/08/2015 10:00 AM, Lance Reed wrote:
> I am trying to figure out how (or if it's even possible) to use
> wildcard type sudo rules in FreeIPA.
>
> I setup Sudo rules usage and so far seems to be working - at least if
> I setup ALL type rules for Hosts.
>
> However it looks like I have to add specific allowed hosts in the GUI
> as they either appear in the host list or add them in the External
> option box.  However that makes it messy / non-scalable if I want to
> create a group of users that have access to a large number of host
> types, say db servers or something.
>
> File based sudo rules allow for constructs such as:
>
> someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh
>
> Which allows someuser to have sudo options on any hostname matching
> *dbserver* and then run the command allowed.  This all currently seems
> doable in IPA except the wildcard part for hostnames / domains etc.
>
> Apologies if I missed this in the docs.
>
> Thanks in advance for any ideas (command line methods?)

I think to solve this problem with IPA you need to define sudo rules for 
a host group "dbserver" (or whatever name you choose)
and then use automembership [1] rules to automatically manage the 
membership of your servers in that group.
Starting with 4.1, automembership rules can be reapplied to already existing 
entries [2]. Before that the rules applied only to new entries being 
created.

[1] - http://www.port389.org/docs/389ds/design/automember-design.html (I 
do not think there is an IPA design page, but IPA uses the DS plugin)
[2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership


HTH
Thanks
Dmitri
>
> Running:
> ipa-server-3.0.0-37
> sssd-1.9.2
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
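Since the original question asked for command line methods, here is the host-group plus automembership approach from the reply scripted with the `ipa` CLI. This is an added example, not code from the thread or from the FreeIPA project; the host group name `dbservers`, the sudo rule name `dbserver-admins`, the user, the sample host names and the `HOST_REGEX` pattern are all assumptions, and the `automember-rebuild` step at the end only exists on IPA 4.1 or later (reference [2] in the reply), so on the 3.0.0 server mentioned in the question it has to be left out and existing hosts re-added or the rule applied some other way.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project):
# replace a file-based "someusername *dbserver* = command" sudo line with an
# IPA host group whose membership is driven by an automember regex.
# All names below are assumptions for illustration.
set -eu

HOSTGROUP="dbservers"
RULE="dbserver-admins"
SUDO_USER_NAME="someusername"
ADMIN_CMD="/opt/appname/admintools/run_admin_tools.sh"
# Regex the automember plugin matches against each host's fqdn attribute;
# an unanchored pattern matches anywhere in the name, like the sudoers glob.
HOST_REGEX='.*dbserver.*'

# IPA_DRY_RUN=1 (the default) prints each ipa command instead of running it,
# so the script can be reviewed on a machine without an IPA server.
IPA_DRY_RUN="${IPA_DRY_RUN:-1}"

run() {
    if [ "$IPA_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Local sanity check before touching the directory: does HOST_REGEX select a
# given fqdn? Exit status 0 means the host would join the group.
host_matches() {
    printf '%s\n' "$1" | grep -Eq "$HOST_REGEX"
}

# Constructed sample inventory used only to preview the regex's effect.
SAMPLE_HOSTS="db01.dbserver.example.com
prod-dbserver-02.example.com
web01.example.com"

# Print the sample hosts that HOST_REGEX would pull into the host group.
preview_members() {
    printf '%s\n' "$SAMPLE_HOSTS" | grep -E "$HOST_REGEX"
}

setup_dbserver_sudo() {
    # 1. Host group that the sudo rule will reference instead of single hosts.
    run ipa hostgroup-add "$HOSTGROUP" --desc="Database servers"
    # 2. Automember rule: any host whose fqdn matches HOST_REGEX is added to
    #    the group automatically when the host entry is created.
    run ipa automember-add --type=hostgroup "$HOSTGROUP"
    run ipa automember-add-condition --type=hostgroup --key=fqdn \
        --inclusive-regex="$HOST_REGEX" "$HOSTGROUP"
    # 3. Register the command and build the rule: user, host group, command.
    run ipa sudocmd-add "$ADMIN_CMD"
    run ipa sudorule-add "$RULE"
    run ipa sudorule-add-user "$RULE" --users="$SUDO_USER_NAME"
    run ipa sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    run ipa sudorule-add-allow-command "$RULE" --sudocmds="$ADMIN_CMD"
    # 4. IPA 4.1 or later only: re-evaluate automember rules against hosts
    #    that already exist; older servers apply rules to new entries only.
    run ipa automember-rebuild --type=hostgroup
}

echo "Hosts the regex would select from the sample inventory:"
preview_members
echo "Commands to run against the IPA server:"
setup_dbserver_sudo
```

Run it once in the default dry-run mode to review the regex preview and the command list, then `IPA_DRY_RUN=0 sh script.sh` after a `kinit` as an administrator to apply it. Scoping the rule to a host group rather than to individual hosts or External entries is what keeps the rule reviewable: the set of machines that can run the command is visible in one place (`ipa hostgroup-show dbservers`) rather than spread across many rules.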



