[Freeipa-users] Wildcard type usage in sudo rules with FreeIPA.

Dmitri Pal dpal at redhat.com
Thu Jan 8 16:00:51 UTC 2015


On 01/08/2015 10:42 AM, Lance Reed wrote:
> Thanks Dmitri!
>
> That at least tells me to stop attempting things that are going to not work.
> I will look into the automember info.
> Currently I don't think that will work for us since we are using IPA
> essentially as just LDAP and not using the IPA client (but using SSSD
> on the hosts) and I don't register hosts directly in IPA.  We did not
> really want / need that extra overhead but did like the other
> integrated components of IPA.

SSSD is the client. ipa-client is just a configuration script that 
configures SSSD.
Having a host entry has a lot of benefits for access control and policies.

It seems that you have somewhat limited yourself with the approach 
you have taken.


>
> Thanks so much for the info.
>
> On Thu, Jan 8, 2015 at 10:15 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 01/08/2015 10:00 AM, Lance Reed wrote:
>>> I am trying to figure out how (or if its even possible) to use
>>> wildcard type sudo rules in FreeIPA.
>>>
>>> I set up sudo rule usage and so far it seems to be working - at least if
>>> I set up ALL type rules for Hosts.
>>>
>>> However it looks like I have to add specific allowed hosts in the GUI
>>> as they either appear in the host list or add them in the External
>>> option box.  However that makes it messy / non-scalable if I want to
>>> create a group of users that have access to a large number of host
>>> types, say db servers or something.
>>>
>>> File based sudo rules allow for constructs such as:
>>>
>>> someusername *dbserver* = /opt/appname/admintools/run_admin_tools.sh
>>>
>>> Which allows someuser to have sudo options on any hostname matching
>>> *dbserver* and then run the command allowed.  This all currently seems
>>> doable in IPA except the wildcard part for hostnames / domains etc.
>>>
>>> Apologies if I missed this in the docs.
>>>
>>> Thanks in advance for any ideas (command line methods?)
>>
>> I think to solve this problem with IPA you need to define sudo rules for a
>> host group "dbserver" (or whatever name you choose)
>> and then use automembership [1] rules to automatically manage the
>> membership of your servers in that group.
>> Starting with 4.1, automembership rules can be reapplied to already existing
>> entries [2]. Before that the rules applied only to new entries being
>> created.
>>
>> [1] - http://www.port389.org/docs/389ds/design/automember-design.html (I do
>> not think there is an IPA design page but IPA uses DS plugin)
>> [2] - http://www.freeipa.org/page/V4/Automember_rebuild_membership
>>
>>
>> HTH
>> Thanks
>> Dmitri
>>>
>>> Running:
>>> ipa-server-3.0.0-37
>>> sssd-1.9.2
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
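As an added example (not code from this thread or from the FreeIPA project), the approach Dmitri describes expressed with the ipa CLI: a host group whose membership is maintained by an automember regex on fqdn, with the sudo rule bound to that group instead of to individual hosts. It assumes the hosts are enrolled so that host entries exist, that the admin holds a Kerberos ticket, that the group, rule and command names and example.com are placeholders, and that grep -E agrees with the server's regex engine for the dry-run check.

```shell
#!/bin/sh
# Added example: "*dbserver*" as an automember-managed IPA host group.
# Assumed placeholders: dbservers, db_admin_tools, example.com, someusername.

HOSTGROUP="dbservers"
# Inclusive regex the automember plugin evaluates against each host's fqdn.
DBSERVER_REGEX='^[^.]*dbserver[^.]*\.example\.com$'

# Dry run: would this fqdn satisfy the inclusive regex? (grep -E is assumed
# to agree with the server-side regex engine for a pattern this simple.)
fqdn_matches() {
    printf '%s\n' "$1" | grep -Eq "$DBSERVER_REGEX"
}

# Preview which of the given (constructed) hostnames would land in the group,
# so the condition can be checked before any membership is rebuilt.
preview_members() {
    for h in "$@"; do
        if fqdn_matches "$h"; then printf '%s\n' "$h"; fi
    done
}

# The actual IPA configuration; needs the ipa CLI and an admin ticket.
apply_ipa_config() {
    ipa hostgroup-add "$HOSTGROUP" --desc="Database servers (automember)"
    ipa automember-add --type=hostgroup "$HOSTGROUP"
    ipa automember-add-condition --type=hostgroup "$HOSTGROUP" \
        --key=fqdn --inclusive-regex="$DBSERVER_REGEX"
    # Only IPA 4.1+ can re-apply the rule to hosts that already exist
    # (see [2] in the thread); on 3.0 only new host entries are evaluated.
    ipa automember-rebuild --type=hostgroup "$HOSTGROUP"
    ipa sudocmd-add /opt/appname/admintools/run_admin_tools.sh
    ipa sudorule-add db_admin_tools
    ipa sudorule-add-user db_admin_tools --users=someusername
    ipa sudorule-add-host db_admin_tools --hostgroups="$HOSTGROUP"
    ipa sudorule-add-allow-command db_admin_tools \
        --sudocmds=/opt/appname/admintools/run_admin_tools.sh
}

# Pass "apply" to configure the server; otherwise only run the preview.
if [ "${1:-}" = "apply" ]; then
    apply_ipa_config
fi
preview_members prod-dbserver01.example.com dbserver.example.com \
    web01.example.com dbserver.other.org
```

The preview lists only prod-dbserver01.example.com and dbserver.example.com; a hostname with "dbserver" outside the first label, or in another domain, is excluded by design.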