[Freeipa-users] [SSSD-users] Re: heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

Jakub Hrozek jhrozek at redhat.com
Mon Feb 1 08:23:07 UTC 2016


On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
> > the sssd's code that fetches sudo rules from the IPA server got an
> > overhaul recently. The search would no longer be performed against the
> > compat tree, but against IPA's native LDAP tree. This would have the
> > advantage that environments that don't use the slapi-nis' compat tree
> > for another reason (like old or non-Linux clients) would no longer
> > require slapi-nis to be running at all.
> 
> Frankly I don't understand this text. Especially I don't know what the terms
> "compat tree" and "IPA's native LDAP tree" really mean.

I'm sorry, I will try to rephrase.

If you add sudo rules to an IPA server using the "ipa sudorule"
commands, the LDAP objects are added to the cn=sudorules,cn=sudo,$DC tree
using a schema that is specific to IPA. The rule might look like this
one on my test server:
  dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
  cn: readfiles
  ipaenabledflag: TRUE
  externaluser: jsmith
  ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
  memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
  objectClass: ipasudorule
  objectClass: ipaassociation

However, the client side (both the LDAP connector that is built-in to
sudo itself and the SSSD) only understood the schema as defined by
http://linux.die.net/man/5/sudoers.ldap

Therefore, there is another subtree on the IPA server, rooted at
ou=sudoers,$DC. This subtree is often called the 'compat' tree, because
it was built with non-SSSD clients in mind. The objects are put into the
compat tree by the slapi-nis Directory Server plugin. The rule above would
be converted to:
  dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test
  sudoUser: jsmith
  objectClass: sudoRole
  objectClass: top
  sudoCommand: /usr/bin/less
  cn: readfiles

However, this auto-generation does not come for free and in some
environments, the slapi-nis plugin was causing substantial load on the
server side. So we added code to the sssd's ipa_provider to handle the
objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin
can be disabled.

The functionality of the ipa's sudo_provider should stay the same; it's
just that it's now able to process a different schema, and this change
allows the admin to disable the slapi-nis plugin (unless they need
another piece of its functionality, which is translating the user and
group objects into rfc2307 schema for legacy clients).

> 
> Does this only affect the IPA provider?

Yes.
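The schema translation described in the mail, written out as an added Python example (not sssd's or slapi-nis's code): it maps the ipasudorule entry quoted above to the sudoRole entry under ou=sudoers,$DC. The ipasudocmd entry behind the memberallowcmd DN is constructed, the memberuser handling goes beyond what the mail shows, and skipping disabled rules is an assumption.

```python
from collections import defaultdict
# The ipasudorule entry quoted in the mail plus a constructed ipasudocmd entry
# that its memberallowcmd DN points at (the sudocmd value is assumed).
IPA_RULE = """\
dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation
"""
IPA_CMD = """\
dn: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
sudocmd: /usr/bin/less
objectClass: ipasudocmd
"""

def parse_ldif(text):
    """Minimal LDIF reader: one entry, attribute names lower-cased, values listed."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
    return entry

def to_compat(rule, commands, base="dc=ipa,dc=test"):
    """Render one ipasudorule as a sudoRole entry under ou=sudoers,$DC.
    `commands` maps ipasudocmd DN -> command path. Disabled rules are skipped
    (assumption); an unresolved memberallowcmd DN raises instead of silently
    emitting a rule that lost a command."""
    if rule.get("ipaenabledflag") != ["TRUE"]:
        return None
    cn = rule["cn"][0]
    out = {"dn": [f"cn={cn},ou=sudoers,{base}"], "cn": [cn],
           "objectClass": ["sudoRole", "top"], "sudoCommand": []}
    out["sudoUser"] = list(rule.get("externaluser", []))
    for dn in rule.get("memberuser", []):  # uid=<user>,cn=users,cn=accounts,$DC
        out["sudoUser"].append(dn.split(",")[0].split("=", 1)[1])
    for dn in rule.get("memberallowcmd", []):
        if dn not in commands:
            raise KeyError(f"unresolved sudocmd DN in rule {cn}: {dn}")
        out["sudoCommand"].append(commands[dn])
    return out

def convert_example():
    cmd = parse_ldif(IPA_CMD)
    return to_compat(parse_ldif(IPA_RULE), {cmd["dn"][0]: cmd["sudocmd"][0]})
```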