[Freeipa-users] Wildcards in sudo external hostnames

Jakub Hrozek jhrozek at redhat.com
Fri Feb 19 08:58:44 UTC 2016


On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote:
> Hi,
> 
> I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema.

Why not sssd?

> 
> I'm thinking of moving sudo rules to IPA and with *ou=sudoers* and
> sudo-ldap this works.
> 
> In our setup we have a lot of rules with wildcard matching for sudo
> hostnames. For example webserver*, dbserver*, etc.
> 
> In the IPA UI, when I try to add the hostname with a wildcard (*) char I get
> an error from the UI: * is not an allowed char.
> 
> Looks like the UI is trying to validate the hostname using
> validate_dns_label in ipa/util.py and obviously * is not one of the allowed
> chars.
> 
> Taking a look at the documentation of sudo, wildcards are pretty widely
> used. More info here
> https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473
> 
> Other than editing the LDAP schema outside of IPA (this will work) what are
> the other options to solve this?

I guess hostgroups/netgroups are even better (more explicit) than
wildcards.
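To make the "more explicit" point concrete, here is an added example (not code from the thread, from FreeIPA or from sudo) that models the two approaches side by side. sudoers matches Host_List entries as shell-style globs, which Python's fnmatch approximates; the hostnames, the hostgroup name and the sudo rule name below are all constructed for the example. The glob reaches every enrolled host whose name happens to start with the prefix, while an IPA hostgroup applies the rule only to hosts someone deliberately added to it.

```python
"""Wildcard host matching (sudoers style) versus explicit IPA hostgroup membership.

Added example; hostnames, group and rule names are constructed.
"""
import fnmatch

# Constructed inventory of hosts enrolled in IPA. None of these exist.
ENROLLED_HOSTS = [
    "webserver01.example.test",
    "webserver02.example.test",
    "webserver-staging.example.test",   # never meant to receive the production rule
    "webservers-decoy.example.test",    # a host named so that it rides along a wildcard
    "dbserver01.example.test",
]

# Explicit hostgroup, as suggested in the reply: membership is enumerated,
# not derived from the hostname. In IPA this corresponds to (ipa CLI, not run here):
#   ipa hostgroup-add prod_webservers
#   ipa hostgroup-add-member prod_webservers \
#       --hosts=webserver01.example.test,webserver02.example.test
#   ipa sudorule-add restart_httpd
#   ipa sudorule-add-host restart_httpd --hostgroups=prod_webservers
HOSTGROUPS = {
    "prod_webservers": {"webserver01.example.test", "webserver02.example.test"},
}


def hosts_matching_wildcard(pattern, hosts):
    """Hosts a sudoers Host_List entry such as 'webserver*' would apply to.

    sudoers compares hostnames case-insensitively as globs; fnmatch with
    lower-cased operands approximates that behaviour.
    """
    return sorted(h for h in hosts if fnmatch.fnmatch(h.lower(), pattern.lower()))


def hosts_in_hostgroup(group, hostgroups):
    """Hosts a sudo rule bound to an IPA hostgroup applies to: exactly the members."""
    return sorted(hostgroups.get(group, set()))


def unintended_matches(pattern, group, hosts, hostgroups):
    """Hosts the wildcard rule reaches that are NOT in the intended hostgroup.

    A non-empty result is the gap between "hosts named like webservers" and
    "hosts we decided are production webservers".
    """
    wildcard = set(hosts_matching_wildcard(pattern, hosts))
    explicit = set(hosts_in_hostgroup(group, hostgroups))
    return sorted(wildcard - explicit)


if __name__ == "__main__":
    print("wildcard webserver* :", hosts_matching_wildcard("webserver*", ENROLLED_HOSTS))
    print("hostgroup           :", hosts_in_hostgroup("prod_webservers", HOSTGROUPS))
    print("reached by accident :",
          unintended_matches("webserver*", "prod_webservers", ENROLLED_HOSTS, HOSTGROUPS))
```

Run stand-alone, the script lists the staging and decoy hosts as reached by the wildcard but absent from the hostgroup; with the hostgroup, adding a new host to the rule is a deliberate `hostgroup-add-member`, not a side effect of how the host was named.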