[Freeipa-users] sudo rules are not active immediately

Pavel Březina pbrezina at redhat.com
Thu Feb 9 09:51:54 UTC 2017


On 02/08/2017 04:03 PM, Nathanaël Blanchet wrote:
>
>
> Le 08/02/2017 à 13:00, Pavel Březina a écrit :
>> On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
>>> Hello,
>>> on latest IPA, when adding a command to a rule or a sudo option for
>>> example, the change is not active on the user session.
>>> For example, after removing !authenticate option, I still can execute
>>> sudo commands without password.
>>> I tried to logout and relogin, but nothing changes, but on a new vm
>>> where I never logged in before it works.
>>> Is there a cache or something to do so as to commands to be immediately
>>> available?
>>>
>>
>> Hi,
>> sudo rules are cached on the client and refresh happens periodically.
>> We have several update mechanisms that deal with finding new rules,
>> deleting non-existent ones and updating expired ones, but it cannot be
>> performed on demand at the moment. We have a ticket for that [1].
>> Please see 'man sssd-sudo' to get a better understanding of how it works.
>>
> it's said that sssd-sudo has been created to be near to the local
> sudoers functioning. So I suppose the three described mechanisms are
> intended to converge to a near realtime rule change.
> It's true that waiting for an undefined time, rules become available...
> but is there an estimated time of availability? Is it rather 15min or
> one hour (I suppose beyond is not usable)
>> It is possible to expire cached rules with sss_cache. This won't find
>> you newly added rules but it will fetch updated rules and remove
>> deleted ones.
>>
>> [1] https://fedorahosted.org/sssd/ticket/2884

Depending on how often your environment changes, you can adjust sudo 
rule updates with the following options:

- entry_cache_sudo_timeout -- how long a cached rule is valid; when 
the timeout is exceeded the rule is updated from ldap

- ldap_sudo_smart_refresh_interval -- periodical update that fetches 
rules newly added or modified since the last lookup (uses the 
modifyTimestamp/entryUSN operational attribute to do so)

- ldap_sudo_full_refresh_interval -- periodical update that simply 
deletes current cached rules and downloads those stored in ldap
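To turn the three options above into the "how long until it shows up" answer asked for earlier in the thread, here is an added helper (not part of the original mail) that reads a domain section of sssd.conf and computes the upper bound, in seconds, before a new, modified or deleted rule becomes visible to sudo. The sssd.conf fragment is constructed for the example; the fallback defaults are those documented in sssd-ldap(5) and sssd.conf(5), and `entry_cache_sudo_timeout` inherits `entry_cache_timeout` when unset.

```python
import configparser

# Constructed sssd.conf fragment for the example (not from the thread)
SAMPLE_CONF = """
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
sudo_provider = ipa
ldap_sudo_smart_refresh_interval = 300
entry_cache_sudo_timeout = 600
"""

# Documented defaults: entry_cache_timeout 90 min, smart refresh 15 min,
# full refresh 6 h. entry_cache_sudo_timeout falls back to entry_cache_timeout.
DEFAULTS = {
    "entry_cache_timeout": 5400,
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}


def sudo_refresh_bounds(conf_text, domain):
    """Return worst-case seconds until each kind of rule change is visible."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]

    entry_cache = sec.getint("entry_cache_timeout",
                             fallback=DEFAULTS["entry_cache_timeout"])
    rule_ttl = sec.getint("entry_cache_sudo_timeout", fallback=entry_cache)
    smart = sec.getint("ldap_sudo_smart_refresh_interval",
                       fallback=DEFAULTS["ldap_sudo_smart_refresh_interval"])
    full = sec.getint("ldap_sudo_full_refresh_interval",
                      fallback=DEFAULTS["ldap_sudo_full_refresh_interval"])

    return {
        # brand-new rule: only found by smart (modifyTimestamp) or full refresh
        "new_rule": min(smart, full),
        # modified rule: per-rule expiry refresh or either periodic refresh
        "modified_rule": min(rule_ttl, smart, full),
        # deleted rule: expiry refresh of that rule, or the full refresh
        "deleted_rule": min(rule_ttl, full),
    }


if __name__ == "__main__":
    for kind, secs in sudo_refresh_bounds(SAMPLE_CONF, "example.test").items():
        print(f"{kind}: up to {secs // 60} min")
```

With the stock defaults the answer to "15 min or one hour?" is 15 minutes for new and modified rules and 90 minutes for a deletion that is never forced out with sss_cache.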



