<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I've been testing the sudo integration with IPA and I came across
some questions:<br>
<br>
1. When I disable or delete a sudo rule, it's not removed from the
ou=sudoers until I restart the directory server. Am I doing
something wrong? (389-ds-base-1.2.10.2-20.el6_3.x86_64,
slapi-nis-0.40-1.el6.x86_64)<br>
<br>
2. Perhaps the documentation should mention creating a rule called
"defaults" to put default options for all sudo rules in. Or even
better having one created by default with a fresh IPA installation.
It took me a few seconds to figure out where to put default options
for all sudo rules.<br>
<br>
3. sudo integration with SSSD does not work when anonymous LDAP
authentication is disabled at the server. Enabling verbose logging
in SSSD seems to suggest that it's attempting anonymous auth only.
(sssd-1.8.4-14.fc17.x86_64)<br>
<br>
4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'")
makes sudo display these options as errors when sudo debugging is
enabled (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):<br>
sudo: unknown defaults entry `env_keep '<br>
<br>
5. It would be great to have a set of sudo commands and a set of
sudo command groups installed by default. <br>
<br>
6. Adding a sudo command having multiple commands listed (such as:
"/sbin/route, /sbin/ifconfig, /bin/ping") is allowed in IPA and does list it
correctly as allowed commands when doing "sudo -l", however
attempting to execute one of the commands in the list using sudo
fails.<br>
<br>
I did my testing with IPA server 2.2 in CentOS 6.3.<br>
<br>
<br>
<br>
Regards,<br>
Siggi<br>
<br>
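A lint for the patterns reported in items 4 and 6, as an added example that is not part of the original message: it scans an LDIF export of sudo rules for sudoOption values with whitespace around the operator and for single sudoCommand values that pack several comma-separated paths. The sample LDIF, its DNs (dc=example,dc=com) and the function names are constructed for illustration; the comma check is a heuristic.<br>

```python
import re

# Constructed sample: LDIF-style entries as they might appear under ou=sudoers.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=com
sudoOption: env_keep = 'ENV_VAR'
sudoOption: !authenticate

dn: cn=netadmin,ou=sudoers,dc=example,dc=com
sudoCommand: /sbin/route, /sbin/ifconfig, /bin/ping
sudoCommand: /sbin/iptables
"""

OPTION_RE = re.compile(r"^(!?\w+)(\s*)(\+=|-=|=)(\s*)(.*)$")  # name, op, value
MULTI_CMD_RE = re.compile(r",\s*(?=/)")  # comma followed by an absolute path


def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry; base64 values are not decoded."""
    unfolded = re.sub(r"\n ", "", text)  # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.append((name.strip(), value.strip()))
        dn = next((v for a, v in attrs if a.lower() == "dn"), "")
        yield dn, attrs


def lint_sudoers(text):
    """Return (dn, issue, original value, suggested replacement values)."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, value in attrs:
            if name.lower() == "sudooption":
                m = OPTION_RE.match(value)
                if m and (m.group(2) or m.group(4)):
                    fixed = m.group(1) + m.group(3) + m.group(5)
                    findings.append((dn, "option-whitespace", value, [fixed]))
            elif name.lower() == "sudocommand":
                parts = MULTI_CMD_RE.split(value)
                if len(parts) > 1:  # suggest one sudoCommand value per path
                    findings.append((dn, "multi-command", value, parts))
    return findings


if __name__ == "__main__":
    for finding in lint_sudoers(SAMPLE_LDIF):
        print(finding)
```
<br>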
</body>
</html>