<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Not using SSSD because Amazon Linux does not support samba libraries required to compile it. </div></div><div class="gmail_extra"> <div class="gmail_quote">On 19 February 2016 at 14:28, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote: > Hi, > > I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema. Why not sssd? > > I'm thinking of moving sudo rules to IPA and with *ou=sudoers* and > sudo-ldap this works. > > In our setup we have lot of rules with wildcard matching for sudo > hostnames. For ex webserver*, dbserver* etc. > > In the IPA UI, when I try to add the hostname with wildcard (*) char I get > an error from UI. * is not allowed char. > > Looks like the UI is trying to validate the hostname using > validate_dns_label in ipa/util.py and obviously * is not one of the allowed > chars. > > Taking a look at the documentation of sudo, wildcards are pretty widely > used. More info here > <a href="https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473" rel="noreferrer" target="_blank">https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473</a> > > Other than editing the LDAP schema outside of IPA (this will work) what are > the other options to solve this ? I guess hostgroups/netgroups are even better (more explicit) than wildcards. -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div>