Andrew Meyer wrote:
What would the equivalent of Cmnd_Alias DEVS be? Is that somewhere in the documentation? I was also trying to find something to convert my sudoers to what it would be in IPA commands.
For Cmnd_Alias I'm not sure if it is supported or documented. IPA just uses the standard sudo LDAP schema so you could start with the sudoers.ldap man page I guess. I don't recall a specific option in IPA sudocmd to do that though, but I've been out of the game for a while.
I'm 99% sure there is no sudoers -> IPA conversion script. It's certainly a nice-to-have but it'd probably be death by a thousand cuts to try to implement such a thing and be useful for more than 80% of users.
rob
On Thursday, November 2, 2017 4:02 PM, Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Andrew Meyer via FreeIPA-users wrote:
In preparation for a migration I am trying to set up sudoers within FreeIPA. I have about a dozen people that will need to sudo to another user and run commands. However I want to add all the commands for that user into my rule.
Would this be best practice to add ALL the commands into 1 rule? Or should I do a sudocmdgroup?
Up to you but that's what the groups were made for: to combine a common set of commands together to make management easier. Seems to fit well.
ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
Would I just put a comma after each command? Or should I do this all individually and add all the commands to a cmd group?
Try: --sudocmds={"/usr/bin/vim","cat /etc/passwd",...}
Bash will expand it.
I'd use a group though so you can make one change and affect any/all rules.
rob
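The command-group approach recommended in the thread, as an added example that is not part of the original messages: a dry-run generator that prints the `ipa` commands for putting a list of commands into one sudo command group and allowing that group in a rule. The rule name `files-commands` is the one from the thread; the group name `files-cmds`, the helper function names and the sample command list are constructed for illustration.

```sh
#!/bin/sh
# Dry-run only: prints ipa commands for review, never contacts an IPA server.

# Single-quote a string so the printed line can be pasted into a shell
# unchanged, even when the sudo command contains spaces or quotes.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# gen_sudo_group RULE GROUP CMD...
# Prints, in order: one sudocmd-add per command, the group creation,
# the group membership, and the single rule change that allows the group.
gen_sudo_group() {
    rule=$1
    group=$2
    shift 2
    members=
    for cmd in "$@"; do
        # Each distinct command line is its own sudocmd object in IPA.
        printf 'ipa sudocmd-add %s\n' "$(shquote "$cmd")"
        # --sudocmds is repeated once per member, which is also what
        # bash brace expansion of --sudocmds={"a","b"} produces.
        members="$members --sudocmds=$(shquote "$cmd")"
    done
    printf 'ipa sudocmdgroup-add %s\n' "$(shquote "$group")"
    printf 'ipa sudocmdgroup-add-member%s %s\n' "$members" "$(shquote "$group")"
    # The rule references the group, so later edits to the group's
    # membership apply to every rule that allows it.
    printf 'ipa sudorule-add-allow-command --sudocmdgroups=%s %s\n' \
        "$(shquote "$group")" "$(shquote "$rule")"
}

# Constructed sample input: two commands for the thread's files-commands rule.
gen_sudo_group files-commands files-cmds \
    /usr/bin/vim "/usr/bin/cat /etc/passwd"
```

Review the printed lines, then run them from a shell holding a valid admin Kerberos ticket.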