URL: https://github.com/SSSD/sssd/pull/138
Author: justin-stephenson
Title: #138: IPA: Skip conflict entries associated with sudo rules
Action: opened
PR body:
"""
SSSD retrieves sudo rule information from the IPA LDAP tree. Conflict entries will cause
problems for SSSD and disallow sudo access when SSSD code is parsing entries associated
with sudo rules. This PR sets a skip_entry boolean when it is appropriate and skips over
these conflict entries.
Ticket:
https://fedorahosted.org/sssd/ticket/3288
Reproducer steps: Create a host conflict entry and associate it with a sudo rule that is
assigned to certain hosts, then attempt to sudo as an IDM user. I had some difficulty attempting
to force replication issues causing the creation of a conflict entry; the manual
ldapmodify steps below will also work:
- Retrieve the DN of the sudoRule
```
# ipa sudorule-find --all --raw | grep 'dn: '
dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
```
- Run ldapmodify similar to below
```
dn: ipaUniqueID=e9025c46-ddab-11e6-9096-525400af7498,cn=sudorules,cn=sudo,dc=jstephen,dc=local
changetype: modify
add: memberHost
memberHost: fqdn=testhost.jstephen.local+nsuniqueid=cb3d7383-ddb511e6-8c9996c1-71a1e36a,cn=computers,cn=accounts,dc=jstephen,dc=local
```
"""
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/138/head:pr138
git checkout pr138
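
An added illustration, not code from this PR or from SSSD: one way to recognize a conflict entry by the `+nsuniqueid=` component in its leading RDN, as in the memberHost value of the reproducer, and to skip such members. The function names are hypothetical, and the check assumes conflict DNs always have the `attr=value+nsuniqueid=...` form shown above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <strings.h>

/* Hypothetical helper, not SSSD code. Returns true when the leading RDN of
 * dn is multi-valued and carries an nsuniqueid component, the form of the
 * reproducer's conflict memberHost value. Assumes nsuniqueid is never the
 * first component of that RDN. */
bool dn_is_conflict_entry(const char *dn)
{
    static const char attr[] = "nsuniqueid=";

    if (dn == NULL) {
        return false;
    }
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\') {
            /* Escaped character: "\+" and "\," are data, not separators. */
            if (p[1] == '\0') {
                break;
            }
            p++;
        } else if (*p == ',') {
            break; /* end of the leading RDN; parent RDNs are not inspected */
        } else if (*p == '+') {
            const char *q = p + 1;
            while (*q == ' ') q++; /* tolerate spaces around '+' */
            if (strncasecmp(q, attr, sizeof(attr) - 1) == 0) {
                return true;
            }
        }
    }
    return false;
}

/* Count the member DNs a caller keeps after skipping conflict entries. */
size_t count_usable_members(const char *const *dns, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (dns[i] != NULL && !dn_is_conflict_entry(dns[i])) {
            kept++;
        }
    }
    return kept;
}
```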