On (28/02/14 10:21), Sumit Bose wrote:
On Thu, Feb 27, 2014 at 05:18:26PM +0100, Jakub Hrozek wrote:
> On Thu, Feb 27, 2014 at 01:59:57PM +0100, Pavel Březina wrote:
> > On 02/26/2014 01:54 PM, Sumit Bose wrote:
> > >Hi,
> > >
> > >this patch provides the AD sudo provider and is "inspired" by Lukas'
> > >"SUDO: IPA provider" patch.
> > >
> > >I do not have an AD setup with sudo rules. It would be nice if someone
> > >with such setup can run some basic test otherwise I can/have to do some
> > >additional testing.
> > >
> > >Patches for master and 1.11 are attached.
> > >
> > >bye,
> > >Sumit
> >
> > Hi,
> >
> > <nitpick>
> > - 'ad': ['id', 'auth', 'access', 'chpass'],
> > + 'ad': ['id', 'auth', 'access', 'chpass', 'sudo', 'subdomains'],
> >
> > subdomains should be added in separate patch
> > </nitpick>
> >
> > code-wise ack. I will try to update ad schema and test it.
>
> The patch works fine! ACK from my side, I'll leave it up to you whether
> you'd like to split the patch into two or not.
Sure, new version attached.
>
> For future reference, if you want to amend the schema, you need to copy
> the AD schema file (/usr/share/doc/sudo/schema.ActiveDirectory) from sudo
>
> Then load it on AD:
> ldifde -i -f schema.ActiveDirectory -c dc=X dc=DOMAINNAME,dc=LOCAL
>
> Then just add the records. I admit I was lazy and just added the
> sudoRole objects to the same subtree as users but that doesn't matter as
> SSSD uses the top level base anyway:
> (Thu Feb 27 17:03:12 2014) [sssd[be[WIN.EXAMPLE.COM]]]
> [common_parse_search_base] (0x0100): Search base added:
> [SUDO][DC=WIN,DC=EXAMPLE,DC=COM][SUBTREE][]
>
> To add the records, I used "ADSI Edit". Just right-click the container,
> select "New->Object" and then you should see sudoRole in the list of
> objectClasses. The name of the user must be non-qualified, so from the
> following rule:
>
> dn: CN=lessrule,CN=Users,DC=WIN,DC=EXAMPLE,DC=COM
> objectClass: top
> objectClass: sudoRole
> cn: lessrule
> distinguishedName: CN=lessrule,CN=Users,DC=WIN,DC=EXAMPLE,DC=COM
> instanceType: 4
> whenCreated: 20140226161739.0Z
> whenChanged: 20140226163320.0Z
> uSNCreated: 274759
> uSNChanged: 274760
> name: lessrule
> objectGUID:: Q44OphStKUaZOkDR9eBs7A==
> objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=WIN,DC=EXAMPLE,DC=COM
> dSCorePropagationData: 16010101000000.0Z
> sudoHost: ALL
> sudoCommand: /usr/bin/less
> sudoUser: tuser@win.example.com
> sudoUser: Administrator
>
> Only Administrator worked. So I suspect that in order to support users
> from trusted domains, you'd have to make them a member of a group and then
> allow the rule for the group. But this is mostly academic as this
> problem is present also with sudo using the 'built-in' LDAP support and
> not SSSD.
Thanks for the instructions.
bye,
Sumit
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
From 79514e61046a5fc184c8552103e02293573fb0df Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2014 10:04:08 +0100
Subject: [PATCH 1/2] config API: add missing subdomain target to AD provider test
---
src/config/SSSDConfigTest.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 7cfbddc..47e9e75 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -731,7 +731,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
control_provider_dict = {
'ipa': ['id', 'auth', 'access',
'chpass', 'sudo', 'autofs',
'session', 'hostid', 'subdomains'],
- 'ad': ['id', 'auth', 'access',
'chpass'],
+ 'ad': ['id', 'auth', 'access',
'chpass', 'subdomains'],
'local': ['id', 'auth', 'chpass'],
'ldap': ['id', 'auth', 'access',
'chpass', 'sudo', 'autofs'],
'krb5': ['auth', 'access', 'chpass'],
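Review bot: the hunk changes only the expected target list for 'ad' in control_provider_dict, while the diffstat shows no change to the AD config API description (sssd-ad.conf); confirm that 'subdomains' is already listed there, otherwise the test now asserts a list the API file does not provide. Leaving 'sudo' out of this hunk matches the split requested in the thread; the sudo target then belongs in patch 2/2 together with its sssd-ad.conf change.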
--
1.8.3.1
From 591d2a10b7d21c6381a0dfa4c92f2ef1949ad099 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 28 Feb 2014 10:05:34 +0100
Subject: [PATCH 2/2] SUDO: AD provider

This patch adds the sudo target to the AD provider. The main reason is
to cover different default settings in the LDAP and AD provider. E.g.
the default for ldap_id_mapping is True in the AD provider and False
in the LDAP provider. If ldap_id_mapping was not set explicitly in the
config file both components worked with different settings.

Fixes https://fedorahosted.org/sssd/ticket/2256
---
Makefile.am | 5 +++++
src/config/SSSDConfigTest.py | 2 +-
src/config/etc/sssd.api.d/sssd-ad.conf | 21 +++++++++++++++++++++
src/man/sssd-ad.5.xml | 6 +++---
src/man/sssd.conf.5.xml | 15 ++++++++++++---
src/providers/ad/ad_common.h | 4 ++++
src/providers/ad/ad_init.c | 25 +++++++++++++++++++++++++
7 files changed, 71 insertions(+), 7 deletions(-)
I think you forgot to include file src/providers/ad/ad_sudo.c
into this version.
LS
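As an added example that is not part of this thread or of the SSSD project's code: a small Python audit that parses sudoRole entries from an LDIF export (the format Jakub quoted above, as produced by AD tooling) and reports two things a defender reviewing AD-hosted sudo rules wants to see. First, sudoUser values written in the qualified user@domain form, which in Jakub's test did not match (only the non-qualified Administrator worked). Second, rules that combine sudoHost ALL with sudoCommand ALL, or that carry a !authenticate option. The sample LDIF is constructed: the first entry mirrors the shape of the lessrule entry quoted in the thread (with the address written as a plain `@`), while the second rule, its `%Domain Admins` and `!authenticate` values, and the helper names `parse_ldif` and `audit_sudo_roles` are my own and not from the page.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread): 'lessrule' mirrors the
# quoted rule's shape, 'anyrule' is a deliberately over-broad rule, and
# 'tuser' is a non-sudoRole entry the audit must skip.
SAMPLE_LDIF = """\
dn: CN=lessrule,CN=Users,DC=WIN,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: sudoRole
cn: lessrule
objectGUID:: Q44OphStKUaZOkDR9eBs7A==
sudoHost: ALL
sudoCommand: /usr/bin/less
sudoUser: tuser@win.example.com
sudoUser: Administrator

dn: CN=anyrule,CN=Users,DC=WIN,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: sudoRole
cn: anyrule
sudoHost: ALL
sudoCommand: ALL
sudoUser: %Domain Admins
sudoOption: !authenticate

dn: CN=tuser,CN=Users,DC=WIN,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: user
cn: tuser
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries.

    Each entry maps a lower-cased attribute name to the list of its values
    (LDIF attributes may repeat, e.g. several sudoUser lines). Handles
    '::' base64-encoded values and continuation lines that begin with a
    single space. Entries are separated by blank lines."""
    # Unfold continuation lines first: a leading space joins the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    current = None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            # 'attr:: <base64>' form; binary values (objectGUID) decode lossily.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value)
    if current:
        entries.append(current)
    return entries


def audit_sudo_roles(entries):
    """Return (rule cn, finding) tuples for every sudoRole entry."""
    findings = []
    for entry in entries:
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "sudorole" not in classes:
            continue
        cn = entry.get("cn", ["?"])[0]
        for user in entry.get("sudouser", []):
            # The thread's observation: only the non-qualified name matched;
            # a user@domain value for a trusted-domain user did not.
            if "@" in user:
                findings.append((cn, "sudoUser '%s' is domain-qualified; "
                                     "only the non-qualified form matched in the thread's test" % user))
        hosts = {h.upper() for h in entry.get("sudohost", [])}
        commands = {c.upper() for c in entry.get("sudocommand", [])}
        if "ALL" in hosts and "ALL" in commands:
            findings.append((cn, "grants ALL commands on ALL hosts"))
        for option in entry.get("sudooption", []):
            if option.strip().lower() == "!authenticate":
                findings.append((cn, "disables password prompting (!authenticate)"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit_sudo_roles(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (rule, finding))
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; the search base SSSD logs for SUDO (the top-level domain base in the thread) is what the export should cover, since rules placed under CN=Users or any other container are found either way.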