I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this in sssd.conf

[sudo]
debug_level = 0x3ff0

[domain/LDAP]
debug_level = 0x02F0
...
sudo_provider = ldap
ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see it is doing an ldapsearch like this in the sssd_sudo.log

(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if the search were like this

(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
Cheers,
John
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
--
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
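Added example (my own code, not from this thread or from the SSSD project), illustrating the point John makes above: SSSD's sudo provider copies LDAP objects of the class named by ldap_sudorule_object_class into its cache under its own objectClass sudoRule, and the sudo responder then answers with the (&(objectClass=sudoRule)(|(sudoUser=...)...)) filter quoted from sssd_sudo.log. Pointing ldap_sudorule_object_class at a person class therefore pulls in entries that carry no sudoUser/sudoHost/sudoCommand attributes, and the responder returns 0 rules; only real sudoRole objects (sudoers.ldap schema) produce matches. The two-step model is a simplification of SSSD's behaviour, and the DNs, attributes, uid and group memberships below are constructed for illustration. Netgroup (+name) entries are fetched by SSSD via (sudoUser=+*) and resolved separately; the model does not resolve them.

```python
# Added example, not SSSD code. Models the two steps SSSD's sudo provider
# takes: (1) fetch rule objects from LDAP by ldap_sudorule_object_class into
# the sysdb cache under objectClass "sudoRule", (2) answer the responder's
# (&(objectClass=sudoRule)(|(sudoUser=...)...)) query from that cache.
# All directory entries, DNs, uids and group names are constructed.

SYSDB_RULE_CLASS = "sudoRule"  # objectClass seen in the quoted cache filter

# Constructed directory content: a person object of the kind the poster's
# directory holds (class mnetperson) and one proper sudoRole object as
# described in sudoers.ldap(5).
DIRECTORY = [
    {
        "dn": "uid=iqbala,ou=People,dc=example,dc=com",
        "objectClass": ["top", "person", "mnetperson"],
        "uid": ["iqbala"],
        "uidNumber": ["408462"],
    },
    {
        "dn": "cn=admins,ou=SUDOers,dc=example,dc=com",
        "objectClass": ["top", "sudoRole"],
        "cn": ["admins"],
        "sudoUser": ["%wheel"],
        "sudoHost": ["ALL"],
        "sudoCommand": ["ALL"],
    },
]


def fetch_rules_to_cache(directory, ldap_sudorule_object_class):
    """Step 1: copy every LDAP object of the configured rule class into the
    cache, relabelled with SSSD's internal sudoRule class. Only sudo*
    attributes are carried over, mirroring the rule attribute map."""
    cache = []
    for entry in directory:
        if ldap_sudorule_object_class not in entry["objectClass"]:
            continue
        cached = {"dn": entry["dn"], "objectClass": [SYSDB_RULE_CLASS]}
        for attr, values in entry.items():
            if attr.startswith("sudo"):
                cached[attr] = list(values)
        cache.append(cached)
    return cache


def sudo_user_value_matches(value, user, uid, groups):
    """sudoUser semantics from sudoers.ldap(5): ALL, a user name, #uid or
    %group. +netgroup values are not resolved in this model."""
    if value in ("ALL", user):
        return True
    if value.startswith("#"):
        return value[1:] == str(uid)
    if value.startswith("%"):
        return value[1:] in groups
    return False


def rules_for_user(cache, user, uid, groups):
    """Step 2: the responder's query over the cache. Returns the DNs of
    entries whose objectClass is sudoRule and whose sudoUser matches."""
    matched = []
    for entry in cache:
        if SYSDB_RULE_CLASS not in entry["objectClass"]:
            continue
        if any(sudo_user_value_matches(v, user, uid, groups)
               for v in entry.get("sudoUser", [])):
            matched.append(entry["dn"])
    return matched


def rule_count(ldap_sudorule_object_class, user="iqbala", uid=408462,
               groups=("iqbala", "wheel")):
    """Run both steps for one ldap_sudorule_object_class value and return
    how many rules the responder would hand to sudo for this user."""
    cache = fetch_rules_to_cache(DIRECTORY, ldap_sudorule_object_class)
    return len(rules_for_user(cache, user, uid, groups))


if __name__ == "__main__":
    # The poster's setting: person objects become "rules" but carry no
    # sudoUser/sudoHost/sudoCommand, so the responder returns 0 rules.
    print("mnetperson as rule class:", rule_count("mnetperson"))  # 0
    # A directory that actually holds sudoRole objects returns the rule.
    print("sudoRole as rule class:  ", rule_count("sudoRole"))    # 1
```

Run it as-is; the first line mirrors the "Returning 0 rules" log entry in the thread, the second shows what changes once the directory contains sudoRole objects and ldap_sudo_search_base points at them.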