[SSSD-users] Re: heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote: I'm sorry, I will try to rephrase. If you add sudo rules to an IPA server using the "ipa sudorule" commands, the LDAP objects are added to cn=sudorules,cn=sudo,$DC tree in using a schema that is specific to IPA. The rule might look like this one on my test server: dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test cn: readfiles ipaenabledflag: TRUE externaluser: jsmith ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811 memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test objectClass: ipasudorule objectClass: ipaassociation However, the client side (both the LDAP connector that is built-in to sudo itself and the SSSD) only understood the schema as defined by http://linux.die.net/man/5/sudoers.ldap Therefore, there is a another subtree on the IPA server, rooted at ou=sudoers,$DC. This subtree is often called the 'compat' tree, because in was built with non-SSSD clients in mind. The objects are put into the compat tree by the slapi-nis Directory Server plugin. The rule above would be converted to: dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test sudoUser: jsmith objectClass: sudoRole objectClass: top sudoCommand: /usr/bin/less cn: readfiles However, this auto-generation does not come for free and in some environments, the slapi-nis plugin was causing substantial load on the server side. So we added code to the sssd's ipa_provider to handle the objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin can be disabled. The functionality of the ipa's sudo_provider should stay the same, it's just that it's now able to process a different schema and this change allows the admin to disable the slapi-nis plugin (unless they need another piece of its functionality, which is translating the user and group objects into rfc2307 schema for legacy clients..) Yes.