On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
> > the sssd's code that fetches sudo rules from the IPA server got an
> > overhaul recently. The search would no longer be performed against the
> > compat tree, but against IPA's native LDAP tree. This would have the
> > advantage that environments that don't use the slapi-nis' compat tree
> > for another reason (like old or non-Linux clients) would no longer
> > require slapi-nis to be running at all.
>
> Frankly I don't understand this text. Especially I don't know what the terms
> "compat tree" and "IPA's native LDAP tree" really mean.
I'm sorry, I will try to rephrase.
If you add sudo rules to an IPA server using the "ipa sudorule"
commands, the LDAP objects are added to the cn=sudorules,cn=sudo,$DC tree
using a schema that is specific to IPA. The rule might look like this
one on my test server:
However, the client side (both the LDAP connector that is built into
sudo itself and the SSSD) only understood the schema as defined by
Therefore, there is another subtree on the IPA server, rooted at
ou=sudoers,$DC. This subtree is often called the 'compat' tree, because
it was built with non-SSSD clients in mind. The objects are put into the
compat tree by the slapi-nis Directory Server plugin. The rule above would
be converted to:
However, this auto-generation does not come for free and in some
environments, the slapi-nis plugin was causing substantial load on the
server side. So we added code to the sssd's ipa_provider to handle the
objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin
can be disabled.
The functionality of the ipa's sudo_provider should stay the same; it's
just that it's now able to process a different schema, and this change
allows the admin to disable the slapi-nis plugin (unless they need
another piece of its functionality, which is translating the user and
group objects into RFC 2307 schema for legacy clients).
> Does this only affect the IPA provider?
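The native-to-compat translation described above (an entry under cn=sudorules,cn=sudo,$DC rendered as a sudoRole under ou=sudoers,$DC), as an added example that is not part of the original thread and not slapi-nis code: the entries are constructed, attribute names follow the IPA and sudoers LDAP schemas, and the "all" category handling and group prefixes (%group, +hostgroup) are the conventional sudoers mapping, not taken from the post.

```python
# Constructed sample entries (not those from the list post); attribute names follow
# the IPA ipasudorule/ipasudocmd schema and the sudoers schema used by the compat tree.
SUFFIX = "dc=example,dc=com"
IPA_SUDOCMDS = {  # DN of each ipasudocmd object -> its sudoCmd value
    f"ipaUniqueID=cmd-1,cn=sudocmds,cn=sudo,{SUFFIX}": "/usr/sbin/service",
    f"ipaUniqueID=cmd-2,cn=sudocmds,cn=sudo,{SUFFIX}": "/usr/bin/passwd root",
}
IPA_RULE = {  # one entry under cn=sudorules,cn=sudo,$DC
    "cn": ["allow_services"],
    "ipaEnabledFlag": ["TRUE"],
    "memberUser": [f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
                   f"cn=ops,cn=groups,cn=accounts,{SUFFIX}"],
    "hostCategory": ["all"],
    "memberAllowCmd": [f"ipaUniqueID=cmd-1,cn=sudocmds,cn=sudo,{SUFFIX}"],
    "memberDenyCmd": [f"ipaUniqueID=cmd-2,cn=sudocmds,cn=sudo,{SUFFIX}"],
    "ipaSudoRunAsUserCategory": ["all"],
    "ipaSudoOpt": ["!authenticate"],
}

def members(rule, category_attr, member_attr, group_prefix):
    """Expand a category/member attribute pair into sudoers-style names ("all" wins)."""
    if rule.get(category_attr, [""])[0].lower() == "all":
        return ["ALL"]
    out = []
    for dn in rule.get(member_attr, []):
        name = dn.split(",", 1)[0].split("=", 1)[1]  # value of the first RDN
        # uid=/fqdn= members become bare names; cn= members are groups and get the
        # sudoers prefix (%group for user groups, +netgroup for IPA hostgroups)
        out.append(group_prefix + name if dn.startswith("cn=") else name)
    return out

def to_compat(rule, sudocmds):
    """Render an IPA-native rule as the sudoRole entry the compat tree exposes."""
    if rule.get("ipaEnabledFlag", ["FALSE"])[0].upper() != "TRUE":
        return None  # disabled rules get no compat object at all
    if rule.get("cmdCategory", [""])[0].lower() == "all":
        cmds = ["ALL"]
    else:  # command DNs are dereferenced; denied commands get sudoers' "!" prefix
        cmds = [sudocmds[dn] for dn in rule.get("memberAllowCmd", [])]
        cmds += ["!" + sudocmds[dn] for dn in rule.get("memberDenyCmd", [])]
    return {
        "dn": f"cn={rule['cn'][0]},ou=sudoers,{SUFFIX}",
        "objectClass": ["sudoRole"],
        "cn": rule["cn"],
        "sudoUser": members(rule, "userCategory", "memberUser", "%"),
        "sudoHost": members(rule, "hostCategory", "memberHost", "+"),
        "sudoCommand": cmds,
        "sudoRunAsUser": members(rule, "ipaSudoRunAsUserCategory", "ipaSudoRunAs", "%"),
        "sudoOption": rule.get("ipaSudoOpt", []),
    }
```

Reading the native tree directly, as the reworked ipa_provider does, means the client has to perform this dereferencing of command and member DNs itself instead of receiving the flattened sudoRole from slapi-nis.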