On 13 October 2017 at 19:28, Asif Iqbal wrote:
> Hi All
>
> I have this is sssd.conf
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP]
> debug_level = 0x02F0
> ...
> sudo_provider = ldap
> ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com The search it's doing is to retrieve sudo rule objects from the
> ldap_sudorule_object_class = mnetperson
>
> user can login OK with ldap, but sudo is failing
>
> I see the it is doing a ldapsearch like this in the sssd_sudo.log
>
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala) (sudoUser=#408462)(sudoUser=% iqbala)(sudoUser=+*)))]
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [iqbala@LDAP]
>
> It would have worked if search were like this
>
> (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)( uid=iqbala)(sudoUser=#408462)( sudoUser=%iqbala)(sudoUser=+*) ))
>
> How do I change the config to search like above?
directory, as defined in e.g.
https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
Cheers,
John
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org