re: https://lists.fedorahosted.org/pipermail/sssd-users/2014-July/001891.html <snip>
OK, I take back all that I said over on the samba list, sssd does not pull the sudo rules from AD
I have just spent two hours trying to get sssd to get the sudo rules from AD on my netbook that I have just installed Linux Mint mate 17 on, to no effect.
after upping sssd debug to 9, I found this search in sssd_example.com.log:
(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=netbook)(sudoHost=netbook.example.com)(sudoHost=192.168.0.229)(sudoHost=192.168.0.0/24)(sudoHost=fe80::1e4b:d6ff:fec0:e307)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*?*)(sudoHost=***)(sudoHost=*[*]*))))
If I try to search with this via ldbsearch, it does not work, all I get is this:
allocating request failed: Unable to parse search expression
If I remove one small part, it does work and displays the sudo roles
So, what does this do?
(sudoHost=***)
I'm not sure what this search is supposed to do. What is the intention of this? If it is to search for any sudoHost value with a literal asterisk "*" character in it, then the search filter syntax is wrong. According to http://tools.ietf.org/html/rfc4515, if you want to use a "*" in a search filter, it must be escaped like this: \2A, so the search filter would be (sudoHost=*\2A*)
because I can only get the search to work without it
Rowland