[SSSD-users] Re: sudo does not work with SSSD

2017-10-17 Thread Asif Iqbal
On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik 
wrote:

> On (16/10/17 15:16), Asif Iqbal wrote:
> >On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal  wrote:
> >
> >>
> >> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <
> dancorrig...@gmail.com>
> >> wrote:
> >>
> >>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> >>> rules must follow a proper schema in order to be valid.
> >>>
> >>
> >> I suppose I will just use local/proxy->local with sudo since IT won't
> >> add a sudo schema.
> >>
> >> Appreciate the pointer!
> >>
> >>
> >I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
> >works perfectly.
> >
> >So it looks like sudo login with an LDAP password works with pam_ldap.so and
> >nslcd, but sssd needs an LDAP sudo schema.
> >
> >So if one does not have access to the LDAP server, pam_ldap + nslcd is the
> >only way to make it work, since sssd won't work there.
> >
> >Did I evaluate it right, or is there a workaround for sssd to work as
> >well?
> >
>
> If nss-pam-ldapd is able to provide rules from the LDAP server then sssd
> is able to provide them as well. And no changes are required on the
> LDAP server.
>

This worked when I got rid of ldap_sudo* from the config, just used the
sudoers file, and made sure the uid is in the local wheel group.

Appreciate your help!



>
> Which distribution do you use? Is sudo compiled there with sssd support,
> or just with ldap?
>sudo -V | grep sss
>
> Is nsswitch configured properly with sss?
>grep sudoers /etc/nsswitch.conf
>
> @see also
> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
>
> LS
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: sudo does not work with SSSD

2017-10-16 Thread Michael Ströder
Asif Iqbal wrote:
> Can I use sssd instead of nss-pam-ldapd for sudo authentication
> only and use the local sudoers file for rules?
Yes.

Ciao, Michael.





[SSSD-users] Re: sudo does not work with SSSD

2017-10-16 Thread Asif Iqbal
On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik 
wrote:

> On (16/10/17 15:16), Asif Iqbal wrote:
> >On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal  wrote:
> >
> >>
> >> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <
> dancorrig...@gmail.com>
> >> wrote:
> >>
> >>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> >>> rules must follow a proper schema in order to be valid.
> >>>
> >>
> >> I suppose I will just use local/proxy->local with sudo since IT won't
> >> add a sudo schema.
> >>
> >> Appreciate the pointer!
> >>
> >>
> >I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
> >works perfectly.
> >
> >So it looks like sudo login with an LDAP password works with pam_ldap.so and
> >nslcd, but sssd needs an LDAP sudo schema.
> >
> >So if one does not have access to the LDAP server, pam_ldap + nslcd is the
> >only way to make it work, since sssd won't work there.
> >
> >Did I evaluate it right, or is there a workaround for sssd to work as
> >well?
> >
>
> If nss-pam-ldapd is able to provide rules from the LDAP server then sssd
> is able to provide them as well. And no changes are required on the
>

I am using nss-pam-ldapd for sudo authentication only. I am using the local
sudoers file for rules.

Can I use sssd instead of nss-pam-ldapd for sudo authentication only and
use the local sudoers file for rules?



> LDAP server.
>
> Which distribution do you use? Is sudo compiled there with sssd support,
> or just with ldap?
>sudo -V | grep sss
>
>
Here is the sudo -V output; I am using CentOS 7 in this case.

http://dpaste.com/27GVJTC.txt



> Is nsswitch configured properly with sss?
>grep sudoers /etc/nsswitch.conf
>
>
[root@localhost vagrant]# grep sudoers /etc/nsswitch.conf
sudoers files sss

> @see also
> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html


I will follow that when I am at work tomorrow. I can access the corporate LDAP
server only from work.

Thanks for your help


>
> LS
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[SSSD-users] Re: sudo does not work with SSSD

2017-10-16 Thread Lukas Slebodnik
On (16/10/17 15:16), Asif Iqbal wrote:
>On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal  wrote:
>
>>
>> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan 
>> wrote:
>>
>>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
>>> rules must follow a proper schema in order to be valid.
>>>
>>
>> I suppose I will just use local/proxy->local with sudo since IT won't add a
>> sudo schema.
>>
>> Appreciate the pointer!
>>
>>
>I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
>works perfectly.
>
>So it looks like sudo login with an LDAP password works with pam_ldap.so and
>nslcd, but sssd needs an LDAP sudo schema.
>
>So if one does not have access to the LDAP server, pam_ldap + nslcd is the
>only way to make it work, since sssd won't work there.
>
>Did I evaluate it right, or is there a workaround for sssd to work as
>well?
>

If nss-pam-ldapd is able to provide rules from the LDAP server then sssd
is able to provide them as well. And no changes are required on the
LDAP server.

Which distribution do you use? Is sudo compiled there with sssd support,
or just with ldap?
   sudo -V | grep sss

Is nsswitch configured properly with sss?
   grep sudoers /etc/nsswitch.conf

@see also
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

LS
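The two checks Lukas suggests above (is sudo built with sssd support, and does nsswitch.conf route sudoers lookups to sss) can be turned into functions over captured text, so the same test can be applied to output collected from many hosts. This is an added example, not code from the thread or from sssd. The sample texts are constructed; the real `sudo -V` output from the thread sits behind a dpaste link that is not on this page, so the wording of the sample (a `Configure options` line mentioning `--with-sssd`) is an assumption, and the check itself only does what `grep sss` does.

```python
# Added example (not from the thread or from sssd): the "sudo -V | grep sss"
# and "grep sudoers /etc/nsswitch.conf" checks as functions over text.
import re
import subprocess
from pathlib import Path


def sudoers_sources(nsswitch_text: str) -> list:
    """Return the lookup sources on the `sudoers:` line of nsswitch.conf, in
    order. Tolerates a missing colon (the pasted output in the thread reads
    "sudoers files sss") and ignores comments. Empty list if the line is absent."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^sudoers:?\s+(.*)$", line)
        if m:
            # drop bracketed action specs such as [NOTFOUND=return]
            return [tok for tok in m.group(1).split() if not tok.startswith("[")]
    return []


def sudo_built_with_sssd(sudo_v_output: str) -> bool:
    """Equivalent of `sudo -V | grep sss`: True if any output line mentions
    sss. The exact wording (e.g. a --with-sssd configure option) varies by
    build and is an assumption, which is why the test is this loose."""
    return any("sss" in line for line in sudo_v_output.splitlines())


def diagnose(nsswitch_text: str, sudo_v_output: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    sources = sudoers_sources(nsswitch_text)
    if not sources:
        findings.append("nsswitch.conf has no sudoers: line; only /etc/sudoers is consulted")
    elif "sss" not in sources:
        findings.append(f"sudoers sources are {sources}; sss is missing, sssd rules are never consulted")
    if not sudo_built_with_sssd(sudo_v_output):
        findings.append("sudo -V does not mention sss; this sudo cannot talk to the sssd sudo responder")
    return findings


def diagnose_host() -> list:
    """Run the same checks on the local machine (reads /etc/nsswitch.conf and
    runs `sudo -V`). Only meaningful on a real host, not in a sandbox."""
    nss = Path("/etc/nsswitch.conf").read_text()
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    return diagnose(nss, out)


# Constructed samples (not captured from a real host): a good pair and a bad pair.
GOOD_NSSWITCH = "passwd: files sss\ngroup: files sss\nsudoers: files sss\n"
BAD_NSSWITCH = "passwd: files sss\nsudoers: files   # sss left out\n"
GOOD_SUDO_V = "Sudo version 0.0.0 (constructed sample)\nConfigure options: --with-sssd\n"
PLAIN_SUDO_V = "Sudo version 0.0.0 (constructed sample)\nConfigure options: --with-ldap\n"

if __name__ == "__main__":
    for finding in diagnose(BAD_NSSWITCH, PLAIN_SUDO_V):
        print("FAIL:", finding)
```

On a host, `diagnose_host()` gives the same findings for the live files; note that the order on the `sudoers:` line matters too, since sudo consults the sources left to right, so `files sss` reads `/etc/sudoers` first and only then asks sssd.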


[SSSD-users] Re: sudo does not work with SSSD

2017-10-16 Thread Asif Iqbal
On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal  wrote:

>
> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan 
> wrote:
>
>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
>> rules must follow a proper schema in order to be valid.
>>
>
> I suppose I will just use local/proxy->local with sudo since IT won't add a
> sudo schema.
>
> Appreciate the pointer!
>
>
I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
works perfectly.

So it looks like sudo login with an LDAP password works with pam_ldap.so and
nslcd, but sssd needs an LDAP sudo schema.

So if one does not have access to the LDAP server, pam_ldap + nslcd is the
only way to make it work, since sssd won't work there.

Did I evaluate it right, or is there a workaround for sssd to work as
well?


Thanks




>
>>
>>
>
>> On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal  wrote:
>>
>>>
>>>
>>> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek  wrote:
>>>
 On 13 October 2017 at 19:28, Asif Iqbal wrote:
 > Hi All
 >
 > I have this in sssd.conf
 >
 > [sudo]
 > debug_level = 0x3ff0
 >
 > [domain/LDAP]
 > debug_level = 0x02F0
 > ...
 > sudo_provider = ldap
 > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
 > ldap_sudorule_object_class = mnetperson
 >
 > user can log in OK with ldap, but sudo is failing
 >
 > I see it is doing an ldapsearch like this in the sssd_sudo.log
 >
 > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
 > (0x0200): Searching sysdb with
 > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
 > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
 > (0x0400): Returning 0 rules for [iqbala@LDAP]
 >
 > It would have worked if the search were like this
 >
 > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
 >
 > How do I change the config to search like above?

 The search it's doing is to retrieve sudo rule objects from the
 directory, as defined in e.g.
 https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html

 Each LDAP object is equivalent to a line in a sudoers file.

>>>
>>> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
>>> sudoRole or any sudo* objectclass.
>>>
>>> So that means I cannot use sudo for SSSD?
>>>
>>>
>>>
 Cheers,

 John
 ___
 sssd-users mailing list -- sssd-users@lists.fedorahosted.org
 To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

>>>
>>>
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>>
>>>
>>> ___
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>>
>>>
>>
>> ___
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>
>>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[SSSD-users] Re: sudo does not work with SSSD

2017-10-16 Thread Asif Iqbal
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan 
wrote:

> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> rules must follow a proper schema in order to be valid.
>

I suppose I will just use local/proxy->local with sudo since IT won't add a
sudo schema.

Appreciate the pointer!



>
>

> On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal  wrote:
>
>>
>>
>> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek  wrote:
>>
>>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>>> > Hi All
>>> >
>>> > I have this in sssd.conf
>>> >
>>> > [sudo]
>>> > debug_level = 0x3ff0
>>> >
>>> > [domain/LDAP]
>>> > debug_level = 0x02F0
>>> > ...
>>> > sudo_provider = ldap
>>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>>> > ldap_sudorule_object_class = mnetperson
>>> >
>>> > user can log in OK with ldap, but sudo is failing
>>> >
>>> > I see it is doing an ldapsearch like this in the sssd_sudo.log
>>> >
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>>> > (0x0200): Searching sysdb with
>>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
>>> > (0x0400): Returning 0 rules for [iqbala@LDAP]
>>> >
>>> > It would have worked if the search were like this
>>> >
>>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>>> >
>>> > How do I change the config to search like above?
>>>
>>> The search it's doing is to retrieve sudo rule objects from the
>>> directory, as defined in e.g.
>>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>>
>>> Each LDAP object is equivalent to a line in a sudoers file.
>>>
>>
>> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
>> sudoRole or any sudo* objectclass.
>>
>> So that means I cannot use sudo for SSSD?
>>
>>
>>
>>> Cheers,
>>>
>>> John
>>> ___
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>>
>>
>>
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>>
>> ___
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>
>>
>
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[SSSD-users] Re: sudo does not work with SSSD

2017-10-13 Thread Daniel Corrigan
I'm wondering if you have even extended your LDAP schema for sudo. Sudo
rules must follow a proper schema in order to be valid.


On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal  wrote:

>
>
> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek  wrote:
>
>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>> > Hi All
>> >
>> > I have this in sssd.conf
>> >
>> > [sudo]
>> > debug_level = 0x3ff0
>> >
>> > [domain/LDAP]
>> > debug_level = 0x02F0
>> > ...
>> > sudo_provider = ldap
>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>> > ldap_sudorule_object_class = mnetperson
>> >
>> > user can log in OK with ldap, but sudo is failing
>> >
>> > I see it is doing an ldapsearch like this in the sssd_sudo.log
>> >
>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
>> > (0x0200): Searching sysdb with
>> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
>> > (0x0400): Returning 0 rules for [iqbala@LDAP]
>> >
>> > It would have worked if the search were like this
>> >
>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>> >
>> > How do I change the config to search like above?
>>
>> The search it's doing is to retrieve sudo rule objects from the
>> directory, as defined in e.g.
>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>
>> Each LDAP object is equivalent to a line in a sudoers file.
>>
>
> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
> sudoRole or any sudo* objectclass.
>
> So that means I cannot use sudo for SSSD?
>
>
>
>> Cheers,
>>
>> John
>> ___
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>
>


[SSSD-users] Re: sudo does not work with SSSD

2017-10-13 Thread John Beranek
On 13 October 2017 at 22:49, Asif Iqbal wrote:
>
>
> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek  wrote:
>>
>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>> > Hi All
>> >

>> >
>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>> >
>> > How do I change the config to search like above?
>>
>> The search it's doing is to retrieve sudo rule objects from the
>> directory, as defined in e.g.
>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>
>> Each LDAP object is equivalent to a line in a sudoers file.
>
>
> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
> sudoRole or any sudo* objectclass.
>
> So that means I cannot use sudo for SSSD?

The LDAP directory will typically need the schema adding, including
for Active Directory ( http://jhrozek.livejournal.com/3860.html ) -
so, yes, you need the cooperation of the LDAP administrators in IT.

John


[SSSD-users] Re: sudo does not work with SSSD

2017-10-13 Thread Asif Iqbal
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek  wrote:

> On 13 October 2017 at 19:28, Asif Iqbal wrote:
> > Hi All
> >
> > I have this in sssd.conf
> >
> > [sudo]
> > debug_level = 0x3ff0
> >
> > [domain/LDAP]
> > debug_level = 0x02F0
> > ...
> > sudo_provider = ldap
> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> > ldap_sudorule_object_class = mnetperson
> >
> > user can log in OK with ldap, but sudo is failing
> >
> > I see it is doing an ldapsearch like this in the sssd_sudo.log
> >
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> > (0x0200): Searching sysdb with
> > [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> > (0x0400): Returning 0 rules for [iqbala@LDAP]
> >
> > It would have worked if the search were like this
> >
> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
> >
> > How do I change the config to search like above?
>
> The search it's doing is to retrieve sudo rule objects from the
> directory, as defined in e.g.
> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>
> Each LDAP object is equivalent to a line in a sudoers file.
>

I do not manage the LDAP server, IT does, and ldapsearch shows there is no
sudoRole or any sudo* objectclass.

So that means I cannot use sudo for SSSD?



> Cheers,
>
> John
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[SSSD-users] Re: sudo does not work with SSSD

2017-10-13 Thread Mote, Todd
My ldap_sudo_search_base path ends with "?onelevel?", since it's a search base
you have to give it a scope. It's working fine for us.



Sent from my Windows 10 phone



From: John Beranek <j...@redux.org.uk>
Sent: Friday, October 13, 2017 4:07 PM
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: sudo does not work with SSSD



On 13 October 2017 at 19:28, Asif Iqbal wrote:
> Hi All
>
> I have this in sssd.conf
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP]
> debug_level = 0x02F0
> ...
> sudo_provider = ldap
> ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> ldap_sudorule_object_class = mnetperson
>
> user can log in OK with ldap, but sudo is failing
>
> I see it is doing an ldapsearch like this in the sssd_sudo.log
>
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [iqbala@LDAP]
>
> It would have worked if the search were like this
>
> (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>
> How do I change the config to search like above?

The search it's doing is to retrieve sudo rule objects from the
directory, as defined in e.g.
https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html

Each LDAP object is equivalent to a line in a sudoers file.

Cheers,

John
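Todd's "?onelevel?" suffix above is the `search_base?scope?filter` syntax that sssd-ldap(5) accepts for `ldap_sudo_search_base` and the other `*_search_base` options (a bare DN means scope subtree and no filter; several base/scope/filter groups may be chained with `?`). The parser below validates such a value before sssd is restarted, so a typo in the scope or an unparenthesised filter is caught up front. It is an added example, not part of the thread or of sssd; the DN `ou=SUDOers,dc=example,dc=test` and the `narrow_sudo_search` helper are constructed, and `sudoRole` is the object class from the sudoers.ldap schema.

```python
# Added example (not from the thread or from sssd): parse and validate the
# "base?scope?filter" form of sssd search-base options.
VALID_SCOPES = ("base", "onelevel", "subtree")


def parse_search_base(value: str) -> list:
    """Split an sssd search-base option into (base, scope, filter) tuples.

    Accepted forms, following sssd-ldap(5):
      base                              -> scope defaults to subtree, no filter
      base?scope?[filter]               -> one base with an explicit scope
      base?scope?filter?base?scope?...  -> several bases, searched in turn
    Raises ValueError on a malformed value instead of leaving sssd to log a
    hard-to-spot configuration error at start-up."""
    value = value.strip()
    if not value:
        raise ValueError("empty search base")
    parts = value.split("?")
    if len(parts) == 1:
        return [(parts[0], "subtree", "")]
    if len(parts) % 3 != 0:
        raise ValueError(f"expected base?scope?filter groups, got {len(parts)} fields: {value!r}")
    result = []
    for i in range(0, len(parts), 3):
        base, scope, flt = parts[i], parts[i + 1], parts[i + 2]
        if not base:
            raise ValueError("empty base DN in search base")
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r}; use one of {VALID_SCOPES}")
        if flt and not (flt.startswith("(") and flt.endswith(")")):
            raise ValueError(f"filter must be parenthesised: {flt!r}")
        result.append((base, scope, flt))
    return result


def render_search_base(spec) -> str:
    """Inverse of parse_search_base: write the tuples back in sssd syntax."""
    return "?".join(f"{b}?{s}?{f}" for b, s, f in spec)


def narrow_sudo_search(base: str, rule_class: str = "sudoRole") -> str:
    """Constructed helper: a value that limits the sudo search to the direct
    children of `base` that carry the rule object class, rather than walking
    a whole people subtree as the original configuration in the thread did."""
    return render_search_base([(base, "onelevel", f"(objectClass={rule_class})")])


if __name__ == "__main__":
    # The value from the thread, with Todd's onelevel scope appended.
    print(parse_search_base("ou=People,dc=mnet,dc=qintra,dc=com?onelevel?"))
    print(narrow_sudo_search("ou=SUDOers,dc=example,dc=test"))
```

The parser is deliberately strict about the scope keyword; whether sssd itself accepts other spellings is not something this example asserts.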


[SSSD-users] Re: sudo does not work with SSSD

2017-10-13 Thread John Beranek
On 13 October 2017 at 19:28, Asif Iqbal wrote:
> Hi All
>
> I have this in sssd.conf
>
> [sudo]
> debug_level = 0x3ff0
>
> [domain/LDAP]
> debug_level = 0x02F0
> ...
> sudo_provider = ldap
> ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> ldap_sudorule_object_class = mnetperson
>
> user can log in OK with ldap, but sudo is failing
>
> I see it is doing an ldapsearch like this in the sssd_sudo.log
>
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
> (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 0 rules for [iqbala@LDAP]
>
> It would have worked if the search were like this
>
> (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>
> How do I change the config to search like above?

The search it's doing is to retrieve sudo rule objects from the
directory, as defined in e.g.
https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html

Each LDAP object is equivalent to a line in a sudoers file.

Cheers,

John
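John's point that each LDAP rule object corresponds to a line in a sudoers file is what the logged lookup encodes: sssd asks its cache for objects of the rule class whose `sudoUser` values cover the user (`ALL`, the user name, `#uid`, `%group` for each group, and `+*` so that netgroup-based rules are fetched and checked afterwards), exactly the filter in the `sssd_sudo.log` excerpt. The code below rebuilds that filter and evaluates constructed entries against it, which makes the "Returning 0 rules" outcome concrete: a person object that carries no `sudoUser` attribute can never match, whatever object class the search base is pointed at. This is an added example, not code from the thread, from sssd or from sudo; the entries, DNs and group/netgroup names are constructed, and `sudoRule` is the class name as it appears in the logged cache query (the directory-side class in the sudoers.ldap schema is `sudoRole`).

```python
# Added example (not from the thread, sssd or sudo): rebuild the sudoUser
# lookup filter seen in sssd_sudo.log and evaluate sample entries against it.
from dataclasses import dataclass, field


@dataclass
class Entry:
    """A minimal LDAP-style entry: DN plus multi-valued attributes."""
    dn: str
    attrs: dict = field(default_factory=dict)

    def values(self, name: str) -> list:
        # attribute names are case-insensitive in LDAP
        for key, vals in self.attrs.items():
            if key.lower() == name.lower():
                return list(vals)
        return []


def sudo_user_terms(user: str, uid: int, groups) -> list:
    """sudoUser values that would cover `user`, following sudoers.ldap(5):
    ALL, the user name, #uid and %group for each group the user is in."""
    return ["ALL", user, f"#{uid}"] + [f"%{g}" for g in groups]


def sudo_user_filter(user: str, uid: int, groups, rule_class: str = "sudoRule") -> str:
    """Build the cache lookup filter in the form seen in sssd_sudo.log.
    The trailing (sudoUser=+*) fetches every netgroup-based rule; which
    netgroups the user belongs to is decided afterwards, not in the filter."""
    disjunction = "".join(f"(sudoUser={t})" for t in sudo_user_terms(user, uid, groups))
    return f"(&(objectClass={rule_class})(|{disjunction}(sudoUser=+*)))"


def rule_applies(entry: Entry, user: str, uid: int, groups, netgroups=(),
                 rule_class: str = "sudoRule") -> bool:
    """True if `entry` is a rule object whose sudoUser values cover the user.
    Use rule_class="sudoRole" to evaluate entries as stored in the directory."""
    if rule_class not in entry.values("objectClass"):
        return False  # a person object is never a rule, whatever its uid is
    wanted = set(sudo_user_terms(user, uid, groups))
    for value in entry.values("sudoUser"):
        if value in wanted:
            return True
        if value.startswith("+") and value[1:] in netgroups:
            return True
    return False


def matching_rules(entries, user, uid, groups, netgroups=(), rule_class="sudoRule"):
    """DNs of the entries that grant `user` something, in directory order."""
    return [e.dn for e in entries
            if rule_applies(e, user, uid, groups, netgroups, rule_class)]


# Constructed sample data modelled on the thread: a person entry with the
# object class the original sssd.conf pointed at, and two real rule objects.
SAMPLE_ENTRIES = [
    Entry("uid=iqbala,ou=People,dc=example,dc=test",
          {"objectClass": ["mnetperson"], "uid": ["iqbala"]}),
    Entry("cn=wheel-admins,ou=SUDOers,dc=example,dc=test",
          {"objectClass": ["sudoRule"], "sudoUser": ["%wheel"],
           "sudoHost": ["ALL"], "sudoCommand": ["ALL"]}),
    Entry("cn=ops-netgroup,ou=SUDOers,dc=example,dc=test",
          {"objectClass": ["sudoRule"], "sudoUser": ["+ops"],
           "sudoHost": ["ALL"], "sudoCommand": ["/usr/bin/systemctl"]}),
]

if __name__ == "__main__":
    print(sudo_user_filter("iqbala", 408462, ["iqbala"]))
    # only the person entry is relevant to this user: no rule, as in the log
    print(matching_rules(SAMPLE_ENTRIES, "iqbala", 408462, ["iqbala"]))
    # membership in wheel, or in the ops netgroup, is what makes a rule match
    print(matching_rules(SAMPLE_ENTRIES, "iqbala", 408462, ["iqbala", "wheel"]))
    print(matching_rules(SAMPLE_ENTRIES, "iqbala", 408462, ["iqbala"], netgroups={"ops"}))
```

The same evaluator run with `rule_class="sudoRole"` over an `ldapsearch` dump is a quick way to confirm, before touching sssd.conf, whether the directory contains any rule object that would apply to a given user at all.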