On 11/11/2012 04:29 AM, Simo Sorce wrote:
> On Fri, 2012-11-09 at 14:28 +0100, Pavel Březina wrote:
>> [PATCH 4/6]
>> solves 2
>
>
> Hi,
>
> Sorry, but I fail to understand why the sudo client needs to know about
> sssd domains at all.
> I am guilty of not having followed the original sudo patches submission
> process, but without knowing if there is a valid reason it seems to me
> that sudo should not know about domains at all.

Sudo sends two subsequent requests to sssd:
- for a specific rule named cn=defaults, which contains global options
- for the rules that match a specific user

We need to ensure that both requests are served from the same cache.

Originally, we served the cn=defaults request from the first cache containing some sudo rules and then the user-rules request from the cache that contains this user. This was obviously a security bug in a multidomain environment, so we prohibited use of this protocol (version 0) altogether.

Now (since version 1) we match the user to a domain during the cn=defaults request and send it back to sudo so we can match the user to the same domain during the second request.

https://fedorahosted.org/sssd/ticket/1239

> Also by looking at the code I see that you make wrong assumptions about
> the format of a fully qualified name in sudo.
> It seems you assume a fully qualified name is always username@domain, but
> that's just the 'default' setting, the fully qualified name format is an
> option that admins can change, and the sudo client has no way to know
> what that is.

Yes, I realized that with this ticket, and it is no longer an issue with this patch. The domain name is now sent as a separate field.


> I think before I allow further changes to this protocol I need to
> understand why it is transporting the domain name at all.
>
> Simo.
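The two-request exchange Pavel describes above, as an added example that is not SSSD's own code: a toy C model of the responder with two constructed domain caches (the domain names corp.example and lab.example, the users alice and bob, and the rules are all made-up sample data). Protocol version 0 answers cn=defaults from the first cache that has any sudo rules and the user's rules from whichever cache knows the user, so the two answers can come from different domains; version 1 resolves the user to a domain on the first request, returns that domain name as a separate field, and confines the second lookup to it.

```c
/*
 * Added example, not SSSD code: a toy model of the sudo <-> sssd
 * responder exchange, to show why both requests must be served from
 * the same domain cache. All domains, users and rules are constructed.
 */
#include <stdio.h>
#include <string.h>

struct sudo_rule {
    const char *cn;     /* rule name; "defaults" holds global options */
    const char *user;   /* NULL for cn=defaults */
    const char *value;  /* one option or command, for illustration */
};

struct domain_cache {
    const char *name;
    const struct sudo_rule *rules;
    size_t nrules;
};

/* Constructed caches: each domain carries its own cn=defaults. */
static const struct sudo_rule corp_rules[] = {
    { "defaults", NULL,    "!authenticate" },
    { "admins",   "alice", "ALL" },
};
static const struct sudo_rule lab_rules[] = {
    { "defaults", NULL,  "authenticate" },
    { "lab-ops",  "bob", "/usr/bin/systemctl" },
};
static const struct domain_cache caches[] = {
    { "corp.example", corp_rules, 2 },
    { "lab.example",  lab_rules,  2 },
};
#define NCACHES (sizeof(caches) / sizeof(caches[0]))

static const struct domain_cache *cache_by_name(const char *domain)
{
    size_t i;
    for (i = 0; domain != NULL && i < NCACHES; i++)
        if (strcmp(caches[i].name, domain) == 0)
            return &caches[i];
    return NULL;
}

/* First cache holding a rule for this user, or NULL if none knows them. */
static const struct domain_cache *cache_for_user(const char *user)
{
    size_t i, j;
    for (i = 0; user != NULL && i < NCACHES; i++)
        for (j = 0; j < caches[i].nrules; j++)
            if (caches[i].rules[j].user != NULL &&
                strcmp(caches[i].rules[j].user, user) == 0)
                return &caches[i];
    return NULL;
}

static const char *defaults_value(const struct domain_cache *c)
{
    size_t j;
    for (j = 0; c != NULL && j < c->nrules; j++)
        if (c->rules[j].user == NULL && strcmp(c->rules[j].cn, "defaults") == 0)
            return c->rules[j].value;
    return NULL;
}

static const char *user_rule_value(const struct domain_cache *c, const char *user)
{
    size_t j;
    for (j = 0; c != NULL && user != NULL && j < c->nrules; j++)
        if (c->rules[j].user != NULL && strcmp(c->rules[j].user, user) == 0)
            return c->rules[j].value;
    return NULL;
}

/* Version 0: cn=defaults from the first cache with any rules at all. */
const char *defaults_domain_v0(void)
{
    size_t i;
    for (i = 0; i < NCACHES; i++)
        if (caches[i].nrules > 0)
            return caches[i].name;
    return NULL;
}
const char *defaults_option_v0(void) { return defaults_value(cache_by_name(defaults_domain_v0())); }
/* Version 0: the user's rules from whichever cache knows the user. */
const char *user_rule_v0(const char *user) { return user_rule_value(cache_for_user(user), user); }
/* 1 when the two version-0 answers would come from different domains. */
int v0_mixes_domains(const char *user)
{
    const struct domain_cache *uc = cache_for_user(user);
    const char *d = defaults_domain_v0();
    return uc != NULL && d != NULL && strcmp(uc->name, d) != 0;
}

/* Version 1: resolve the user to a domain, serve cn=defaults from it,
 * and hand the domain name back to sudo as a separate field. */
const char *defaults_domain_v1(const char *user)
{
    const struct domain_cache *c = cache_for_user(user);
    return c != NULL ? c->name : NULL;
}
const char *defaults_option_v1(const char *user) { return defaults_value(cache_for_user(user)); }
/* Version 1, second request: sudo echoes the domain, lookup stays in that cache. */
const char *user_rule_v1(const char *user, const char *domain) { return user_rule_value(cache_by_name(domain), user); }

int main(void)
{
    const char *dom = defaults_domain_v1("bob");
    printf("v0: defaults from %s, bob's rule from %s\n", defaults_domain_v0(), dom);
    printf("v1: defaults=%s domain=%s rule=%s\n",
           defaults_option_v1("bob"), dom, user_rule_v1("bob", dom));
    return 0;
}
```

For bob, version 0 pairs corp.example's "!authenticate" with a lab.example command rule; version 1 returns lab.example on the first request and the second request, carrying that domain, no longer finds anything in corp.example.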


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel