URL: https://github.com/SSSD/sssd/pull/39
Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
jhrozek commented:

"""
Are you sure this is enough? Because when the patch is applied, I see that we only match the sudoUser value with the original case. Don't we also need to match the lowercase version of the username?

This is what sssd_sudo searches for:
```
(Thu Nov 10 13:11:01 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Administrator)(sudoUser=#679800500)(sudoUser=%Group\20Policy\20Creator\20Owners)(sudoUser=%Enterprise\20Admins)(sudoUser=%Domain\20Admins)(sudoUser=%Schema\20Admins)(sudoUser=%Domain\20Users)(sudoUser=%Denied\20RODC\20Password\20Replication\20Group)(sudoUser=%sudogroup)(sudoUser=%Domain\20Users)(sudoUser=+*)))]
```

And this is the rule definition:
```
dn: name=morerule,cn=sudorules,cn=custom,cn=win.trust.test,cn=sysdb
cn: morerule
dataExpireTimestamp: 1478785266
entryUSN: 65695
name: morerule
objectClass: sudoRule
originalDN: CN=morerule,OU=sudoers,DC=win,DC=trust,DC=test
sudoCommand: /bin/more
sudoCommand: /usr/bin/more
sudoHost: ALL
sudoUser: administrator
distinguishedName: name=morerule,cn=sudorules,cn=custom,cn=win.trust.test,cn=s
 ysdb
```

So
"""

See the full comment at https://github.com/SSSD/sssd/pull/39#issuecomment-259675726
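The mismatch raised in the comment above, as an added example that is not part of the original comment or of SSSD's code: it checks a shortened copy of the logged filter against the cached rule's `sudoUser` value, then repeats the check with the lowercased name added. It assumes `sudoUser` values are compared exactly (case-sensitively); `add_lowercase_user` and the other function names are hypothetical.

```python
import re

# Shortened copy of the filter from the log line above.
LOGGED_FILTER = (
    "(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=Administrator)"
    "(sudoUser=#679800500)(sudoUser=%Domain\\20Admins)(sudoUser=%sudogroup)"
    "(sudoUser=+*)))"
)
# sudoUser values of the cached rule "morerule" shown above.
RULE_SUDO_USERS = ["administrator"]


def decode(raw):
    """Decode \\XX hex escapes used inside LDAP filter values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def escape(value):
    """Hex-escape filter metacharacters and spaces, as in the logged filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*() " else c for c in value)


def term_matches(raw, value):
    """Assumption: exact, case-sensitive comparison of sudoUser values."""
    if raw.endswith("*"):  # substring term such as (sudoUser=+*)
        return value.startswith(decode(raw[:-1]))
    return value == decode(raw)


def rule_matches(ldap_filter, rule_users):
    """True if any (sudoUser=...) term selects one of the rule's sudoUser values."""
    terms = re.findall(r"\(sudoUser=([^()]*)\)", ldap_filter)
    return any(term_matches(t, u) for t in terms for u in rule_users)


def add_lowercase_user(ldap_filter, username):
    """Hypothetical fix: search for the lowercased user name as well."""
    lower = username.lower()
    if lower == username:
        return ldap_filter
    term = "(sudoUser=%s)" % escape(username)
    return ldap_filter.replace(term, term + "(sudoUser=%s)" % escape(lower), 1)


if __name__ == "__main__":
    print("logged filter matches rule:", rule_matches(LOGGED_FILTER, RULE_SUDO_USERS))
    fixed = add_lowercase_user(LOGGED_FILTER, "Administrator")
    print("with lowercase term added: ", rule_matches(fixed, RULE_SUDO_USERS))
```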