URL: https://github.com/SSSD/sssd/pull/544
Author: jhrozek
Title: #544: IPA: Qualify the externalUser sudo attribute
Action: opened

PR body:
"""
We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.

Reproducer:
    on the server:
        ipa sudocmd-add --desc='For reading log files' /usr/bin/less
        ipa sudorule-add readfiles
        ipa sudorule-add-user --users=lcluser
        ipa sudorule-mod --hostcat=all readfiles

    then on the client:
        configure sssd with:
            id_provider = files
            sudo_provider = ipa
            ipa_domain = ipa.test

        run:
            sudo useradd lcluser
            sudo passwd lcluser
            su - lcluser
            sudo -l
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/544/head:pr544
git checkout pr544
From 03a2bb750a2f48f5c40f1c1931a8b989b1782c66 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 26 Mar 2018 11:36:00 +0200
Subject: [PATCH] IPA: Qualify the externalUser sudo attribute

We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.

Reproducer:
    on the server:
        ipa sudocmd-add --desc='For reading log files' /usr/bin/less
        ipa sudorule-add readfiles
        ipa sudorule-add-user --users=lcluser
        ipa sudorule-mod --hostcat=all readfiles

    then on the client:
        configure sssd with:
            id_provider = files
            sudo_provider = ipa
            ipa_domain = ipa.test

        run:
            sudo useradd lcluser
            sudo passwd lcluser
            su - lcluser
            sudo -l
---
 src/providers/ipa/ipa_sudo_conversion.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index a96ae3447..f4da41c92 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -873,6 +873,18 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
     return fqdn;
 }
 
+static const char *
+convert_ext_user(TALLOC_CTX *mem_ctx,
+                 struct ipa_sudo_conv *conv,
+                 const char *value,
+                 bool *skip_entry)
+{
+    char *fqdn = NULL;
+
+    fqdn = sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
+    return fqdn;
+}
+
 static const char *
 convert_group(TALLOC_CTX *mem_ctx,
               struct ipa_sudo_conv *conv,
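Review bot: in convert_ext_user the `skip_entry` out-parameter is never set, and a NULL return from sss_create_internal_fqname (allocation failure, or a NULL value or domain name) is passed back silently; if the table-driven caller already treats NULL as "drop this value" that is acceptable, but a DEBUG message here would make a dropped externalUser far easier to diagnose than a sudo rule that simply stops matching. It is also worth confirming that an externalUser value which already carries an `@domain` suffix is not qualified a second time, since the function hands `value` over verbatim and appends conv->dom->name. The `fqdn` local adds nothing; `return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);` reads more directly.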
@@ -959,7 +971,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
                  {SYSDB_IPA_SUDORULE_RUNASEXTUSER,       SYSDB_SUDO_CACHE_AT_RUNASUSER  , NULL},
                  {SYSDB_IPA_SUDORULE_RUNASEXTGROUP,      SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
                  {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP,  SYSDB_SUDO_CACHE_AT_RUNASUSER  , convert_runasextusergroup},
-                 {SYSDB_IPA_SUDORULE_EXTUSER,            SYSDB_SUDO_CACHE_AT_USER       , NULL},
+                 {SYSDB_IPA_SUDORULE_EXTUSER,            SYSDB_SUDO_CACHE_AT_USER       , convert_ext_user},
                  {SYSDB_IPA_SUDORULE_ALLOWCMD,           SYSDB_IPA_SUDORULE_ORIGCMD     , NULL},
                  {SYSDB_IPA_SUDORULE_DENYCMD,            SYSDB_IPA_SUDORULE_ORIGCMD     , NULL},
                  {NULL, NULL, NULL}};
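Review bot: the new table row is consistent with the convert_runasextusergroup entry above it, but nothing in the patch exercises the new path; a conversion test that feeds an unqualified externalUser value (the reproducer's `lcluser`) and asserts that the cached SYSDB_SUDO_CACHE_AT_USER value is the qualified `lcluser@ipa.test` the responder expects would keep this from regressing the next time the attribute handling changes.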
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org