Thanks much. That was my interpretation too. Unfortunately depending on schedules and in some cases internal platform testing and assurance, it’s not always possible to upgrade in a timely manner for many customers.

I’m hoping for now that this customer will be satisfied with the performance from the v6.3 RH implementation.
As the man pages state, the interaction between client and ldap server is minimal compared to a full user authentication... so hopefully a non-cached sudo user hit won’t be too harmful in their opinions.

Of course as was indicated, if the ldap server is unreachable, it will prevent the sudo command from working.

Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cerni...@hp.com

From: sssd-users-boun...@lists.fedorahosted.org 
[mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Dmitri Pal
Sent: Thursday, July 25, 2013 2:23 PM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

On 07/25/2013 01:15 PM, Michael Ströder wrote:
Jakub Hrozek wrote:

On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:

Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL V6.3 by reenabling sssd for authentication and then using /etc/sudo-ldap.conf for the sudo component.

That's fine, using sssd for authentication and identity information
while using sudo's built-in LDAP support is a perfectly supportable
configuration.

Hmm, direct sudo-ldap does no caching of sudoRole entries. So if your LDAP server is not available/reachable you're lost fixing the issues...

Ciao, Michael.


I think what Michael meant is:
Since you are using 6.3 you are using the configuration that does not leverage SSSD integration for sudo and connects directly to LDAP source for sudo rules. In this case there is no caching of the sudo rules and if you lose connectivity sudo will fail over to local sudoers file. In case of 6.4 the SSSD integration is possible and SSSD would fetch sudo rules and store them so that sudo acts consistently whether there is connectivity to the central server or not.

So the point that Michael might have had (guessing here) is that it might be 
better to upgrade to 6.4 to leverage SSSD integration and caching than to use 
6.3 without caching.

HTH

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





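An added example, not part of the original thread and not sudo or SSSD project code: a small audit check that reads a host's `nsswitch.conf` and `sssd.conf` text and labels each sudoers source by the distinction drawn above (direct sudo-ldap lookups are not cached, lookups through SSSD are). The sample file contents, function names and labels are constructed for illustration; the label for `sss` assumes SSSD only answers sudo requests when `sudo` is listed in `services`.

```python
import configparser

# Constructed sample files (not taken from the thread).
NSSWITCH_DIRECT_LDAP = "passwd: files sss\nsudoers: files ldap\n"
NSSWITCH_VIA_SSSD = "passwd: files sss\nsudoers: files sss\n"
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
sudo_provider = ldap
"""

def sudoers_sources(nsswitch_text):
    """Ordered sources from the 'sudoers:' line of nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            tokens = line.split(":", 1)[1].split()
            # Ignore action items such as [NOTFOUND=return].
            return [t for t in tokens if not t.startswith("[")]
    return ["files"]  # sudo's default when there is no sudoers line

def sssd_serves_sudo(sssd_conf_text):
    """True if 'sudo' is listed in services under [sssd]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    services = cp.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]

def assess(nsswitch_text, sssd_conf_text=""):
    """Label each sudoers source by how it behaves when LDAP is unreachable."""
    labels = []
    for src in sudoers_sources(nsswitch_text):
        if src == "files":
            labels.append((src, "local"))
        elif src == "ldap":
            labels.append((src, "no-cache"))  # direct sudo-ldap lookup
        elif src == "sss":
            ok = sssd_serves_sudo(sssd_conf_text)
            labels.append((src, "cached" if ok else "sss-without-sudo-service"))
        else:
            labels.append((src, "unknown"))
    return labels

if __name__ == "__main__":
    print(assess(NSSWITCH_DIRECT_LDAP))
    print(assess(NSSWITCH_VIA_SSSD, SSSD_CONF))
```

Hosts that report `no-cache` are the ones where sudo rules depend on a reachable LDAP server at the moment the command is run.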



