Thanks again for the explanation.

Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cerni...@hp.com

-----Original Message-----
From: sssd-users-boun...@lists.fedorahosted.org 
[mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Michael Ströder
Sent: Saturday, July 27, 2013 7:52 AM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

Dmitri Pal wrote:
> On 07/25/2013 01:15 PM, Michael Ströder wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS - 
>>> UNIX/Linux Network Support) wrote:
>>>> Thanks very much.   I'm not sure what AFAIR is but I got this
>>>> working in RHEL V6.3 by reenabling
>>>> sssd for authentication and then using /etc/sudo-ldap.conf for the 
>>>> sudo component.
>>>
>>> That's fine, using sssd for authentication and identity information 
>>> while using sudo's built-in LDAP support is a perfectly supportable 
>>> configuration.
>>
>> Hmm, direct sudo-ldap does no caching of sudoRole entries. So if 
>> your LDAP server is not available/reachable you're lost fixing the 
>> issues...
>
> I think what Michael meant is:
> Since you are using 6.3 you are using the configuration that does not 
> leverage SSSD integration for sudo and connects directly to LDAP 
> source for sudo rules. In this case there is no caching of the sudo 
> rules and if you lose connectivity sudo will fail over to the local 
> sudoers file. In case of 6.4 the SSSD integration is possible and SSSD 
> would fetch sudo rules and store them so that sudo acts consistently 
> whether there is connectivity to the central server or not.

Exactly.

> So the point that Michael might have had (guessing here) is that it 
> might be better to upgrade to 6.4 to leverage SSSD integration and 
> caching than to use 6.3 without caching.

I did not want to make a statement about whether upgrading the distribution is 
better or not since there are more things to consider.

I just wanted to point out the main difference between having 'sudoers ldap' 
or 'sudoers sss' in /etc/nsswitch.conf no matter which sudo config file is used 
to specify the sudo-ldap options. While it feels the same in case everything's 
working it can make a difference during an emergency case.

Ciao, Michael.
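As an added illustration (not code from the thread or from the SSSD project), a small Python check that reads the `sudoers` line of nsswitch.conf and reports whether sudo rules are resolved through SSSD (cached offline) or straight from LDAP (no cache, local sudoers fallback only). The file content below is a constructed sample; the function names are my own.

```python
import re

# Constructed sample of /etc/nsswitch.conf, not taken from a real host.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
group:      files sss
sudoers:    files ldap    # sudo queries LDAP directly, no offline cache
"""

# Tokens such as [NOTFOUND=return] are lookup actions, not sources.
ACTION_RE = re.compile(r"^\[.*\]$")


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [action] tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [tok for tok in rest.split() if not ACTION_RE.match(tok)]
    return dbs


def classify_sudoers(dbs):
    """Classify how sudo rules are fetched: 'sssd', 'ldap' or 'files'.

    'sssd'  -> rules come via SSSD, which caches them for use when the LDAP
               server is unreachable.
    'ldap'  -> sudo's built-in LDAP support; nothing is cached, so an LDAP
               outage leaves only the local sudoers file.
    'files' -> local /etc/sudoers only (also sudo's default when the line
               is absent).
    """
    sources = dbs.get("sudoers", ["files"])
    if "sss" in sources:
        return "sssd"
    if "ldap" in sources:
        return "ldap"
    return "files"


if __name__ == "__main__":
    print(classify_sudoers(parse_nsswitch(SAMPLE_NSSWITCH)))  # ldap
```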
