On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <dancorrig...@gmail.com> wrote:
> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> rules must follow a proper schema in order to be valid.

I suppose I will just use local/proxy->local with sudo since IT won't add a sudo schema. Appreciate the pointer!

>
> On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal <vad...@gmail.com> wrote:
>>
>> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <j...@redux.org.uk> wrote:
>>
>>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>>> > Hi All
>>> >
>>> > I have this in sssd.conf
>>> >
>>> > [sudo]
>>> > debug_level = 0x3ff0
>>> >
>>> > [domain/LDAP]
>>> > debug_level = 0x02F0
>>> > ...
>>> > sudo_provider = ldap
>>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>>> > ldap_sudorule_object_class = mnetperson
>>> >
>>> > user can login OK with ldap, but sudo is failing
>>> >
>>> > I see it is doing a ldapsearch like this in the sssd_sudo.log
>>> >
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
>>> >
>>> > It would have worked if search were like this
>>> >
>>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>>> >
>>> > How do I change the config to search like above?
>>>
>>> The search it's doing is to retrieve sudo rule objects from the
>>> directory, as defined in e.g.
>>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>>
>>> Each LDAP object is equivalent to a line in a sudoers file.
>>
>> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
>> sudoRole or any sudo* objectclass.
>>
>> So that means I cannot use sudo for SSSD?
>>
>>> Cheers,
>>>
>>> John
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
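An added illustration of the rule selection John and Daniel are describing, written for this thread (it is my own code, not SSSD's and not anything posted above). It rebuilds the sysdb filter quoted from sssd_sudo.log from a user's name, uid and groups, then evaluates constructed directory entries against it: two entries in the sudoers.ldap(5) layout (objectClass sudoRole with sudoUser, sudoHost, sudoCommand) and one person entry of the thread's `mnetperson` class that carries no sudoUser at all. The entries, the user and the group list are constructed; the `%wheel` group, the `iqbala-httpd` rule name and the httpd command are assumptions, and netgroup (`+name`) membership is not resolved, since that needs an NSS lookup.

```python
"""Model of how SSSD's sudo responder narrows LDAP sudo rules to one user.

Added example for the sssd-users thread above; not SSSD code.  Entries are
constructed in the sudoers.ldap(5) layout.  A directory with no sudoRole
objects (as in the thread) yields 0 rules whatever the filter looks like,
because the selection is made on sudoUser values the entries do not carry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: tuple = ()


def sysdb_sudo_filter(user):
    """Rebuild the sysdb filter quoted from sssd_sudo.log in the thread.

    The cache stores rules under objectClass=sudoRule; the LDAP-side class
    is whatever ldap_sudorule_object_class names (default sudoRole)."""
    terms = ["(sudoUser=ALL)", f"(sudoUser={user.name})", f"(sudoUser=#{user.uid})"]
    terms += [f"(sudoUser=%{g})" for g in user.groups]
    terms.append("(sudoUser=+*)")  # every netgroup rule is fetched; membership is checked locally
    return f"(&(objectClass=sudoRule)(|{''.join(terms)}))"


def sudo_user_matches(value, user):
    """Evaluate one sudoUser value against the user (sudoers.ldap semantics)."""
    if value == "ALL":
        return True
    if value.startswith("#"):          # numeric uid
        return value[1:] == str(user.uid)
    if value.startswith("%"):          # group name
        return value[1:] in user.groups
    if value.startswith("+"):          # netgroup: needs an NSS lookup, not modelled here
        return False
    return value == user.name


def select_rules(entries, user, object_class="sudoRole"):
    """Return the entries of `object_class` whose sudoUser names `user`."""
    selected = []
    for entry in entries:
        if object_class not in entry.get("objectClass", []):
            continue
        if any(sudo_user_matches(v, user) for v in entry.get("sudoUser", [])):
            selected.append(entry)
    return selected


def to_sudoers_line(entry):
    """Render a sudoRole entry as the sudoers line it is equivalent to."""
    users = ",".join(entry["sudoUser"])
    hosts = ",".join(entry.get("sudoHost", ["ALL"]))
    cmds = ", ".join(entry.get("sudoCommand", ["ALL"]))
    return f"{users} {hosts} = {cmds}"


# Constructed directory content: two proper sudoRole entries plus a person
# entry of the thread's ldap_sudorule_object_class, which has no sudoUser.
DIRECTORY = [
    {"cn": ["admins"], "objectClass": ["top", "sudoRole"],
     "sudoUser": ["%wheel"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": ["iqbala-httpd"], "objectClass": ["top", "sudoRole"],
     "sudoUser": ["iqbala"], "sudoHost": ["ALL"],
     "sudoCommand": ["/bin/systemctl restart httpd"]},
    {"cn": ["Asif Iqbal"], "objectClass": ["top", "person", "mnetperson"],
     "uid": ["iqbala"], "uidNumber": ["408462"]},
]


def rules_for(name, uid, groups, object_class="sudoRole"):
    """Names (cn) of the rules in DIRECTORY that apply to the given identity."""
    user = User(name, uid, tuple(groups))
    return [e["cn"][0] for e in select_rules(DIRECTORY, user, object_class)]


if __name__ == "__main__":
    iqbala = User("iqbala", 408462, ("iqbala",))
    print(sysdb_sudo_filter(iqbala))
    # The thread's setting: the person object exists but holds no sudoUser -> 0 rules.
    print(rules_for("iqbala", 408462, ["iqbala"], object_class="mnetperson"))
    # With sudoRole objects present, the same user gets the rule that names him.
    for entry in select_rules(DIRECTORY, iqbala):
        print(to_sudoers_line(entry))
```

Running it prints the exact filter string from the log, then an empty list for the `mnetperson` class, then `iqbala ALL = /bin/systemctl restart httpd` once sudoRole objects exist. Pointing `ldap_sudorule_object_class` at a person class cannot help: matching is done on sudoUser, and an entry without that attribute never matches, which is the schema requirement Daniel refers to.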