> On Apr 5, 2018, at 3:22 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > >> On 5 Apr 2018, at 19:56, Max DiOrio <mdio...@gmail.com> wrote: >> >> I’m guessing someone was thinking that the group lookup was case sensitive >> and entered it both ways to rule that out. > > I wonder if you know how did they manage to put the duplicate entries into > AD? I tried with ADSI edit and got an error about a duplicate attribute > value. I suspect this might be a bug in SSSD. If the domain is known to be > case-insensitive, like AD and if the values differ by case only, then the > values can be just lowercased and sssd should write only the single lowercase > value (and then sssd-sudo knows to look up the rules in a case-insensitive > manner).
Quite simple, adding the value in ADUC says it already exists, but let’s you add it anyway. > >> Ends up breaking the storing of the rules and it seems if one rule fails to >> be stored, they all are. Not necessarily the best thing to do maybe? > > In the typical case I would agree, but sudo also supports exclusion > (“!command", run any command except the specified one) which I think is quite > a misfeature and then failing to save a rule might cause to fail to save the > exclusion.. > > I don’t know if anyone actually uses the exclusion, because, realistically, > with LDAP it would have to be used together with sudoOrder to make sure you > get the right ordering of rules. Maybe we could fix/extend SSSD so that if no > sudoCommand contains the exclamation, then we can be permissive in saving the > rules. Would you mind opening an upstream ticket for that? I’m not sure if > it’s something any of the core developers would jump to fixing, but it sounds > to me like a nice task for someone looking to contribute to sssd :-) > >> >> (Thu Apr 5 13:30:44 2018) [sssd[be[internal.ieeeglobalspec.com]]] >> [sysdb_store_custom] (0x0020): Failed to store custom entry: Attribute or >> value exists(20)[attribute 'sudoUser': value #5 on >> 'name=DevTest,cn=sudorules,cn=custom,cn=internal.ieeeglobalspec.com,cn=sysdb' >> provided more than once] > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org