On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote:
> I have a group in ldap(I'm using 389DS) called "_all" which has a
> groupofnames object class. Members are stored with the uniquemember
> attribute. The users in the group are able to login fine via ssh using this
> setup. However, I can't seem to figure out how to get sudo(via ldap) to work
> with my needs.
> The problem seems to be that I am using uniquemember which my configuration
> is not interpreting. I can't use rfc2307 and fall back to posix groups(and
> memberUID) only as I rely heavily on the groupofnames's functionality, so I
> really need to keep that. How can I configure sssd to let me use sudo while
> having a groupofnames as an authoritative source?

Do the groups have a gidNumber? I assume not, otherwise you'd probably
create the groups with the posixGroup objectclass as well.

In general, I don't think sudo allows this, because sudo calls
getgrouplist(3) to see which groups the user belongs to and this call,
being POSIX, only returns POSIX groups.

The schema (rfc2307 vs rfc2307bis) is not really relevant, what is
relevant is that the groups must be visible on the OS level, e.g. with
the id(1) call. I guess one way to go might be to create a POSIX group
(sudo_allowed) and add the _all group as a member of this sudo_allowed
group?

> 
> Here is my config:
> 
> [domain/dingos]
> ldap_schema = rfc2307bis
> ldap_group_search_base = dc=dingos?sub?
> ldap_user_search_base = ou=people,dc=dingos
> ldap_uri = ldaps://ldap-server
> ldap_tls_cacertdir = /etc/openldap/cacerts
> sudo_provider = ldap
> ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> cache_credentials = false
> access_provider = ldap
> debug_level = 0x3ff0
> ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
> entry_cache_timeout = 1
> 
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> domains = dingos
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
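As an added example, not from the thread or from sudo's own source: a small C program that checks membership the way the reply describes, through getpwnam(3) and getgrouplist(3), so it only sees groups NSS exposes with a gidNumber (the suggested POSIX group name sudo_allowed is hypothetical; the defaults root/root are just so it runs anywhere).

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Resolve a user's POSIX group list the way sudo does: getpwnam(3) for the
 * primary gid, then getgrouplist(3). A groupOfNames entry without a
 * gidNumber is invisible here, which is why sudo never matches it.
 * Returns the number of gids written to *out (caller frees), -1 on error. */
static int posix_groups_of(const char *user, gid_t **out)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    int n = 16;
    gid_t *groups = malloc(n * sizeof *groups);
    if (groups == NULL)
        return -1;
    /* getgrouplist returns -1 and stores the required size in n when the
     * buffer is too small: grow and retry. */
    while (getgrouplist(user, pw->pw_gid, groups, &n) == -1) {
        gid_t *bigger = realloc(groups, n * sizeof *groups);
        if (bigger == NULL) { free(groups); return -1; }
        groups = bigger;
    }
    *out = groups;
    return n;
}

/* 1 if user is in the POSIX group gname (e.g. the hypothetical
 * "sudo_allowed"), 0 if not, -1 if NSS does not know the user or group. */
int user_in_posix_group(const char *user, const char *gname)
{
    struct group *gr = getgrnam(gname);
    if (gr == NULL)
        return -1;
    gid_t *groups;
    int n = posix_groups_of(user, &groups);
    if (n < 0)
        return -1;
    int found = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == gr->gr_gid) { found = 1; break; }
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    const char *gname = argc > 2 ? argv[2] : "root";
    int r = user_in_posix_group(user, gname);
    if (r < 0) { fprintf(stderr, "unknown user or group\n"); return 2; }
    printf("%s %s a member of POSIX group %s\n", user, r ? "is" : "is not", gname);
    return r ? 0 : 1;
}
```

Run it as `./a.out alice sudo_allowed` on an sssd client: if it prints "is not" while `id alice` also lacks the group, sudo will not match that rule either.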