On Wed, Nov 14, 2018 at 09:45:23AM -0800, Leonard Lawton wrote:
> On 11/14/2018 12:28 AM, Jakub Hrozek wrote:
> > On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote:
> > > I have a group in ldap (I'm using 389DS) called "_all" which has a
> > > groupofnames object class. Members are stored with the uniquemember
> > > attribute. The users in the group are able to login fine via ssh using
> > > this setup. However, I can't seem to figure out how to get sudo (via
> > > ldap) to work with my needs.
> > > The problem seems to be that I am using uniquemember which my
> > > configuration is not interpreting. I can't use rfc2307 and fall back to
> > > posix groups (and memberUID) only as I rely heavily on the groupofnames's
> > > functionality, so I really need to keep that. How can I configure sssd
> > > to let me use sudo while having a groupofnames as an authoritative
> > > source?
> > Do the groups have a gidNumber? I assume not, otherwise you'd probably
> > create the groups with the posixGroup objectclass as well.
> They do have a gidNumber and have both posixGroup and groupofnames object
> classes.
Do they show up in the id output?

> >
> > In general, I don't think sudo allows this, because sudo calls
> > getgrouplist(3) to see which groups the user belongs to and this call,
> > being POSIX only returns POSIX groups.
> >
> > The schema (rfc2307 vs rfc2307bis) is not really relevant, what is
> > relevant is that the groups must be visible on the OS level, e.g. with
> > the id(1) call. I guess one way to go might be to create a POSIX group
> > (sudo_allowed) and add the _all group as a member of this sudo_allowed
> > group?
> The rfc2307 vs rfc2307bis comes into play as the group members have
> different attributes in posix vs groupofnames
>
> Example membership of group _all when populating with posixGroup
> attributes:
> memberUid: bob

posixGroup does not imply memberUid, does it?

> Example membership of group _all when populating with groupofnames
> attributes:
> uniqueMember: uid=bob,dc=something
>
> sssd will never seem to allow memberUid /and/ uniqueMember to be searched as
> group membership.

Yes, with ldap_schema=rfc2307bis, only 'member: $dn' is used by default by
SSSD.

btw it looks like your configuration doesn't override the ldap_group_member
option, so I guess the uniqueMember attribute is not used?

> > > Here is my config:
> > >
> > > [domain/dingos]
> > > ldap_schema = rfc2307bis
> > > ldap_group_search_base = dc=dingos?sub?
> > > ldap_user_search_base = ou=people,dc=dingos
> > > ldap_uri = ldaps://ldap-server
> > > ldap_tls_cacertdir = /etc/openldap/cacerts
> > > sudo_provider = ldap
> > > ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
> > > id_provider = ldap
> > > auth_provider = ldap
> > > chpass_provider = ldap
> > > cache_credentials = false
> > > access_provider = ldap
> > > debug_level = 0x3ff0
> > > ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
> > > entry_cache_timeout = 1
> > >
> > > [sssd]
> > > config_file_version = 2
> > > services = nss, pam, sudo
> > > domains = dingos
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
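An added illustration, not part of this thread or of SSSD's own code: a small Python model of the attribute selection discussed above (ldap_schema=rfc2307 reads memberUid; rfc2307bis reads the attribute named by ldap_group_member, which defaults to member). The cn=_all entry, its gidNumber, the second member name and the function names are constructed for the example; it shows why the posted config, which leaves ldap_group_member at its default, resolves no members from uniqueMember, and why sudo only benefits once the group is a POSIX group whose members SSSD has resolved.

```python
# Added example, not part of this thread or of SSSD itself. It encodes only
# what the thread states: rfc2307 -> memberUid (user names); rfc2307bis ->
# the attribute named by ldap_group_member, default "member", holding DNs.
# The group entry below is constructed; its DNs mirror the dingos domain.

# Membership attribute SSSD uses when ldap_group_member is not set.
DEFAULT_GROUP_MEMBER = {"rfc2307": "memberUid", "rfc2307bis": "member"}

# Constructed entry for cn=_all: posixGroup plus groupOfNames with a gidNumber,
# members stored only in uniqueMember, as the poster describes.
GROUP_ALL = {
    "dn": "cn=_all,ou=hosts,ou=roles,dc=dingos",
    "objectClass": ["top", "posixGroup", "groupOfNames"],
    "gidNumber": ["5000"],
    "uniqueMember": ["uid=bob,ou=people,dc=dingos",
                     "uid=alice,ou=people,dc=dingos"],
}


def rdn_value(dn):
    """Return the value of the leading RDN: 'uid=bob,ou=people,...' -> 'bob'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def resolved_members(entry, ldap_schema, ldap_group_member=None):
    """User names SSSD would treat as members of `entry` under the given
    schema. ldap_group_member=None means the option is absent from sssd.conf,
    so the schema default applies. LDAP attribute names are case-insensitive,
    so the lookup ignores case."""
    attr = (ldap_group_member or DEFAULT_GROUP_MEMBER[ldap_schema]).lower()
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if ldap_schema == "rfc2307":
        return set(values)                      # memberUid holds user names
    return {rdn_value(dn) for dn in values}     # DN-valued member attribute


def sudo_can_see_membership(entry, user, ldap_schema, ldap_group_member=None):
    """sudo asks getgrouplist(3), which only returns POSIX groups: the group
    needs a gidNumber and SSSD must have resolved `user` as a member."""
    return ("gidNumber" in entry
            and user in resolved_members(entry, ldap_schema, ldap_group_member))


if __name__ == "__main__":
    for schema, override in [("rfc2307", None), ("rfc2307bis", None),
                             ("rfc2307bis", "uniqueMember")]:
        print(schema, override or "(default)",
              sorted(resolved_members(GROUP_ALL, schema, override)))
```

With the posted config (rfc2307bis, no override) the model yields no members for cn=_all; setting ldap_group_member to uniqueMember makes bob and alice visible, which is the precondition for the id(1) check Jakub asks about.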