Hello all,
I have the following setup:
389-ds server and various machines are configured to retrieve user information via SSSD.
There is a user in the ldap server, called userx. This user is used by HP UCMDB to log in to machines and perform discovery of installed packages, settings etc. Due to the nature of the HP product, it requires passwordless sudo.
As I read, there is no way for an ldap user to be added in the sudoers file with the NOPASSWD option, is this correct?
Regards,
On Fri, 2015-10-30 at 14:29 +0200, Todor Petkov wrote:
Hello all,
I have the following setup:
389-ds server and various machines are configured to retrieve user information via SSSD.
There is a user in the ldap server, called userx. This user is used by HP UCMDB to log in to machines and perform discovery of installed packages, settings etc. Due to the nature of the HP product, it requires passwordless sudo.
As I read, there is no way for an ldap user to be added in the sudoers file with the NOPASSWD option, is this correct?
There is no reason you can't add NOPASSWD to a user in sudoers regardless of whether they are resolved from ldap, sssd, or local.
Alternatively, you can add NOPASSWD to a group, and make the ldap user a member of the group.
On 02/11/2015 03:33 AM, William Brown wrote:
There is no reason you can't add NOPASSWD to a user in sudoers regardless of whether they are resolved from ldap, sssd, or local.
Alternatively, you can add NOPASSWD to a group, and make the ldap user a member of the group.
Hello,
My bad, I meant that I had added the line in sudoers, but it was not working.
However, I have added the user as a "uniquemember" of the group, not just by "gidNumber", and it's OK now.
Thanks.
On 02/11/2015 10:20 AM, Todor Petkov wrote:
Hello,
My bad, I meant that I had added the line in sudoers, but it was not working.
However, I have added the user as a "uniquemember" of the group, not just by "gidNumber", and it's OK now.
Thanks.
Hi,
small update:
When the group has NOPASSWD:ALL, it's not working. If the user has a specific record, it's OK.
I can change the sudoers record with pssh, but if someone can give a hint on how to make the group record work, I would appreciate it.
Regards,
To get NOPASSWD behavior when using ldap to distribute your sudo records, you need to add a sudo options attribute to the sudo rule in ldap to negate the default authentication requirement.
authenticate:
If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is on by default.
To negate it, place a '!' in front of it as the value to a sudo options attribute in ldap.
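As an added illustration of the advice above (not from the thread or from any of its posters), here is what the LDAP-distributed sudo rule for a group looks like with the authenticate flag negated. It assumes the sudoers.schema (objectClass sudoRole) is loaded in 389-ds, that SSSD on the clients uses sudo_provider = ldap, and it uses placeholder names: a base DN of dc=example,dc=com, an ou=SUDOers container, and a group called "discovery" that userx is a member of.

```ldif
# Added example, not from the mailing-list thread.
# Assumptions: sudoers.schema is loaded, SSSD has sudo_provider = ldap,
# base DN dc=example,dc=com, container ou=SUDOers, and the group
# "discovery" (placeholder name) containing userx.
#
# Without the sudoOption line below this is the rule as the thread
# describes it before the fix: the group gets ALL, but sudo's default
# "authenticate" flag is still in force, so a password is still asked for.
dn: cn=discovery-nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: discovery-nopasswd
# '%' marks a group, exactly as in the sudoers file
sudoUser: %discovery
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
# Negating the authenticate flag is the LDAP equivalent of NOPASSWD
sudoOption: !authenticate
```

Load it with `ldapadd -x -D "cn=Directory Manager" -W -f discovery-nopasswd.ldif`, then on a client confirm first that `id userx` lists the group (SSSD resolves membership from the group's member attribute, which is why the earlier uniquemember change mattered) and then that `sudo -l -U userx` shows the rule with the `!authenticate` option; after editing rules, `sss_cache -E` clears the SSSD cache so the client does not keep serving the old rule.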
On Mon, Nov 2, 2015 at 7:02 AM, Todor Petkov <zakk@online.bg> wrote:
On 02/11/2015 10:20 AM, Todor Petkov wrote:
Hello,
My bad, I meant that I had added the line in sudoers, but it was not working.
However, I have added the user as a "uniquemember" of the group, not just by "gidNumber", and it's OK now.
Thanks.
Hi,
small update:
When the group has NOPASSWD:ALL, it's not working. If the user has a specific record, it's OK.
I can change the sudoers record with pssh, but if someone can give a hint on how to make the group record work, I would appreciate it.
Regards,
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 11/02/2015 07:02 AM, Todor Petkov wrote:
When the group has NOPASSWD:ALL, it's not working. If the user has a specific record, it's OK.
I can change the sudoers record with pssh, but if someone can give a hint on how to make the group record work, I would appreciate it.
First, check your user's actual group membership resolution:
$ id myuser
Second, make sure that the group's name, specified in the sudoers file, is prefixed with a '%' character.