Hi,
maybe the man page sudoers.ldap(5) will help clarify:
sudoOrder
    The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behavior of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file.

    If the sudoOrder attribute is not present, a value of 0 is assumed.

    The sudoOrder attribute is only available in sudo versions 1.7.5 and higher.
flo
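To make the sorting rule in that excerpt concrete, here is an added example (not code from the thread or from sudo itself): a small Python model of sudoOrder resolution over constructed sudoRole-style entries, plus a check that reports user/host pairs whose matching rules tie on sudoOrder, which is exactly the undefined case the question describes. The group names, hosts and rule names are made up; a missing sudoOrder is treated as 0 as the man page states.

```python
# Added example, not code from the thread or from sudo itself: a model of the
# sudoOrder resolution described in sudoers.ldap(5), plus an audit for pairs
# whose matching rules tie on sudoOrder. All data below is constructed.

USER_GROUPS = {"alice": {"admins"}, "bob": {"admins", "teamA"}}   # constructed
HOST_GROUPS = {"web1": {"hostgroupA"}, "db1": {"hostgroupB"}}       # constructed

# Constructed sudoRole-style entries. A missing sudoOrder counts as 0.
RULES = [
    {"cn": "all_hosts", "sudoUser": ["%admins"], "sudoHost": ["ALL"]},
    {"cn": "hostgroup_a", "sudoUser": ["%teamA"], "sudoHost": ["+hostgroupA"]},
    {"cn": "hostgroup_b", "sudoUser": ["%admins"], "sudoHost": ["+hostgroupB"],
     "sudoOrder": 10},
]

def _user_match(spec, user):
    # "%group" matches a group the user belongs to; otherwise a user name or ALL.
    if spec.startswith("%"):
        return spec[1:] in USER_GROUPS.get(user, set())
    return spec in ("ALL", user)

def _host_match(spec, host):
    # "+hostgroup" matches a host group the host belongs to; otherwise a host or ALL.
    if spec.startswith("+"):
        return spec[1:] in HOST_GROUPS.get(host, set())
    return spec in ("ALL", host)

def matching_rules(user, host, rules=RULES):
    """Rules applying to (user, host), highest sudoOrder first.
    Python's sort is stable, so tied entries keep their retrieval order."""
    hits = [r for r in rules
            if any(_user_match(u, user) for u in r["sudoUser"])
            and any(_host_match(h, host) for h in r["sudoHost"])]
    return sorted(hits, key=lambda r: r.get("sudoOrder", 0), reverse=True)

def winning_rule(user, host, rules=RULES):
    """The entry sudo picks: the highest-sudoOrder match, or None."""
    hits = matching_rules(user, host, rules)
    return hits[0]["cn"] if hits else None

def tied_rules(user, host, rules=RULES):
    """Audit: names of matching rules sharing the top sudoOrder value, i.e.
    cases where the winner depends only on the directory's return order."""
    hits = matching_rules(user, host, rules)
    top = hits[0].get("sudoOrder", 0) if hits else None
    tied = [r["cn"] for r in hits if r.get("sudoOrder", 0) == top]
    return tied if len(tied) > 1 else []
```

Running tied_rules over every (user, host) pair you care about is a quick way to list the rules that need an explicit sudoOrder before relying on "last match" semantics.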
On Fri, Dec 3, 2021 at 10:01 PM A Dam via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hi --
We have a number of sudo rules configured that conflict with each other
with no defined "Sudo Order" value. Notably, there is a rule that gives
some users sudo on all IPA hosts, a rule that gives a smaller subset of
users sudo on host group A, and a rule that gives a smaller subset of users
sudo on host group B. We are seeing inconsistent sudo behavior between host
groups A and B when a user is a member of the "sudo on all hosts" rule but
not the smaller subset of users for either of the two host groups -- the
user in the "sudo on all hosts" rule is able to sudo on hosts in hostgroup
A despite not being in the more narrowly defined sudo rule, but they are
not able to sudo on hosts in hostgroup B.
What is the expected order of precedence here? Is this a race condition or
is there some deterministic logic that is consistently applied to break the
tie between rules with undefined sudo order values? We do plan on assigning
order values to all rules to make this more explicit, but it would help to
understand what the expected behavior is here until we are able to
implement those changes. A pointer to the code where this is handled would
be helpful as well; I wasn't able to find it easily.
Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org