Hi,
maybe the man page sudoers.ldap(5) will help clarify:
     sudoOrder
           The sudoRole entries retrieved from the LDAP directory have no
           inherent order.  The sudoOrder attribute is an integer (or floating
           point value for LDAP servers that support it) that is used to sort
           the matching entries.  This allows LDAP-based sudoers entries to
           more closely mimic the behavior of the sudoers file, where the
           order of the entries influences the result.  If multiple entries
           match, the entry with the highest sudoOrder attribute is chosen.
           This corresponds to the “last match” behavior of the sudoers file.
           If the sudoOrder attribute is not present, a value of 0 is assumed.

           The sudoOrder attribute is only available in sudo versions 1.7.5
           and higher.

flo

On Fri, Dec 3, 2021 at 10:01 PM A Dam via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi --

We have a number of sudo rules configured that conflict with each other with no defined "Sudo Order" value. Notably, there is a rule that gives some users sudo on all IPA hosts, a rule that gives a smaller subset of users sudo on host group A, and a rule that gives a smaller subset of users sudo on host group B. We are seeing inconsistent sudo behavior between host groups A and B when a user is a member of the "sudo on all hosts" rule but not the smaller subset of users for either of the two host groups -- the user in the "sudo on all hosts" rule is able to sudo on hosts in hostgroup A despite not being in the more narrowly defined sudo rule, but they are not able to sudo on hosts in hostgroup B.

What is the expected order of precedence here? Is this a race condition or is there some deterministic logic that is consistently applied to break the tie between rules with undefined sudo order values? We do plan on assigning order values to all rules to make this more explicit, but it would help to understand what the expected behavior is here until we are able to implement those changes. A pointer to the code where this is handled would be helpful as well, I wasn't able to find it easily.

Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
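A model of the selection rule quoted from sudoers.ldap(5) above, as an added example that is not part of the thread nor code from sudo or FreeIPA: it collects the entries matching a user and host, sorts by sudoOrder with absent values counted as 0, and reports whether the winner is unique. The rule set, host groups and dict field names are constructed and simplified (not LDAP attribute syntax).

```python
# Added example: models sudoOrder selection per sudoers.ldap(5).
# Matching entries are sorted by sudoOrder (absent = 0); the highest wins,
# the "last match". Data below is constructed and mirrors the question:
# one broad rule plus narrower per-hostgroup rules, first without sudoOrder.

HOST_GROUPS = {"web1": {"hg_a"}, "db1": {"hg_b"}}  # constructed host -> groups

def rule_matches(rule, user, host):
    """True if the entry applies to this user on this host."""
    if rule["users"] != "ALL" and user not in rule["users"]:
        return False
    if rule["hosts"] == "ALL" or host in rule["hosts"]:
        return True
    return bool(rule.get("hostgroups", set()) & HOST_GROUPS.get(host, set()))

def select_rule(rules, user, host):
    """Return (winning entry, deterministic?).
    sorted() is stable, so among equal sudoOrder values the entry the
    directory returned last wins; the directory promises no order, so a
    tie at the top is what makes results differ from host to host."""
    matched = [r for r in rules if rule_matches(r, user, host)]
    if not matched:
        return None, True
    ranked = sorted(matched, key=lambda r: r.get("sudoOrder", 0))
    top = ranked[-1].get("sudoOrder", 0)
    ties = sum(1 for r in ranked if r.get("sudoOrder", 0) == top)
    return ranked[-1], ties == 1

def audit(rules, users, hosts):
    """List (user, host) pairs whose outcome depends on directory order."""
    return [(u, h) for u in users for h in hosts
            if not select_rule(rules, u, h)[1]]

# Constructed rules with no sudoOrder attribute at all.
UNORDERED = [
    {"cn": "sudo_all_hosts", "users": {"alice", "bob"}, "hosts": "ALL",
     "commands": "ALL"},
    {"cn": "sudo_hg_a", "users": {"alice"}, "hosts": set(),
     "hostgroups": {"hg_a"}, "commands": {"/usr/bin/systemctl"}},
    {"cn": "sudo_hg_b", "users": {"carol"}, "hosts": set(),
     "hostgroups": {"hg_b"}, "commands": {"/usr/bin/systemctl"}},
]

# Same rules with explicit sudoOrder: the narrow rules outrank the broad one.
ORDERED = [dict(r, sudoOrder=o) for r, o in zip(UNORDERED, (10, 20, 20))]

if __name__ == "__main__":
    who, where = ["alice", "bob", "carol"], ["web1", "db1"]
    print("ambiguous without sudoOrder:", audit(UNORDERED, who, where))
    print("ambiguous with sudoOrder:   ", audit(ORDERED, who, where))
```

Only alice on web1 matches two entries, so she is the only pair whose outcome is left to directory order until sudoOrder is set.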