They do have a gidNumber and have both posixGroup and groupofnames object classes.On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote:I have a group in ldap(I'm using 389DS) called "_all" which has a groupofnames object class. Members are stored with the uniquemember attrtibute. The users in the group are able to login fine via ssh using this setup. However, I can't seem to figure out how to get sudo(via ldap) to work with my needs. The problem seems to be that I am using uniquemember which my configuration is not interpreting. I can't use rfc2307 and fall back to posix groups(and memberUID) only as I rely heavily on the groupofnames's functionality, so I really need to keep that. How can I configure sssd to let me use sudo while having a groupofnames as an authoritative source?Do the groups have a gidNumber? I assume not, otherwise you'd probably create the groups with the posixGroup objectclass as well.
The rfc2307 vs rfc2307bis comes into play as the group members have different attributes in posix vs groupofnamesIn general, I don't think sudo allows this, because sudo calls getgrouplist(3) to see which groups the user belongs to and this call, being POSIX only returns POSIX groups. The schema (rfc2307 vs rfc2307bis) is not really relevant, what is relevant is that the groups must be visible on the OS level, e.g. with the id(1) call. I guess one way to go might be to create a POSIX group (sudo_allowed) and add the _all group as a member of this sudo_allowed group?
Here is my config: [domain/dingos] ldap_schema = rfc2307bis ldap_group_search_base = dc=dingos?sub? ldap_user_search_base = ou=people,dc=dingos ldap_uri = ldaps://ldap-server ldap_tls_cacertdir = /etc/openldap/cacerts sudo_provider = ldap ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos)) id_provider = ldap auth_provider = ldap chpass_provider = ldap cache_credentials = false access_provider = ldap debug_level = 0x3ff0 ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos entry_cache_timeout = 1 [sssd] config_file_version = 2 services = nss, pam, sudo domains = dingos _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org