On 11/14/2018 12:28 AM, Jakub Hrozek wrote:
On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote:
I have a group in ldap (I'm using 389DS) called "_all" which has a
groupofnames object class. Members are stored with the uniquemember
attribute. The users in the group are able to login fine via ssh using this
setup. However, I can't seem to figure out how to get sudo (via ldap) to work
with my needs.
The problem seems to be that I am using uniquemember which my configuration
is not interpreting. I can't use rfc2307 and fall back to posix groups (and
memberUID) only as I rely heavily on the groupofnames's functionality, so I
really need to keep that. How can I configure sssd to let me use sudo while
having a groupofnames as an authoritative source?
Do the groups have a gidNumber? I assume not, otherwise you'd probably
create the groups with the posixGroup objectclass as well.
They do have a gidNumber and have both posixGroup and groupofnames object classes.

In general, I don't think sudo allows this, because sudo calls
getgrouplist(3) to see which groups the user belongs to and this call,
being POSIX only returns POSIX groups.

The schema (rfc2307 vs rfc2307bis) is not really relevant, what is
relevant is that the groups must be visible on the OS level, e.g. with
the id(1) call. I guess one way to go might be to create a POSIX group
(sudo_allowed) and add the _all group as a member of this sudo_allowed
group?
The rfc2307 vs rfc2307bis comes into play as the group members have different attributes in posix vs groupofnames.

Example membership of group _all when populating with posixGroup attributes:
memberUid: bob

Example membership of group _all when populating with groupofnames attributes:
uniqueMember: uid=bob,dc=something

sssd will never seem to allow memberUid and uniqueMember to be searched as group membership.

Here is my config:

[domain/dingos]
ldap_schema = rfc2307bis
ldap_group_search_base = dc=dingos?sub?
ldap_user_search_base = ou=people,dc=dingos
ldap_uri = ldaps://ldap-server
ldap_tls_cacertdir = /etc/openldap/cacerts
sudo_provider = ldap
ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
cache_credentials = false
access_provider = ldap
debug_level = 0x3ff0
ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
entry_cache_timeout = 1

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = dingos
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
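Added diagnostic, not code from the thread or from the sssd project, for the two checks discussed above: whether a group is visible through getgrouplist(3) at all (the call sudo makes), and whether the membership attribute sssd reads for the configured ldap_schema matches the one the group entry actually carries. The schema-to-attribute table reproduces the documented defaults of the ldap_group_member option in sssd-ldap(5) (memberUid for rfc2307, member for rfc2307bis); the sample _all entry is constructed from the thread's description, and the DN suffix is an assumption.

```python
"""Why does sudo not see an LDAP group that ssh access already honours?

sudo calls getgrouplist(3), so a group only counts if NSS (here sssd)
returns it as a POSIX group with the user as a member.  Two things can
break that: the entry is not a POSIX group (no posixGroup/gidNumber), or
sssd is reading a different membership attribute than the one populated.
"""
import grp
import os
import pwd

# Default ldap_group_member per ldap_schema, as documented in sssd-ldap(5).
DEFAULT_GROUP_MEMBER_ATTR = {
    "rfc2307": "memberUid",
    "rfc2307bis": "member",
    "ipa": "member",
    "ad": "member",
}

# Constructed sample entry modelled on the thread: both objectclasses, a
# gidNumber, and members stored only in uniqueMember.  DN suffix assumed.
SAMPLE_ALL_GROUP = {
    "dn": "cn=_all,ou=hosts,ou=roles,dc=dingos",
    "objectClass": ["top", "groupOfNames", "posixGroup"],
    "cn": ["_all"],
    "gidNumber": ["5000"],
    "uniqueMember": ["uid=bob,ou=people,dc=dingos"],
}


def membership_attribute(ldap_schema, ldap_group_member=None):
    """Attribute sssd reads: an explicit ldap_group_member overrides the schema default."""
    if ldap_group_member:
        return ldap_group_member
    return DEFAULT_GROUP_MEMBER_ATTR[ldap_schema.lower()]


def populated_member_attributes(entry):
    """Membership attributes present and non-empty on an entry (LDAP names are case-insensitive)."""
    present = {k.lower(): k for k in entry}
    return [a for a in ("memberUid", "member", "uniqueMember")
            if a.lower() in present and entry[present[a.lower()]]]


def diagnose_group(entry, ldap_schema, ldap_group_member=None):
    """Compare what sssd would read with what the entry has; suggest the config fix if they differ."""
    classes = [c.lower() for c in entry.get("objectClass", [])]
    is_posix = "posixgroup" in classes and bool(entry.get("gidNumber"))
    reads = membership_attribute(ldap_schema, ldap_group_member)
    has = populated_member_attributes(entry)
    visible = is_posix and reads.lower() in [a.lower() for a in has]
    result = {"posix_group": is_posix, "sssd_reads": reads,
              "entry_has": has, "members_visible": visible, "fix": None}
    if not is_posix:
        result["fix"] = "add posixGroup objectclass and a gidNumber"
    elif not visible and has:
        result["fix"] = "ldap_group_member = %s" % has[0]
    return result


def user_posix_groups(username):
    """Group names getgrouplist(3) returns for username through NSS, i.e. what sudo sees."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:          # gid with no resolvable name: report it numerically
            names.append(str(gid))
    return names


def sudo_would_see(username, groupname):
    """True only if the group reaches sudo via getgrouplist(3), same as 'id -nG user'."""
    return groupname in user_posix_groups(username)


if __name__ == "__main__":
    print(diagnose_group(SAMPLE_ALL_GROUP, "rfc2307bis"))
    print(diagnose_group(SAMPLE_ALL_GROUP, "rfc2307bis", ldap_group_member="uniqueMember"))
    print(diagnose_group(SAMPLE_ALL_GROUP, "rfc2307"))
    print("root sees:", user_posix_groups("root"))
```

With the thread's config (ldap_schema = rfc2307bis, no ldap_group_member) the sample entry reports members_visible False and suggests ldap_group_member = uniqueMember; with rfc2307 it points at memberUid instead. Run user_posix_groups against a real account on the sssd host to confirm the group finally appears (the same information as id -nG user), since that is the view sudo works from regardless of what the LDAP entry looks like. One caveat on the schema side: uniqueMember is the member attribute of groupOfUniqueNames, while groupOfNames carries member, so whichever your directory actually enforces is the value to put in ldap_group_member.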