On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote:
> I have a group in ldap (I'm using 389DS) called "_all" which has a
> groupofnames object class. Members are stored with the uniquemember
> attribute. The users in the group are able to login fine via ssh using this
> setup. However, I can't seem to figure out how to get sudo (via ldap) to work
> with my needs.
>
> The problem seems to be that I am using uniquemember which my configuration
> is not interpreting. I can't use rfc2307 and fall back to posix groups (and
> memberUID) only as I rely heavily on the groupofnames's functionality, so I
> really need to keep that. How can I configure sssd to let me use sudo while
> having a groupofnames as an authoritative source?
Do the groups have a gidNumber? I assume not, otherwise you'd probably
create the groups with the posixGroup objectclass as well.

In general, I don't think sudo allows this, because sudo calls
getgrouplist(3) to see which groups the user belongs to and this call,
being POSIX, only returns POSIX groups.

The schema (rfc2307 vs rfc2307bis) is not really relevant; what is
relevant is that the groups must be visible on the OS level, e.g. with
the id(1) call. I guess one way to go might be to create a POSIX group
(sudo_allowed) and add the _all group as a member of this sudo_allowed
> Here is my config:
> ldap_schema = rfc2307bis
> ldap_group_search_base = dc=dingos?sub?
> ldap_user_search_base = ou=people,dc=dingos
> ldap_uri = ldaps://ldap-server
> ldap_tls_cacertdir = /etc/openldap/cacerts
> sudo_provider = ldap
> ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> cache_credentials = false
> access_provider = ldap
> debug_level = 0x3ff0
> ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
> entry_cache_timeout = 1
> config_file_version = 2
> services = nss, pam, sudo
> domains = dingos
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
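The reply above hinges on one point: sudo decides group membership with getgrouplist(3), so a group only counts if the OS can resolve it (the same view id(1) gives). The program below is an added example, not code from this thread or from sssd or sudo; it performs that exact lookup for a user and reports whether a named group is among the results, which is the check to run on an sssd client before wondering why a sudoRole for %sudo_allowed does not match. It only uses the libc calls named in the reply (getgrouplist, getpwnam, getgrnam); the user and group names are command-line arguments, and "sudo_allowed" is assumed only as the default name to test for.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Collect the gids that getgrouplist(3) reports for `user`, exactly as
 * sudo(8) sees them. Returns the count, or -1 if the user is unknown or on
 * allocation failure. The caller frees *out on success. */
static int posix_groups_of(const char *user, gid_t **out)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;

    int cap = 16;
    gid_t *groups = malloc(sizeof(gid_t) * cap);
    if (groups == NULL)
        return -1;

    for (;;) {
        int n = cap;
        /* On success n holds the number of groups stored (primary gid
         * included). On -1 the buffer was too small and n holds the size
         * needed; grow and retry (doubling guards against a libc that does
         * not update n). */
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1) {
            *out = groups;
            return n;
        }
        cap = n > cap ? n : cap * 2;
        gid_t *bigger = realloc(groups, sizeof(gid_t) * cap);
        if (bigger == NULL) {
            free(groups);
            return -1;
        }
        groups = bigger;
    }
}

/* 1 if `user` is a member of the POSIX group with id `gid` according to
 * getgrouplist(3), 0 if not, -1 if the user cannot be resolved. */
int user_has_gid(const char *user, gid_t gid)
{
    gid_t *groups;
    int n = posix_groups_of(user, &groups);
    if (n < 0)
        return -1;

    int found = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == gid) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

/* Same check by group name, which is what a sudoers rule such as
 * %sudo_allowed relies on. Returns 0 when the name itself does not resolve
 * to a POSIX group (e.g. an LDAP groupOfNames with no gidNumber), because
 * sudo cannot match on such a group either; -1 if the user is unknown. */
int user_in_posix_group(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return 0;
    return user_has_gid(user, gr->gr_gid);
}

/* Usage: ./groupcheck USER [GROUP]   (GROUP defaults to the assumed name
 * "sudo_allowed"). Prints the OS-visible group list like `id -G` and then
 * the verdict for GROUP. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s USER [GROUP]\n", argv[0]);
        return 2;
    }
    const char *user = argv[1];
    const char *group = argc > 2 ? argv[2] : "sudo_allowed";

    gid_t *groups;
    int n = posix_groups_of(user, &groups);
    if (n < 0) {
        fprintf(stderr, "%s: unknown user\n", user);
        return 1;
    }
    printf("getgrouplist(3) for %s:", user);
    for (int i = 0; i < n; i++) {
        struct group *gr = getgrgid(groups[i]);
        printf(" %s(%lu)", gr ? gr->gr_name : "?", (unsigned long)groups[i]);
    }
    printf("\n");
    free(groups);

    int r = user_in_posix_group(user, group);
    printf("%s %s POSIX group %s\n", user,
           r == 1 ? "IS in" : "is NOT in", group);
    return r == 1 ? 0 : 1;
}
```

If the program reports the user is not in the group even though the LDAP entry lists them, the group is not reaching the NSS layer (no gidNumber, or nesting that sssd is not resolving), and no sudoRole keyed on that group name will match. The result is compared against `id -G USER` on the same host; both go through the same NSS path, so they should agree.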