Thanks again for the explanation.
Al Licause
HP L2 UNIX Network Services
HP Customer Support Center
Hours 7am-3pm Pacific time USA
Manager: tom.cernilli(a)hp.com
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Michael Ströder
Sent: Saturday, July 27, 2013 7:52 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4
Dmitri Pal wrote:
> On 07/25/2013 01:15 PM, Michael Ströder wrote:
>> Jakub Hrozek wrote:
>>> On Thu, Jul 25, 2013 at 03:22:20PM +0000, Licause, Al (CSC AMS BCS -
>>> UNIX/Linux Network Support) wrote:
>>>> Thanks very much. I'm not sure what AFAIR is but I got this
>>>> working in RHEL V6.3 by re-enabling
>>>> sssd for authentication and then using /etc/sudo-ldap.conf for the
>>>> sudo component.
>>>
>>> That's fine, using sssd for authentication and identity information
>>> while using sudo's built-in LDAP support is a perfectly supportable
>>> configuration.
>>
>> Hmm, direct sudo-ldap does no caching of sudoRole entries. So if
>> your LDAP server is not available/reachable you're lost fixing the
>> issues...
> I think what Michael meant is:
> Since you are using 6.3 you are using the configuration that does not
> leverage SSSD integration for sudo and connects directly to LDAP
> source for sudo rules. In this case there is no caching of the sudo
> rules and if you lose connectivity sudo will failover to local
> sudoers file. In case of 6.4 the SSSD integration is possible and SSSD
> would fetch sudo rules and store them so that sudo acts consistently
> whether there is connectivity to the central server or not.
Exactly.
> So the point that Michael might have had (guessing here) is that it
> might be better to upgrade to 6.4 to leverage SSSD integration and
> caching than to use 6.3 without caching.
I did not want to make a statement about whether upgrading the distribution is better or
not since there are more things to consider.
I just wanted to point out the main difference between having 'sudoers ldap'
or 'sudoers sss' in /etc/nsswitch.conf no matter which sudo config file is used to
specify the sudo-ldap options. While it feels the same in case everything's working it
can make a difference during an emergency case.
Ciao, Michael.
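As an added example (not part of the thread, and not code from the SSSD project), a small shell check that classifies a host the way Michael describes: whether the `sudoers` line in /etc/nsswitch.conf sends sudo to its own LDAP client (`ldap`, no rule cache) or to SSSD (`sss`, rules fetched and stored for use when the LDAP server is unreachable). The sample file contents are constructed stand-ins for /etc/nsswitch.conf and /etc/sssd/sssd.conf; the check assumes the SSSD sudo responder is enabled by listing `sudo` in the `services` line of the `[sssd]` section.

```shell
#!/bin/sh
# Added example: report whether sudo rules on this host are cached by SSSD.

# Constructed sample files (stand-ins for /etc/nsswitch.conf and /etc/sssd/sssd.conf).
NSSWITCH_DIRECT='passwd:     files sss
sudoers:    files ldap'
NSSWITCH_SSSD='passwd:     files sss
sudoers:    files sss'
SSSD_CONF='[sssd]
services = nss, pam, sudo
domains = example

[domain/example]
id_provider = ldap
sudo_provider = ldap'

# Print the source list configured for the sudoers database, e.g. "files sss".
sudoers_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' | sed 's/[[:space:]]*#.*//'
}

# Print "yes" when the [sssd] services line starts the sudo responder
# (the component that fills the sudo rule cache), otherwise "no".
sssd_sudo_responder() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*services[[:space:]]*=([^#]*[ ,])?sudo([ ,]|$)'; then
        echo yes
    else
        echo no
    fi
}

# "cached" only when sudo asks SSSD (sss) and the responder is running;
# "uncached" when sudo talks to LDAP itself (sudo-ldap) or the responder is off.
sudo_rule_mode() {
    case " $(sudoers_sources "$1") " in
        *" sss "*)
            if [ "$(sssd_sudo_responder "$2")" = yes ]; then echo cached; else echo uncached; fi ;;
        *) echo uncached ;;
    esac
}

sudo_rule_mode "$NSSWITCH_DIRECT" "$SSSD_CONF"   # uncached: sudo-ldap, no local copy of sudoRole entries
sudo_rule_mode "$NSSWITCH_SSSD" "$SSSD_CONF"     # cached: SSSD fetches and stores the rules
```

On a real host, replace the constructed strings with `$(cat /etc/nsswitch.conf)` and `$(cat /etc/sssd/sssd.conf)`; an `uncached` result means sudo will fall back to the local sudoers file if the LDAP server becomes unreachable.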