On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal <vadud3(a)gmail.com> wrote:
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <dancorrigan1(a)gmail.com> wrote:
> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> rules must follow a proper schema in order to be valid.
>
I suppose I will just use local/proxy->local with sudo since IT won't add a
sudo schema.
Appreciate the pointer!
I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
works perfectly.
So it looks like sudo login with an LDAP password works with pam_ldap.so and
nslcd, but sssd needs an LDAP sudo schema.
So if one does not have access to the LDAP server, pam_ldap + nslcd is the
only way to go, since sssd won't work there.
Did I evaluate it right, or is there a workaround for sssd to work as
well?
Thanks
>
>
> On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal <vadud3(a)gmail.com> wrote:
>
>>
>>
>> On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <john(a)redux.org.uk> wrote:
>>
>>> On 13 October 2017 at 19:28, Asif Iqbal wrote:
>>> > Hi All
>>> >
>>> > I have this in sssd.conf
>>> >
>>> > [sudo]
>>> > debug_level = 0x3ff0
>>> >
>>> > [domain/LDAP]
>>> > debug_level = 0x02F0
>>> > ...
>>> > sudo_provider = ldap
>>> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
>>> > ldap_sudorule_object_class = mnetperson
>>> >
>>> > user can login OK with ldap, but sudo is failing
>>> >
>>> > I see it is doing an ldapsearch like this in the sssd_sudo.log
>>> >
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
>>> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
>>> >
>>> > It would have worked if the search were like this
>>> >
>>> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
>>> >
>>> > How do I change the config to search like above?
>>>
>>> The search it's doing is to retrieve sudo rule objects from the
>>> directory, as defined in e.g.
>>>
>>> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>>>
>>> Each LDAP object is equivalent to a line in a sudoers file.
>>>
>>
>> I do not manage the LDAP server, IT does, and ldapsearch shows there is no
>> sudoRole or any sudo* objectClass.
>>
>> So that means I cannot use sudo for SSSD?
>>
>>
>>
>>> Cheers,
>>>
>>> John
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>>
>>
>>
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>>
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
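An added illustration (not from the thread or from the sssd project) of the search quoted above: it rebuilds the sudoUser filter that sssd's sudo responder logs and evaluates it against constructed directory entries, showing why pointing ldap_sudorule_object_class at a person class such as mnetperson yields 0 rules while a real sudoRole object matches. The entry DNs, the wheel group and the uidNumber are made up for the example.

```python
from fnmatch import fnmatchcase

# Constructed entries (not real directory data): one person of the site's
# custom objectClass, which carries no sudo attributes, and one proper
# sudoRole object as defined by the sudoers LDAP schema.
ENTRIES = [
    {"dn": "uid=iqbala,ou=People,dc=example,dc=com",
     "objectClass": ["inetOrgPerson", "mnetperson"],
     "uid": ["iqbala"], "uidNumber": ["408462"]},
    {"dn": "cn=wheel-ops,ou=SUDOers,dc=example,dc=com",
     "objectClass": ["top", "sudoRole"],
     "sudoUser": ["%wheel"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
]

def sudo_user_terms(user, uid, groups):
    """The sudoUser alternatives from the sssd_sudo.log search: ALL, the
    user name, #uid, %group for each group, and any netgroup (+*)."""
    return ["ALL", user, f"#{uid}"] + [f"%{g}" for g in groups] + ["+*"]

def sudo_rule_filter(object_class, user, uid, groups):
    """Render the filter string the way sssd prints it in the log.
    (In the sysdb cache the class is sudoRule; in LDAP the schema's
    default, and sssd's default ldap_sudorule_object_class, is sudoRole.)"""
    alts = "".join(f"(sudoUser={t})" for t in sudo_user_terms(user, uid, groups))
    return f"(&(objectClass={object_class})(|{alts}))"

def find_sudo_rules(entries, object_class, user, uid, groups):
    """Evaluate that filter over in-memory entries and return matching DNs.
    The objectClass test alone is never enough: an entry only matches if
    it carries a sudoUser value, which person objects do not have."""
    terms = sudo_user_terms(user, uid, groups)
    hits = []
    for e in entries:
        if object_class not in e.get("objectClass", []):
            continue
        # fnmatchcase gives the trailing-wildcard behaviour of (sudoUser=+*)
        if any(fnmatchcase(v, t) for v in e.get("sudoUser", []) for t in terms):
            hits.append(e["dn"])
    return hits

if __name__ == "__main__":
    print(sudo_rule_filter("sudoRule", "iqbala", "408462", ["iqbala"]))
    # person class: 0 rules, exactly as the log shows
    print(find_sudo_rules(ENTRIES, "mnetperson", "iqbala", "408462", ["iqbala"]))
    # real sudoRole object, user in the wheel group: 1 rule
    print(find_sudo_rules(ENTRIES, "sudoRole", "iqbala", "408462", ["iqbala", "wheel"]))
```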