I have a group in ldap (I'm using 389DS) called "_all" which has a
groupofnames object class. Members are stored with the uniquemember
attribute. The users in the group are able to log in fine via ssh using
this setup. However, I can't seem to figure out how to get sudo (via
ldap) to work with my needs.
The problem seems to be that I am using uniquemember, which my
configuration is not interpreting. I can't use rfc2307 and fall back to
posix groups (and memberUID) only, as I rely heavily on the groupofnames's
functionality, so I really need to keep that. How can I configure sssd
to let me use sudo while having a groupofnames as an authoritative source?
Here is my config:
[domain/dingos]
ldap_schema = rfc2307bis
ldap_group_search_base = dc=dingos?sub?
ldap_user_search_base = ou=people,dc=dingos
ldap_uri = ldaps://ldap-server
ldap_tls_cacertdir = /etc/openldap/cacerts
sudo_provider = ldap
ldap_access_filter = (|(memberof=cn=_all,ou=hosts,ou=roles,dc=dingos))
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
cache_credentials = false
access_provider = ldap
debug_level = 0x3ff0
ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
entry_cache_timeout = 1
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = dingos
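As an added example (not part of the question above), a small check of whether the membership attribute sssd will parse for a domain matches the one the directory actually stores members in. It assumes the ldap_group_member option and its per-schema defaults as documented in sssd-ldap(5) (memberUid for rfc2307, member for rfc2307bis); the sample configuration is constructed from the section posted above.

```python
"""Compare sssd's effective group-member attribute with the directory's."""
import configparser

# Constructed sample: the relevant keys from the poster's [domain/dingos].
SAMPLE_CONF = """\
[domain/dingos]
ldap_schema = rfc2307bis
ldap_group_search_base = dc=dingos?sub?
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,ou=roles,dc=dingos
"""

# sssd's default for ldap_group_member, keyed by ldap_schema (sssd-ldap(5)).
DEFAULT_GROUP_MEMBER = {"rfc2307": "memberUid", "rfc2307bis": "member"}


def parse_sssd_conf(text):
    """Parse sssd.conf text (interpolation off: values may contain '%')."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def effective_group_member(conf, domain):
    """Attribute sssd reads group members from: explicit ldap_group_member,
    otherwise the default for the configured ldap_schema (rfc2307 if unset)."""
    section = conf[f"domain/{domain}"]
    explicit = section.get("ldap_group_member")
    if explicit:
        return explicit.strip()
    schema = section.get("ldap_schema", "rfc2307").strip()
    return DEFAULT_GROUP_MEMBER.get(schema, "member")


def check_membership_attr(conf, domain, directory_member_attr):
    """Return (ok, effective_attr, fix). LDAP attribute names are
    case-insensitive; fix is the sssd.conf line that would align the two,
    or None when sssd already parses the attribute the directory uses."""
    effective = effective_group_member(conf, domain)
    if effective.lower() == directory_member_attr.lower():
        return True, effective, None
    return False, effective, f"ldap_group_member = {directory_member_attr}"


if __name__ == "__main__":
    # The poster's groups keep their members in uniqueMember.
    print(check_membership_attr(parse_sssd_conf(SAMPLE_CONF), "dingos", "uniqueMember"))
```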