I'm wondering if you have even extended your LDAP schema for sudo. Sudo
rules must follow a proper schema in order to be valid.
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal <vadud3(a)gmail.com> wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek <john(a)redux.org.uk> wrote:
> On 13 October 2017 at 19:28, Asif Iqbal wrote:
> > Hi All
> >
> > I have this in sssd.conf
> >
> > [sudo]
> > debug_level = 0x3ff0
> >
> > [domain/LDAP]
> > debug_level = 0x02F0
> > ...
> > sudo_provider = ldap
> > ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com
> > ldap_sudorule_object_class = mnetperson
> >
> > User can log in OK with LDAP, but sudo is failing
> >
> > I see that it is doing an ldapsearch like this in sssd_sudo.log
> >
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
> > (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
> >
> > It would have worked if search were like this
> >
> > (&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
> >
> > How do I change the config to search like above?
>
> The search it's doing is to retrieve sudo rule objects from the
> directory, as defined in e.g.
>
> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
>
> Each LDAP object is equivalent to a line in a sudoers file.
>
I do not manage the LDAP server, IT does, and ldapsearch shows there is no
sudoRole or any sudo* objectClass.
So that means I cannot use sudo for SSSD?
> Cheers,
>
> John
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
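Added example, not part of this thread or of the sssd project: a small Python model of what the sudo responder is doing in the log above. It builds the same sysdb filter, applies it to a constructed LDIF (the dc=example,dc=com base, ou=SUDOers, the users alice/bob/carol and the netgroup "ops" are all made up for the example), and renders each matching sudoRole entry as the sudoers line it stands for. The bob entry is shaped like the mnetperson objects in the post: it carries a sudoUser attribute but not the sudoRole objectClass, so it can never be returned as a rule.

```python
"""Model of the sssd sudo responder's rule lookup against sudoRole entries.

Added example (not sssd code). The LDIF, base DN, users and netgroup are constructed.
Assumption shown by the log in the thread: sssd stores fetched rules in its cache
under objectClass=sudoRule and selects them by sudoUser values for the caller.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed LDIF in the sudoers.ldap schema, plus one entry that is not a sudoRole.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate

dn: cn=admins-systemctl,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins-systemctl
sudoUser: %admins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/systemctl

dn: cn=iqbala-all,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: iqbala-all
sudoUser: iqbala
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=ops-netgroup,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops-netgroup
sudoUser: +ops
sudoHost: ALL
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /usr/sbin/reboot

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: mnetperson
uid: bob
sudoUser: bob
sudoCommand: ALL
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: one dict of attr -> [values] per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


@dataclass
class SudoUser:
    name: str
    uid: int
    groups: list[str]
    netgroups: list[str] = field(default_factory=list)


def sudouser_terms(user: SudoUser) -> list[str]:
    """sudoUser values that identify this caller: ALL, login name, #uid, %group per group."""
    return ["ALL", user.name, f"#{user.uid}"] + [f"%{g}" for g in user.groups]


def sysdb_filter(user: SudoUser) -> str:
    """Filter string in the shape seen in sssd_sudo.log; +* pulls netgroup rules for later checking."""
    terms = "".join(f"(sudoUser={t})" for t in sudouser_terms(user) + ["+*"])
    return f"(&(objectClass=sudoRule)(|{terms}))"


def defaults_entries(entries) -> list[dict]:
    """The cn=defaults sudoRole entry, which sudo/sssd fetch separately from user rules."""
    return [e for e in entries if "sudoRole" in e.get("objectClass", []) and e.get("cn") == ["defaults"]]


def matching_rules(entries, user: SudoUser) -> list[dict]:
    """Apply the filter above, then the client-side netgroup check for +netgroup values."""
    terms = set(sudouser_terms(user))
    out = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue  # not a sudo rule object at all, whatever other attributes it carries
        for su in e.get("sudoUser", []):
            if su in terms or (su.startswith("+") and su[1:] in user.netgroups):
                out.append(e)
                break
    return out


def to_sudoers_line(entry: dict) -> str:
    """Render one sudoRole entry as the equivalent sudoers line."""
    opts = entry.get("sudoOption", [])
    if entry.get("cn") == ["defaults"]:
        return "Defaults " + ", ".join(opts)
    users = ", ".join(entry.get("sudoUser", []))
    hosts = ", ".join(entry.get("sudoHost", ["ALL"]))
    runas = ", ".join(entry.get("sudoRunAsUser", ["root"]))
    tag = "NOPASSWD: " if "!authenticate" in opts else ""
    return f"{users} {hosts}=({runas}) {tag}{', '.join(entry.get('sudoCommand', []))}"


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    for u in (SudoUser("iqbala", 408462, ["iqbala"]), SudoUser("bob", 1002, ["bob"])):
        print(sysdb_filter(u))
        print(f"  {len(matching_rules(rules, u))} rule(s) for {u.name}")
```

Running it shows the filter from the log reproduced for iqbala and one matching rule, while bob, whose entry lacks objectClass sudoRole, gets zero rules even though his entry has a sudoUser attribute. That is the situation the thread describes: without sudoRole objects in the directory, changing ldap_sudorule_object_class does not produce rules, because the objects still carry no sudo rule attributes that sssd can map onto sudoers lines.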