On 19 Jan 2018, at 15:03, Johannes-Ulrich Menzebach
We're currently evaluating moving our CentOS6 Linux workstations and servers from
OpenLDAP to AD, but would like to avoid the AD schema customization needed to put sudo
rules and autofs mappings there.
So we thought about keeping sudo and autofs info on the OpenLDAP infrastructure, while
authenticating against AD.
The latter works very nicely using "id_provider=ad".
Regarding sudo and autofs info, in sssd.conf I have set up a 2nd domain with
id_provider=ldap and auth_provider=none, referring to the old OpenLDAP server.
Indeed I've got autofs working this way (mapping NFS home directories).
sudo however does not work. It seems sssd_sudo only searches in the cache file containing
info of the AD domain (which has no sudo info).
The OpenLDAP domain ( it's ldb cache file actually carries the sudo rules as per
ldbsearch output) is apparently ignored - seems like the function
sudosrv_get_sudorules_from_cache() just looks into the AD domain's cache ( where the
account info of the current user stems from)
Is my "split" approach totally flawed? Is there a way to make it work without
patching the sssd_sudo sources to iterate over all domain caches ?
I’m afraid it is expected that this setup doesn’t work, because one of the design
decisions about the SSSD domains was that data should not overflow from one domain to
another. So a user can only leverage sudo rules from their own domain.
I haven’t tried this at all, but as long as the id_provider and auth_provider are using
ad, could you just add sudo_provider=ldap and then your sudo OpenLDAP server with as value
of ldap_uri? Since two providers of two different types also don’t share data, it might
An alternative is always to use the built-in sudo LDAP support..
I can provide sssd.conf and log files. Just wanted to hear first
about whether the approach should work at all and possible alternatives ...
Many thanks for comments/hints/proposals,
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org