We're currently evaluating moving our CentOS6 Linux workstations and
servers from OpenLDAP to AD, but would like to avoid the AD schema
customization needed to put sudo rules and autofs mappings there.
So we thought about keeping sudo and autofs info on the OpenLDAP
infrastructure, while authenticating against AD.
The latter works very nicely using "id_provider=ad".
Regarding sudo and autofs info, in sssd.conf I have set up a 2nd domain
with id_provider=ldap and auth_provider=none, referring to the old
OpenLDAP server.
Indeed I've got autofs working this way (mapping NFS home directories).
sudo however does not work. It seems sssd_sudo only searches in the
cache file containing info of the AD domain (which has no sudo info).
The OpenLDAP domain (its ldb cache file actually carries the sudo
rules as per ldbsearch output) is apparently ignored - seems like the
function sudosrv_get_sudorules_from_cache() just looks into the AD
domain's cache (where the account info of the current user stems from).
Is my "split" approach totally flawed? Is there a way to make it work
without patching the sssd_sudo sources to iterate over all domain caches?
I can provide sssd.conf and log files. Just wanted to hear first about
whether the approach should work at all and possible alternatives ...
Many thanks for comments/hints/proposals,
Uli
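Added example (not the poster's own sssd.conf) of the two-domain "split" layout described in the post: identity and authentication from AD, sudo rules and autofs maps from the existing OpenLDAP server. Domain names, host names and search bases are assumed placeholders.

```ini
# Illustration of the split layout; assumed names, not the poster's config.
[sssd]
config_file_version = 2
services = nss, pam, sudo, autofs
domains = ad.example.com, legacy-ldap

# Users, groups and passwords come from AD.
[domain/ad.example.com]
id_provider = ad
auth_provider = ad
# Keep AD out of sudo/autofs lookups so no schema extension is needed there.
sudo_provider = none
autofs_provider = none

# Helper domain that only serves sudo rules and autofs maps from OpenLDAP;
# nobody authenticates against it.
[domain/legacy-ldap]
id_provider = ldap
auth_provider = none
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
autofs_provider = ldap
ldap_autofs_search_base = ou=automount,dc=example,dc=com
```

With this layout the behaviour the post describes is expected: the sudo responder first resolves the requesting user, which places it in the AD domain, and then reads rules only from that domain's cache, so the rules cached under legacy-ldap are never consulted.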