9:21 a.m.
Hi,
the sssd's code that fetches sudo rules from the IPA server got an
overhaul recently. The search would no longer be performed against the
compat tree, but against IPA's native LDAP tree. This would have the
advantage that environments that don't use the slapi-nis' compat tree
for another reason (like old or non-Linux clients) would no longer
require slapi-nis to be running at all.
We'd like to get some tests for this new code! If you're running Fedora ,
you can just upgrade to the packages from Fedora's update testing. If
you're running RHEL-6.7 and would like to see what is cooking for 6.8,
you can try this repository:
https://copr.fedorainfracloud.org/coprs/jhrozek/SSSD-6.8-preview/
RHEL-7 wouldn't receive this code until 7.3, so we don't have test
packages for el7 yet..
11:40 a.m.
New subject: [Freeipa-users] heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6
On (27/01/16 16:21), Jakub Hrozek wrote:
Hi,
the sssd's code that fetches sudo rules from the IPA server got an
overhaul recently. The search would no longer be performed against the
compat tree, but against IPA's native LDAP tree. This would have the
advantage that environments that don't use the slapi-nis' compat tree
for another reason (like old or non-Linux clients) would no longer
require slapi-nis to be running at all.
We'd like to get some tests for this new code! If you're running Fedora ,
you can just upgrade to the packages from Fedora's update testing. If
you're running RHEL-6.7 and would like to see what is cooking for 6.8,
you can try this repository:
https://copr.fedorainfracloud.org/coprs/jhrozek/SSSD-6.8-preview/
RHEL-7 wouldn't receive this code until 7.3, so we don't have test
packages for el7 yet..
Actually, there are packages suitable for testing on rhel7.2
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
It's backported version from fedora 23.
LS
2:58 p.m.
New subject: heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6
Jakub Hrozek wrote:
the sssd's code that fetches sudo rules from the IPA server got
an
overhaul recently. The search would no longer be performed against the
compat tree, but against IPA's native LDAP tree. This would have the
advantage that environments that don't use the slapi-nis' compat tree
for another reason (like old or non-Linux clients) would no longer
require slapi-nis to be running at all.
Frankly I don't understand this text. Especially I don't know what the terms
"compat tree" and "IPA's native LDAP tree" really mean.
Does this only affect the IPA provider?
Ciao, Michael.
--
Michael Ströder
E-Mail: michael(a)stroeder.com
http://www.stroeder.com
2:23 a.m.
New subject: heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6
On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote:
Jakub Hrozek wrote:
> the sssd's code that fetches sudo rules from the IPA server got an
> overhaul recently. The search would no longer be performed against the
> compat tree, but against IPA's native LDAP tree. This would have the
> advantage that environments that don't use the slapi-nis' compat tree
> for another reason (like old or non-Linux clients) would no longer
> require slapi-nis to be running at all.
Frankly I don't understand this text. Especially I don't know what the terms
"compat tree" and "IPA's native LDAP tree" really mean.
I'm sorry, I will try to rephrase.
If you add sudo rules to an IPA server using the "ipa sudorule"
commands, the LDAP objects are added to cn=sudorules,cn=sudo,$DC tree in
using a schema that is specific to IPA. The rule might look like this
one on my test server:
dn:
ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
memberallowcmd:
ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation
However, the client side (both the LDAP connector that is built-in to
sudo itself and the SSSD) only understood the schema as defined by
http://linux.die.net/man/5/sudoers.ldap
Therefore, there is a another subtree on the IPA server, rooted at
ou=sudoers,$DC. This subtree is often called the 'compat' tree, because
in was built with non-SSSD clients in mind. The objects are put into the
compat tree by the slapi-nis Directory Server plugin. The rule above would
be converted to:
dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test
sudoUser: jsmith
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/less
cn: readfiles
However, this auto-generation does not come for free and in some
environments, the slapi-nis plugin was causing substantial load on the
server side. So we added code to the sssd's ipa_provider to handle the
objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin
can be disabled.
The functionality of the ipa's sudo_provider should stay the same, it's
just that it's now able to process a different schema and this change
allows the admin to disable the slapi-nis plugin (unless they need
another piece of its functionality, which is translating the user and
group objects into rfc2307 schema for legacy clients..)
Does this only affect the IPA provider?
Yes.
3000
days inactive
3005
days old
sssd-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Jakub Hrozek -
Lukas Slebodnik -
Michael Ströder