On Wed, Aug 03, 2016 at 07:09:01PM +0530, Jagannath Naidu wrote:
Thank you for quick response
On Wed, Aug 3, 2016 at 4:57 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Wed, Aug 03, 2016 at 04:20:59PM +0530, Jagannath Naidu wrote:
> > Hi List,
> >
> > I am able to do the following
> >
> > Environment:
> > Windows 2012 AD
> > CentOS 6
> >
> > 1. Authenticate users based on group
> > 2. Users are able to sudo
> >
> > My Question:
> >
> > Suppose I want to create multiple sudo groups, say two sudo groups.
> >
> > 1. One group has access to use commands fdisk, chmod
> > 2. Another group has access to use the su command
> >
> >
> > Is it possible to differentiate users to restrict sudo access?
>
> Restrict how?
>
Say
one group can use basic admin user commands like fdisk, chmod, chown
and one group can use super admin user commands like su, bash
Well, then does it help to put different users into different groups?
In sssd.conf we add following
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=in
But is it not serving for multiple sudo groups
Say we have two groups in AD
cn=basic-admin,ou=sudoers,dc=test,dc=in
cn=super-admin,ou=sudoers,dc=test,dc=in
If the users are in both groups, they should have the superset of the
rules.
(Please note a user must log out for their group membership to change)
Note: Users are able to ssh to the system because in sssd.conf I have
ldap_access_order = filter
ldap_access_filter = (&(objectClass=user)(memberOf=CN=Allowed,DC=test,DC=in))
> > Please help
> > me here to resolve this issue.
>
> Users in one group would be able to call fdisk and chmod, users in another
> group would be able to call su. Users in both would be able to call
> both.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
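
The two-tier split discussed in this thread, written as sudoRole entries under the ldap_sudo_search_base from the message (an added example, not part of the original posts). The rule names and command paths are assumptions, and the sudo LDAP schema (objectClass sudoRole) is assumed to be loaded in the directory.

```ldif
# Constructed example entries; the base DN and group names come from the thread.
# Assumption: basic-admin and super-admin resolve as groups on the client,
# so they can be referenced with the %group form in sudoUser.

# Tier 1: members of basic-admin may run only the listed commands.
dn: cn=basic-admin-rule,ou=sudoers,dc=test,dc=in
objectClass: top
objectClass: sudoRole
cn: basic-admin-rule
sudoUser: %basic-admin
sudoHost: ALL
# Command paths are assumed (CentOS 6 locations); use full paths, not names.
sudoCommand: /sbin/fdisk
sudoCommand: /bin/chmod
sudoCommand: /bin/chown

# Tier 2: members of super-admin may run su.
dn: cn=super-admin-rule,ou=sudoers,dc=test,dc=in
objectClass: top
objectClass: sudoRole
cn: super-admin-rule
sudoUser: %super-admin
sudoHost: ALL
sudoCommand: /bin/su
```

A user who is in both groups matches both entries and gets the union of the commands. A rule that permits su gives its members an unrestricted root shell, and chmod or chown run as root can also be used to widen access, so the two tiers are closer in privilege than the command lists suggest.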