2 p.m.
I've seem to have noticed a problem with using sssd with LDAP SudoHost's that
contain CIDR addresses.
We break our clusters into subnets and each have a few rules explicitly for those systems
Lets call them
cluster_a 192.168.1.0/24
cluster_b 192.168.2.0/24
cluster_c1 192.168.3.0/25
cluster_c2 192.168.3.128/25
cluster_d 192.168.4.0/23
cluster_f 192.168.6.0/24
...
cluster_z: 192.168.26.0/24
Each one may (or may not) have individual sudoUser / sudoCommand allowing certain groups
access.
So in LDAP for cluster b we have for example
dn: cn=cluster_b,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_root
sudoHost: 192.168.2.0/24
sudoUser: Buser1
sudoUser: Buser2
sudoCommand: su - sap
But then we have few additional sudo rules (mostly for administrators) which encompass
that whole group of clusters:
dn: cn=cluster_all,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_all
sudoHost: 192.168.0.0/19
sudoUser: Admin1
sudoUser: Admin2
sudoCommand: ALL
This worked fine when just using sudo pointing to our ldap server. As sudo apparently on
execution grabs all the rules and figures out if our host is in it. It has been working
like this for us for years.
But it is no longer working now that we are attempting to implement sssd caching. Namely
because sssd sends an ldap query for sudoHost={ALL, current hostname, current IP, and just
the currently used subnet (say 192.168.8.0/24) }. Not all possible larger sub ranges to
which it belongs.
We've worked around it for now by putting in all the various subranges we use, but
that has made the sudo rules in LDAP really messy and worse always subject to change as we
add an delete specialized equipment.
Can someone confirm this behavior?
6:33 a.m.
Kelley Cook wrote:
I've seem to have noticed a problem with using sssd with LDAP
SudoHost's that contain CIDR addresses.
We break our clusters into subnets and each have a few rules explicitly for those
systems
Lets call them
cluster_a 192.168.1.0/24
cluster_b 192.168.2.0/24
cluster_c1 192.168.3.0/25
cluster_c2 192.168.3.128/25
cluster_d 192.168.4.0/23
cluster_f 192.168.6.0/24
...
cluster_z: 192.168.26.0/24
Each one may (or may not) have individual sudoUser / sudoCommand allowing certain groups
access.
So in LDAP for cluster b we have for example
dn: cn=cluster_b,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_root
sudoHost: 192.168.2.0/24
sudoUser: Buser1
sudoUser: Buser2
sudoCommand: su - sap
But then we have few additional sudo rules (mostly for administrators) which encompass
that whole group of clusters:
dn: cn=cluster_all,ou=sudoers,dc=EXAMPLE,dc=COM
objectClass: top
objectClass: sudoRole
cn: cluster_all
sudoHost: 192.168.0.0/19
sudoUser: Admin1
sudoUser: Admin2
sudoCommand: ALL
This worked fine when just using sudo pointing to our ldap server. As sudo apparently on
execution grabs all the rules and figures out if our host is in it. It has been working
like this for us for years.
But it is no longer working now that we are attempting to implement sssd caching. Namely
because sssd sends an ldap query for sudoHost={ALL, current hostname, current IP, and just
the currently used subnet (say 192.168.8.0/24) }. Not all possible larger sub ranges to
which it belongs.
We've worked around it for now by putting in all the various subranges we use, but
that has made the sudo rules in LDAP really messy and worse always subject to change as we
add an delete specialized equipment.
Can someone confirm this behavior?
If I understand you correctly you're implementing something like netgroups in
sudoHost CIDR values. In general I'd say: use a decent user management to avoid
the need for that. ;-)
I'd try to set in sssd.conf:
ldap_sudo_use_host_filter = false
Ciao, Michael.
4:32 a.m.
On 04/23/2016 01:33 PM, Michael Ströder wrote:
Kelley Cook wrote:
> I've seem to have noticed a problem with using sssd with LDAP SudoHost's that
contain CIDR addresses.
>
> We break our clusters into subnets and each have a few rules explicitly for those
systems
> Lets call them
>
> cluster_a 192.168.1.0/24
> cluster_b 192.168.2.0/24
> cluster_c1 192.168.3.0/25
> cluster_c2 192.168.3.128/25
> cluster_d 192.168.4.0/23
> cluster_f 192.168.6.0/24
>
> ...
> cluster_z: 192.168.26.0/24
>
> Each one may (or may not) have individual sudoUser / sudoCommand allowing certain
groups access.
>
> So in LDAP for cluster b we have for example
> dn: cn=cluster_b,ou=sudoers,dc=EXAMPLE,dc=COM
> objectClass: top
> objectClass: sudoRole
> cn: cluster_root
> sudoHost: 192.168.2.0/24
> sudoUser: Buser1
> sudoUser: Buser2
> sudoCommand: su - sap
>
>
> But then we have few additional sudo rules (mostly for administrators) which
encompass that whole group of clusters:
>
> dn: cn=cluster_all,ou=sudoers,dc=EXAMPLE,dc=COM
> objectClass: top
> objectClass: sudoRole
> cn: cluster_all
> sudoHost: 192.168.0.0/19
> sudoUser: Admin1
> sudoUser: Admin2
> sudoCommand: ALL
>
> This worked fine when just using sudo pointing to our ldap server. As sudo
apparently on execution grabs all the rules and figures out if our host is in it. It has
been working like this for us for years.
>
> But it is no longer working now that we are attempting to implement sssd caching.
Namely because sssd sends an ldap query for sudoHost={ALL, current hostname, current IP,
and just the currently used subnet (say 192.168.8.0/24) }. Not all possible larger sub
ranges to which it belongs.
>
> We've worked around it for now by putting in all the various subranges we use,
but that has made the sudo rules in LDAP really messy and worse always subject to change
as we add an delete specialized equipment.
>
> Can someone confirm this behavior?
If I understand you correctly you're implementing something like netgroups in
sudoHost CIDR values. In general I'd say: use a decent user management to avoid
the need for that. ;-)
I'd try to set in sssd.conf:
Hi,
ldap_sudo_use_host_filter = false
yes, this option should solve your problem. You can also try
ldap_sudo_ip to specify what subnets you'd like to fetch, but it
probably won't scale well with your environment.
Ciao, Michael.
2920
days inactive
2923
days old
sssd-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Kelley Cook -
Michael Ströder -
Pavel Březina