LinuxQuestions.org

Linux - Server > SSSD SUDO ldap enabled issues (https://www.linuxquestions.org/questions/linux-server-73/sssd-sudo-ldap-enabled-issues-4175527789/)

CaptKrunch 12-09-2014 08:02 AM

SSSD SUDO ldap enabled issues
 
Hi there!

I've been struggling with this for a while now and I can't seem to wrap my brain around it.

I've followed the basic of how to export all your SUDO rules to LDAP and make SSSD read them, but for some reason, it won't allow the people in the group to get access to those rules.

So far, this is what I've done:

1. Import the sudo SCHEMA in my ldap server. I can confirm it worked (sudoRole objectClass).
2. Create the ou ou=SUDOers,dc=domain,dc=local
3. Create the rule:
Code:

dn: cn=test,ou=SUDOers,dc=domain,dc=local
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: +unix_group
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

4. In my sssd.conf, I have the usual options that you will find in this typical setup.
Code:

[domain/default]
ldap_sudo_search_base = ou=SUDOers,dc=domain,dc=local
...
....
[sudo]

the +unix_group is a group inside ldap that has all users that I want the cn=test rule to apply to.

Am I doing this right? So far, it's not working for me; the error I'm having is "user is not allowed to run sudo on palpatine".

Thanks :)
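Added example (not from the thread or from SSSD/sudo): a small Python audit of sudoRole LDIF entries like the one posted above. It parses LDIF, classifies each sudoUser value by its prefix as documented in sudoers.ldap(5) ('%' is a Unix group, '+' is a netgroup, '#' is a uid), and flags risky combinations such as !authenticate together with sudoCommand ALL. SAMPLE_LDIF is constructed to mirror the posted rule.

```python
"""Audit sudoRole entries exported to LDAP (constructed example)."""

# Constructed sample mirroring the rule posted in the thread.
SAMPLE_LDIF = """\
dn: cn=test,ou=SUDOers,dc=domain,dc=local
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: +unix_group
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""

def classify_sudo_user(value):
    """Map a sudoUser value to its meaning per sudoers.ldap(5)."""
    if value.startswith("%#"):
        return "gid"
    if value.startswith("%"):
        return "unix_group"
    if value.startswith("+"):
        return "netgroup"
    if value.startswith("#"):
        return "uid"
    return "user"

def parse_ldif(text):
    """Parse simple (non-base64, non-folded) LDIF into a list of dicts."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):           # LDIF comment
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "dn":
            current = {"dn": val}
        elif current is not None:
            current.setdefault(key, []).append(val)
    if current:
        entries.append(current)
    return entries

def audit_role(entry):
    """Return a list of findings for one sudoRole entry (empty if none)."""
    findings = []
    if "sudoRole" not in entry.get("objectClass", []):
        return findings
    for u in entry.get("sudoUser", []):
        if classify_sudo_user(u) == "netgroup":
            findings.append(f"{u}: '+' denotes a netgroup; a Unix group needs the '%' prefix")
    if "!authenticate" in entry.get("sudoOption", []) and "ALL" in entry.get("sudoCommand", []):
        findings.append("!authenticate with sudoCommand ALL: passwordless, unrestricted sudo for every match")
    if "ALL" in entry.get("sudoHost", []):
        findings.append("sudoHost ALL: the rule applies on every host reading this search base")
    return findings
```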

buttugly 12-09-2014 04:36 PM

https://fedoraproject.org/wiki/Featu...SD#How_To_Test

http://www.openldap.org/lists/openld.../msg00116.html


This one not so much...

http://unix.stackexchange.com/questi...th-user-groups

as it was never answered.

CaptKrunch 12-10-2014 05:49 AM

Thanks for the link buttugly. I've already seen those links unfortunately.

I'm following the same settings as they are using. The sudoUser +unix_group is actually an ldap group with members inside.

