Bug 1188338
| Field | Value |
|---|---|
| Summary | ldap_sudo_hostnames not working |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Marco Passerini <marco.passerini> |
| Component | sssd |
| Assignee | Pavel Březina <pbrezina> |
| Status | CLOSED NOTABUG |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | low |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.6 |
| CC | grajaiya, jgalipea, jhrozek, lslebodn, marco.passerini, mkosek, mzidek, pbrezina, preichl |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-02-09 10:43:07 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Marco Passerini
2015-02-02 16:00:25 UTC
Can you provide your whole sssd.conf?

This is it. I replaced the field names, but here's the server name mapping:

- generic_server1.mydomain.com is a hostname which provides a lot of users, all of which are supposed to be able to authenticate on this machine
- server1 is the real hostname of this server
- my-server1 is how the hostname is listed in the SUDOHost field in LDAP

I know it's a bit messy but this is the case, and with the current configuration it works. If I don't enter ipa_hostname it does not let me do sudo.

```ini
[domain/LDAP]
ldap_id_use_start_tls = True
cache_credentials = true
ldap_search_base = dc=mydomain,dc=com
ldap_user_search_base = ou=People,dc=mydomain,dc=com?subtree?(host=generic_server1.mydomain.com)
ldap_group_search_base = ou=Groups,dc=mydomain,dc=com
ldap_default_bind_dn = uid=mybind,ou=Special Users,dc=mydomain,dc=com
ldap_default_authtok = ********
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap1.mydomain.com/, ldaps://ldap2.mydomain.com/
ldap_backup_uri = ldaps://ldap3.mydomain.com
ldap_tls_cacertdir = /etc/openldap/certs
debug_level = 2
enumerate = true
sudo_provider = ldap
ldap_sudo_search_base = OU=Staff,OU=SUDOers,ou=idm,dc=mydomain,dc=com
ldap_sudo_hostnames = my-server1.mydomain.com
ipa_hostname = my-server1.mydomain.com
access_provider = permit

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]
```

Our team's sudo expert will take a look. I don't think ipa_hostname is supposed to help, though; your config is a pure LDAP one.

Hi, the thing is that sudo does not allow specifying a hostname that is supposed to match the sudoHost attribute. It parses sssd.conf to find ipa_hostname and uses its value, or uses the hostname of the machine. The option ldap_sudo_hostnames may be used to change what rules are cached, but it's useless without changing the system hostname at this moment, so it is more for testing purposes. There is currently no sudo RFE to support changing the hostname AFAIK.

Thank you, not our bug, then.
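An added example (not from the bug report and not sssd or sudo code) modelling the two-stage check the reply describes: sssd caches rules according to ldap_sudo_hostnames, and sudo then matches sudoHost against ipa_hostname from sssd.conf or, failing that, the system hostname. The host names, sample sudoRole entries and the simplified matching logic are assumptions.

```python
"""Added example, not code from the bug report or from sssd/sudo: a simplified
model of the two hostname checks that decide whether an LDAP sudo rule works.
Stage 1 (sssd): ldap_sudo_hostnames selects which sudoRole entries get cached
(default: the machine's own hostname). Stage 2 (sudo): the sssd sudoers plugin
matches sudoHost against ipa_hostname from sssd.conf, else the system hostname.
Host names, sample rules and the matching logic are assumptions."""
import configparser

# Constructed sssd.conf fragment mirroring the report's relevant settings.
SSSD_CONF = """
[sssd]
domains = LDAP

[domain/LDAP]
sudo_provider = ldap
ldap_sudo_hostnames = my-server1.mydomain.com
ipa_hostname = my-server1.mydomain.com
"""

# Constructed sudoRole entries, as sssd would fetch them from LDAP.
SUDO_RULES = [
    {"cn": "admins", "sudoHost": ["my-server1.mydomain.com"]},
    {"cn": "backup", "sudoHost": ["server1"]},
    {"cn": "everyone", "sudoHost": ["ALL"]},
]

def load_domain(conf_text, domain="LDAP"):
    """Return the [domain/<name>] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp["domain/" + domain]

def host_matches(rule, name):
    """ALL matches everything; otherwise compare the FQDN and its short form."""
    short = name.split(".")[0]
    return any(h == "ALL" or h in (name, short) for h in rule["sudoHost"])

def cached_rules(rules, domain, system_hostname):
    """Stage 1: rules sssd keeps, filtered by ldap_sudo_hostnames."""
    names = domain.get("ldap_sudo_hostnames", system_hostname).split()
    return [r for r in rules if any(host_matches(r, n) for n in names)]

def effective_rules(rules, conf_text, system_hostname):
    """Stage 2: names of cached rules that sudo itself matches on this host."""
    domain = load_domain(conf_text)
    match_name = domain.get("ipa_hostname", system_hostname)
    return [r["cn"] for r in cached_rules(rules, domain, system_hostname)
            if host_matches(r, match_name)]
```

Calling effective_rules with the report's settings and then with the ipa_hostname line removed shows the admins rule dropping out while the ALL rule survives, which is the behaviour the reporter observed.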