Bug 789477 - [RFE] SUDO: Support the IPA schema
Summary: [RFE] SUDO: Support the IPA schema
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd   
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Namita Soman
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1203710 1244957
 
Reported: 2012-02-10 20:58 UTC by Dmitri Pal
Modified: 2016-11-04 07:07 UTC (History)

Fixed In Version: sssd-1.14.0-0.1.alpha.el7
Doc Type: Enhancement
Doc Text:
SSSD now supports sudo rules stored in the IdM schema

Previously, the System Security Services Daemon (SSSD) used the `ou=sudoers` container, generated by the compatibility plug-in, to fetch sudo rules. SSSD has been enhanced to support sudo rules in the `cn=sudo` container that are stored in the Identity Management (IdM) directory schema. To enable this feature, unset the "ldap_sudo_search_base" parameter in the `/etc/sssd/sssd.conf` file.
Story Points: ---
Clone Of:
Clones: 852135 1244957
Environment:
Last Closed: 2016-11-04 07:07:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Dmitri Pal 2012-02-10 20:58:34 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1108

The IPA server stores the sudo rules a little differently. We need to support the native sudo schema in 1.8.

This would require:
* downloading and storing the rules in sysdb in a defined format (probably the same as on server)
* when sending the data to sudo from the sudo responder, convert them to the format sudo understands
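The second bullet above is the conversion step: a rule stored in the native IPA sudo schema (`ipasudorule` under `cn=sudo`) has to be turned into the `sudoRole` attributes sudo's LDAP interface understands. The following is an added illustration of that mapping, not SSSD's own converter; the attribute names, the DN-based detection of groups and hostgroups, and the sample directory entries are assumptions drawn from the IPA sudo schema and the sudoers LDAP schema, and the example covers only a subset of the attributes (no `externalUser`/`externalHost`).

```python
from typing import Optional

# Constructed sample data (not real directory content): two sudocmd entries
# and one enabled ipasudorule under cn=sudo that references them by DN.
SUDOCMDS = {
    "ipaUniqueID=cmd-1,cn=sudocmds,cn=sudo,dc=example,dc=test": "/usr/bin/systemctl restart httpd",
    "ipaUniqueID=cmd-2,cn=sudocmds,cn=sudo,dc=example,dc=test": "/usr/bin/su",
}
IPA_RULE = {
    "cn": ["web_admins"],
    "ipaEnabledFlag": ["TRUE"],
    "memberUser": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test",
                   "cn=webops,cn=groups,cn=accounts,dc=example,dc=test"],
    "hostCategory": ["all"],
    "memberAllowCmd": ["ipaUniqueID=cmd-1,cn=sudocmds,cn=sudo,dc=example,dc=test"],
    "memberDenyCmd": ["ipaUniqueID=cmd-2,cn=sudocmds,cn=sudo,dc=example,dc=test"],
    "ipaSudoRunAsUserCategory": ["all"],
    "ipaSudoOpt": ["!authenticate"],
}

def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'alice' from 'uid=alice,cn=users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def ipa_rule_to_sudorole(rule: dict, cmds: dict) -> Optional[dict]:
    """Map one IPA-schema rule to sudoRole attributes; None if the rule is disabled."""
    if rule.get("ipaEnabledFlag", ["FALSE"])[0].upper() != "TRUE":
        return None  # a disabled rule must never be handed to sudo
    role = {"cn": rule["cn"][0], "sudoUser": [], "sudoHost": [], "sudoCommand": [],
            "sudoRunAsUser": [], "sudoOption": list(rule.get("ipaSudoOpt", []))}
    if rule.get("userCategory", [""])[0].lower() == "all":
        role["sudoUser"].append("ALL")
    for dn in rule.get("memberUser", []):  # sudoers spells groups as %name
        role["sudoUser"].append(("%" if ",cn=groups," in dn else "") + rdn_value(dn))
    if rule.get("hostCategory", [""])[0].lower() == "all":
        role["sudoHost"].append("ALL")
    for dn in rule.get("memberHost", []):  # hostgroups exposed netgroup-style as +name
        role["sudoHost"].append(("+" if ",cn=hostgroups," in dn else "") + rdn_value(dn))
    if rule.get("cmdCategory", [""])[0].lower() == "all":
        role["sudoCommand"].append("ALL")
    for attr, prefix in (("memberAllowCmd", ""), ("memberDenyCmd", "!")):
        for dn in rule.get(attr, []):
            if dn in cmds:  # unresolvable command references are dropped, never widened
                role["sudoCommand"].append(prefix + cmds[dn])
    if rule.get("ipaSudoRunAsUserCategory", [""])[0].lower() == "all":
        role["sudoRunAsUser"].append("ALL")
    for dn in rule.get("ipaSudoRunAs", []):
        role["sudoRunAsUser"].append(rdn_value(dn))
    return role
```

Note that the command DNs have to be resolved through a second lookup (here the `SUDOCMDS` dictionary), which is one reason the rules are first cached in sysdb before the responder converts them.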

Comment 3 Jakub Hrozek 2016-01-19 16:44:09 UTC
    master:
    sssd-1-13:

Comment 6 Marc Muehlfeld 2016-07-12 15:32:12 UTC
This feature should be listed in the RHEL 7.3 release notes.

Jakub, can you please provide some general information for the release notes in the DocText field? For example:
- What is the new feature?
- How does it help the user?
- Are any config changes necessary?
- New or updated commands or options to mention?
- Anything else to mention in the release notes for this feature?

Comment 7 Lukas Slebodnik 2016-07-12 15:37:49 UTC
Pavel is an author of this feature.

Comment 8 Marc Muehlfeld 2016-08-05 06:41:57 UTC
Pavel, can you please provide us with the requested information (#c6)? We need it in the short term to prepare the release note for 7.3 beta.

Comment 9 Pavel Březina 2016-08-05 08:56:54 UTC
Q: What is the new feature?
A: In older versions, SSSD used the ou=sudoers container generated by the compatibility plugin to fetch sudo rules. This feature implements support for the cn=sudo container, which contains sudo rules stored in the IPA sudo schema.

Q: How does it help the user?
A: This is only an under-the-hood change which is not visible to the user. However, an administrator can disable the compat plugin on the IPA server if they don't need to support any legacy clients.

Q: Are any config changes necessary?
A: ldap_sudo_search_base should be unset to enable this feature.

Q: New or updated commands or options to mention?
A: No.

Q: Anything else to mention in the release notes for this feature?
A: No.

Comment 13 Xiyang Dong 2016-08-22 01:59:54 UTC
Verified on sssd-1.14.0-23.el7:
Based on the SSSD QE tests for sudo on the LDAP provider, verified with sudo_provider = ipa.
1. Check "defaults" entry support
2. Check rule and smart refresh mechanism
3. Stress-test smart refresh
4. Check full refresh mechanism
5. Check attribute support
6. Check command attribute support
7. Miscellaneous tests

Comment 15 errata-xmlrpc 2016-11-04 07:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

