Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 912673

Summary: "ipaEnabledFlag" ldap attribute is not set for IPA Sudo Rule and consequently disabled sudo rule does not works.
Product: Red Hat Enterprise Linux 7 Reporter: Kaleem <ksiddiqu>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE QA Contact: Michael Gregg <mgregg>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: chhudson, dpal, mgregg, mkosek, nalin, nsoman, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.2.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1022199 (view as bug list) Environment:
Last Closed: 2014-06-13 11:03:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1022199    

Description Kaleem 2013-02-19 11:38:01 UTC 
Description of problem:
"ipaEnabledFlag" ldap attribute is not set for IPA Sudo Rule and consequently disabled sudo rule does not works.

Version-Release number of selected component (if applicable):

SSSD and IPA-Server version:
----------------------------
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-26.el6_4.x86_64
[root@rhel64master ~]#

How reproducible:
Always

Steps to Reproduce:
1.Add a sudorule 

[root@rhel64master ~]# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser1
  Hosts: rhel64client1.testrelm.com
  Sudo Allow Commands: /bin/date
  Sudo Deny Commands: /bin/uname
  RunAs Users: tuser2
  Groups of RunAs Users: localadmins
  RunAs Groups: localadmins
[root@rhel64master ~]#

2.Perform ldapsearch for the above added sudorule and look for ipaEnabledFlag attribute
 
Actual results:

ldapsearch does not shows the "ipaEnabledFlag" attribute

[root@rhel64master ~]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=sudorule1,ou=sudoers,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudorule1, sudoers, testrelm.com
dn: cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
sudoUser: tuser1
sudoHost: rhel64client1.testrelm.com
sudoCommand: /bin/date
sudoCommand: !/bin/uname
sudoRunAsUser: tuser2
sudoRunAsUser: %localadmins
sudoRunAsGroup: localadmins
cn: sudorule1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@rhel64master ~]#

Expected results:
"ipaEnabledFlag" ldap attribute should be added for IPA Sudo Rule, so the Disabled sudoRule functionality can work.
Comment 2 Dmitri Pal 2013-02-19 15:06:45 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3437
Comment 3 Martin Kosek 2013-03-06 15:09:26 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54080f46b02c04706021a6cd419f5b30d88d2b7b
ipa-3-1: https://fedorahosted.org/freeipa/changeset/50e913c65e1b880c9c534dcd199f0c56102a9f9a
Comment 8 Nalin Dahyabhai 2013-04-04 22:09:38 UTC 
This appears to be a bug in slapi-nis, as it's supposed to remove entries which are modified so that they no longer match a particular container's filter.  Any objections to reassigning and then cloning for 6.x?
Comment 9 Dmitri Pal 2013-04-05 00:30:48 UTC 
That would also mean that we would need to reevaluate whether the fix above is the right fix and patch should be reverted or not.
Comment 12 Michael Gregg 2013-12-23 22:13:53 UTC 
I do not see the ipaEnabledFlag in the new sudorule I created as per comment #1.

Please advise:

[root@blade05 ~]# ipa sudorule-show newtestrule
  Rule name: newtestrule
  Enabled: TRUE
  External User: mgregg

[root@blade05 ~]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=newtestrule,ou=sudoers,dc=testrelm,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=newtestrule,ou=sudoers,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# newtestrule, sudoers, testrelm.com
dn: cn=newtestrule,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
sudoUser: mgregg
cn: newtestrule

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 13 Michael Gregg 2013-12-23 22:31:58 UTC 
setting needinfo
Comment 14 Martin Kosek 2014-01-02 13:48:12 UTC 
ipaEnabledFlag is only set in the IPA SUDO rule entry, in ,cn=sudorules,cn=sudo,dc=example,dc=com. You can see it with

$ ipa sudorule-show newtestrule --all --raw

When the flag is set to FALSE, the SUDO rule is simply removed from ou=sudoers,dc=example,dc=com view
Comment 15 Ludek Smid 2014-06-13 11:03:39 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.