On Wed, Sep 10, 2014 at 09:58:27PM +0000, Trevor T Kates (Services - 6) wrote:
> Hi all:
>
> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a quirky
> problem. From what I've read thus far, sudo under SSSD can't provide sudo rules
> for local users that are not part of the directory. To get around this, I've been
> using the sudo-ldap.conf file to provide sudo with direct access to the directory.
> This, however, can't make use of service discovery, so if the first server in the
> ldap_uri list is taken down, sudo delays for the length of the timeout set. My
> idea for getting around this has been to use sudo in SSSD for users that are in
> the directory and let sudo-ldap take care of local users with a line in nsswitch.conf
> like this:
>
> sudoers: files sss ldap
I think this is more of a sudo question and I'm not too familiar with the sudo code to answer this question well. I added the sudo Fedora maintainer to CC, maybe he has some ideas?

> My problem now seems to be that the ldap query is still run even if a successful hit
> is made to sssd. Changing the line in nsswitch.conf to:
>
> sudoers: files sss [success=return] ldap

I don't think [success=return] will work here. Despite sudoers being configured in nsswitch.conf, it's not actually a NSS map handled by glibc. sudo itself parses the file.

> doesn't seem to actually work.
>
> Does anyone have pointers on how I can resolve this particular problem?
>
> Thanks!
>
> Trevor T. Kates

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
