I am trying to implement FreeIPA in a larger environment. Due to the complexity of the environment I've been constructing a user group structure such that i have groups at the following levels:
project --> project_at_site --> project_site_vendor HBAC rules are defined at the lowest level (vendor at site) and associated with a host group at the same level. Each of the above user group levels will have a corresponding sudo group. (Used to provide a vendor access to servers the vendor supports at a specific site at a moments notice) HBAC rules are propagating up the chain correctly. When a user is added to a top level group (e.g. project or project-sudo) the indirect membership shows up for both Sudo and HBAC rules. The problem is that I can't get the sudo privileges to work when the user shows indirect membership for the sudo rule. If i make the user a direct member of the sudo rule, i can use sudo. As I've looked at debug logs, i was able to see that the query used when i was identical when i was successful at using sudo and when i i got denied. The difference is the failure would have a message like [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [ [email protected]] The successes returned 2 rules. The only change made between the success and failure was making the user a direct member of the sudo rule where the failure was an indirect member. Thanks for any help!
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
