Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1232950
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
By definition of sudo-ldap, if multiple entries match then the higher value of
sudoOrder should be chosen; instead, in a default integration with ipa-client
the lowest value of sudoOrder is used. This conflicts with other servers
authenticating with the IPA server which rely only on ldap and that don't
Version-Release number of selected component (if applicable):
Steps to Reproduce:
ipa sudorule-mod SUDORULE --order=X
To check all defined orders:
ipa sudorule-find|egrep 'name|order'
The wrong rule is honored.
The rule with the high sudoOrder is selected.
The sudoRole entries retrieved from the LDAP directory have no inherent
order. The sudoOrder attribute is an integer (or floating point value for
LDAP servers that support it) that is used to sort the matching entries.
This allows LDAP-based sudoers entries to more closely mimic the
behaviour of the sudoers file, where the order of the entries influences the
result. If multiple entries match, the entry with the highest sudoOrder
attribute is chosen. This corresponds to the "last match" behavior of the
sudoers file. If the sudoOrder attribute is not present, a value of 0 is
Here is the workaround:
- change nsswitch.conf on line sudoers from "sudoers: files sss" to "sudoers:
- create entries on /etc/sudo-ldap.conf file specifying with:
Once sudo is changed to use ldap instead of sssd, it starts working with the
appropriate sudoOrder, as sudo is doing the sort instead of sssd (I guess that
sssd doesn't pass the sudoOrder to sudo; instead it does the sort by itself).
The downside is that now we don't have offline cache, nor the direct
integration with ipa-client installation, and there is now a file potentially
exposing a password for accessing the ldap sudo schema defined on the IPA
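As an added illustration (not code from this ticket, from sssd or from sudo), the selection rule quoted from sudoers.ldap above applied to a few constructed sudoRole entries: the highest sudoOrder wins, a missing attribute counts as 0, and the same helper can be switched to the lowest-wins behaviour the reporter observed so the two outcomes can be compared side by side. Entry names, users, groups, hosts and commands are made up for the example.

```python
from fnmatch import fnmatchcase

# Constructed sudoRole entries in the shape sudo/sssd read from the IPA
# compat tree. Hypothetical values, not taken from the ticket.
SUDO_ROLES = [
    {"cn": "ops-all", "sudoUser": ["%ops"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOrder": "1", "sudoOption": []},
    {"cn": "ops-restart-nopasswd", "sudoUser": ["%ops"], "sudoHost": ["web*"],
     "sudoCommand": ["/bin/systemctl restart httpd"], "sudoOrder": "10",
     "sudoOption": ["!authenticate"]},
    {"cn": "legacy", "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["/bin/systemctl restart httpd"],
     "sudoOption": ["authenticate"]},   # no sudoOrder: treated as 0
]


def matching_roles(roles, user, groups, host, command):
    """Return every role whose sudoUser/sudoHost/sudoCommand all match."""
    who = {user} | {"%" + g for g in groups}
    hits = []
    for r in roles:
        users = set(r["sudoUser"])
        if "ALL" not in users and not (who & users):
            continue
        if not any(h == "ALL" or fnmatchcase(host, h) for h in r["sudoHost"]):
            continue
        if not any(c == "ALL" or c == command for c in r["sudoCommand"]):
            continue
        hits.append(r)
    return hits


def sudo_order(role):
    """sudoOrder as a number; absent attribute is 0, floats are accepted."""
    return float(role.get("sudoOrder", "0"))


def select_role(roles, user, groups, host, command, correct=True):
    """Pick the effective entry among all matches.

    correct=True follows sudoers.ldap(5): highest sudoOrder wins
    ("last match"). correct=False reproduces the reported sssd
    behaviour, where the lowest sudoOrder is honoured instead.
    """
    hits = matching_roles(roles, user, groups, host, command)
    if not hits:
        return None
    pick = max if correct else min
    return pick(hits, key=sudo_order)["cn"]
```

For alice (member of ops) restarting httpd on web01, all three entries match; the spec picks "ops-restart-nopasswd" (sudoOrder 10) while the lowest-wins behaviour picks "legacy" (no sudoOrder, so 0), which is exactly the "wrong rule is honored" symptom, and whichever entry is chosen is the one whose sudoOption values sudo applies.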
design_review: => 0
mark: no => 0
owner: somebody => pbrezina
review: True => 0
testsupdated: => 0
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
Required for downstream, but not for Beta
milestone: SSSD 1.13 beta => SSSD 1.13
This ticket has a downstream BZ link, bumping priority
priority: major => critical
patch: 0 => 1
resolution: => fixed
status: new => closed
milestone: SSSD 1.13.2 => SSSD 1.13.1
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.1