Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1232950
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
By definition of sudo-ldap, if multiple entries match then the higher value of sudoOrder should be chosen; instead, in a default integration with ipa-client the lowest value of sudoOrder is used. This conflicts with other servers authenticating with the IPA server which rely only on ldap and that don't support SSSD...

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
ipa sudorule-mod SUDORULE --order=X
To check all defined orders:
ipa sudorule-find | egrep 'name|order'

Actual results:
The wrong rule is honored.

Expected results:
The rule with the highest sudoOrder is selected.

Additional info:
sudoOrder
The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.

Here is the workaround:
- change nsswitch.conf on the sudoers line from "sudoers: files sss" to "sudoers: files ldap"
- create entries in the /etc/sudo-ldap.conf file specifying:
    uri ldap://ipaserver01.subdomain.domain.com:389 ldap://ipaserver02.subdomain.domain.com:389
    bind_timelimit 30
    timelimit 30
    sudoers_base ou=sudoers,dc=subdomain,dc=domain,dc=com
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=subdomain,dc=domain,dc=com
    bindpw password

Once sudo is changed to use ldap instead of sssd, it starts working with the appropriate sudoOrder, as sudo is doing the sort instead of sssd (I guess that sssd doesn't pass the sudoOrder to sudo and instead does the sort by itself).
The downside is that now we don't have offline cache, nor the direct integration with ipa-client installation, and there is now a file potentially exposing a password for accessing the ldap sudo schema defined on the IPA server.
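The ordering rule the report quotes from sudoers.ldap (highest sudoOrder wins, absent sudoOrder counts as 0) and the `ipa sudorule-find | egrep 'name|order'` check it suggests, as an added example that is not part of the bug report and is not SSSD or sudo code. The sample `ipa sudorule-find` output is constructed, and the "Rule name:" / "Sudo order:" labels are assumed to match what the IPA CLI prints; `parse_sudorule_find`, `select_last_match` and `find_order_problems` are names chosen here. The last function goes slightly beyond the report: besides rules with no sudoOrder it also flags rules that share the same sudoOrder, since precedence between equal values is not defined by the rule quoted above.

```python
"""Added example (not from the bug report, SSSD or sudo): sudo's LDAP
"last match" ordering applied to matching sudoRole entries, plus a parser
for `ipa sudorule-find | egrep 'name|order'` output that flags rules whose
sudoOrder is missing or duplicated. Sample data below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample of what `ipa sudorule-find | egrep 'name|order'` could
# print for three rules (field labels assumed). The third rule has no
# sudoOrder set, which sudoers.ldap says is treated as 0.
SAMPLE_FIND_OUTPUT = """\
  Rule name: admins_all
  Sudo order: 10
  Rule name: ops_restart
  Sudo order: 5
  Rule name: legacy_rule
"""


def parse_sudorule_find(text: str) -> Dict[str, Optional[float]]:
    """Map rule name -> sudoOrder (None when the rule carries no order)."""
    rules: Dict[str, Optional[float]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Rule name:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            rules[current] = None
            continue
        # sudoOrder may be an integer or, on servers that support it, a float
        m = re.match(r"\s*Sudo order:\s*([-+]?\d+(?:\.\d+)?)\s*$", line)
        if m and current is not None:
            rules[current] = float(m.group(1))
    return rules


def effective_order(order: Optional[float]) -> float:
    """sudoers.ldap: a missing sudoOrder attribute is treated as 0."""
    return 0.0 if order is None else order


def select_last_match(matching: Dict[str, Optional[float]]) -> Optional[str]:
    """Among entries that all match the user/host/command, return the one
    sudo should honor: the highest sudoOrder ("last match" semantics)."""
    if not matching:
        return None
    return max(matching, key=lambda name: effective_order(matching[name]))


def find_order_problems(rules: Dict[str, Optional[float]]) -> Dict[str, List[str]]:
    """Report rules that make precedence ambiguous: no sudoOrder at all
    (silently ranked as 0) or a sudoOrder shared by several rules."""
    missing = sorted(n for n, o in rules.items() if o is None)
    by_order: Dict[float, List[str]] = {}
    for name, order in rules.items():
        by_order.setdefault(effective_order(order), []).append(name)
    duplicates = sorted(
        n for names in by_order.values() if len(names) > 1 for n in names
    )
    return {"missing_order": missing, "duplicate_order": duplicates}


if __name__ == "__main__":
    parsed = parse_sudorule_find(SAMPLE_FIND_OUTPUT)
    print("rules:", parsed)
    print("sudo should honor:", select_last_match(parsed))
    print("problems:", find_order_problems(parsed))
```

Running the three functions against the real `ipa sudorule-find` output makes it easy to see which rule sudo ought to pick for a given host and whether the set of orders is unambiguous, which is the first thing to establish before deciding whether the sss or ldap sudoers source is at fault.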
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => pbrezina
review: True => 0
selected: =>
testsupdated: => 0
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
Required for downstream, but not for Beta
milestone: SSSD 1.13 beta => SSSD 1.13
This ticket has a downstream BZ link, bumping priority
priority: major => critical
patch: 0 => 1
resolution: => fixed status: new => closed
milestone: SSSD 1.13.2 => SSSD 1.13.1
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3723
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.