054a068 sudorule-add-user: allow to reference users and groups from trusted domains directly

1 file. Authored by abbra 4 years ago, committed by rcritten 4 years ago.
    sudorule-add-user: allow to reference users and groups from trusted domains directly
    
    Allow specifying AD users and groups from trusted Active Directory
    forests in `ipa sudorule-add/remove-user` family of commands.
    
    SSSD uses a single attribute 'externalUser' for IPA to pull 'external'
    objects referenced in SUDO rules. This means both users and groups are
    represented within the same attribute, with groups prefixed with '%',
    as described in the sudoers(5) man page.
    
    Add member type validators to 'ipa sudorule-add/remove-user' family
    commands and rely on member type validators from 'idviews' plugin to
    resolve trusted objects.
    
    Referencing fully qualified names for users and groups from trusted
    Active Directory domains in 'externalUser' attribute of SUDO rules is
    supported in SSSD 2.4 or later.
    
    RN: IPA now supports adding users and groups from trusted Active
    RN: Directory domains in SUDO rules without an intermediate non-POSIX
    RN: group membership
    
    Fixes: https://pagure.io/freeipa/issue/3226
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    
        
file modified
+75 -20
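
The single-attribute encoding described in the commit message, as an added example that is not part of the commit or of FreeIPA's code: it splits `externalUser` values into users and groups by the `%` prefix and picks out the fully qualified names, which the message says need SSSD 2.4 or later. The `name@domain` form, the helper names and the sample values are assumptions constructed for illustration.

```python
from typing import List, NamedTuple, Optional


class ExternalMember(NamedTuple):
    kind: str               # "user" or "group"
    name: str               # name without the '%' marker or domain suffix
    domain: Optional[str]   # set when the value is fully qualified


def parse_external_user(value: str) -> ExternalMember:
    """Classify one externalUser value (hypothetical helper)."""
    value = value.strip()
    kind = "user"
    if value.startswith("%"):
        # sudoers(5) convention named in the commit message: '%' marks a group
        kind, value = "group", value[1:]
    if not value:
        raise ValueError("empty externalUser value")
    # Assumption: a fully qualified name is written as name@domain.
    name, sep, domain = value.rpartition("@")
    if not sep:
        return ExternalMember(kind, value, None)
    if not name or not domain:
        raise ValueError("malformed fully qualified name: %r" % value)
    return ExternalMember(kind, name, domain.lower())


def to_external_user(member: ExternalMember) -> str:
    """Encode a member back into the single-attribute form."""
    fqn = member.name if member.domain is None else f"{member.name}@{member.domain}"
    return ("%" if member.kind == "group" else "") + fqn


def needs_fqn_support(values: List[str]) -> List[str]:
    """Return the fully qualified values, i.e. the ones the commit
    message says need SSSD 2.4 or later on the client."""
    return [v for v in values if parse_external_user(v).domain is not None]


# Constructed sample values, not taken from any real deployment.
SAMPLE = ["alice", "%admins", "ad-admin@ad.example.test",
          "%sudo-ops@ad.example.test"]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(raw, "->", parse_external_user(raw))
    print("fully qualified:", needs_fqn_support(SAMPLE))
```
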