78043bf sudorule runAs: allow to add users and groups from trusted domains directly

1 file. Authored by abbra 3 years ago, committed by rcritten 3 years ago.
    sudorule runAs: allow to add users and groups from trusted domains directly
    
    Allow specifying AD users and groups from trusted Active Directory
    forests in the `ipa sudorule-add/remove-runasuser/runasgroup` family of
    commands.
    
    IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
    attributes to record 'external' objects referenced in SUDO rules for
    specifying the target user and group to run the commands allowed in the
    SUDO rule.
    
    Use member type validators in the 'ipa sudorule-add/remove-runasuser/runasgroup'
    family of commands and rely on member type validators from the 'idviews'
    plugin to resolve trusted objects.
    
    Referencing fully qualified names for users and groups from trusted
    Active Directory domains in IPA SUDOERs schema attributes is supported
    in SSSD 2.4 or later.
    
    RN: IPA now supports users and groups from trusted Active Directory
    RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
    RN: without an intermediate non-POSIX group membership
    
    Fixes: https://pagure.io/freeipa/issue/3226
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    
        
file modified
+77 -57