Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 912673
Description of problem:
"ipaEnabledFlag" LDAP attribute is not set for IPA Sudo Rule and consequently disabled sudo rule does not work.

Version-Release number of selected component (if applicable):
SSSD and IPA-Server version:
----------------------------
[root@rhel64master ~]# rpm -q sssd ipa-server
sssd-1.9.2-82.el6.x86_64
ipa-server-3.0.0-26.el6_4.x86_64
[root@rhel64master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Add a sudorule
[root@rhel64master ~]# ipa sudorule-show sudorule1
  Rule name: sudorule1
  Enabled: TRUE
  Users: tuser1
  Hosts: rhel64client1.testrelm.com
  Sudo Allow Commands: /bin/date
  Sudo Deny Commands: /bin/uname
  RunAs Users: tuser2
  Groups of RunAs Users: localadmins
  RunAs Groups: localadmins
[root@rhel64master ~]#
2. Perform ldapsearch for the above added sudorule and look for the ipaEnabledFlag attribute

Actual results:
ldapsearch does not show the "ipaEnabledFlag" attribute
[root@rhel64master ~]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
# extended LDIF
#
# LDAPv3
# base <cn=sudorule1,ou=sudoers,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudorule1, sudoers, testrelm.com
dn: cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
sudoUser: tuser1
sudoHost: rhel64client1.testrelm.com
sudoCommand: /bin/date
sudoCommand: !/bin/uname
sudoRunAsUser: tuser2
sudoRunAsUser: %localadmins
sudoRunAsGroup: localadmins
cn: sudorule1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@rhel64master ~]#

Expected results:
"ipaEnabledFlag" LDAP attribute should be added for IPA Sudo Rule, so the Disabled sudoRule functionality can work.
The problem here is that setting ipaEnabledFlag to False does not trigger deletion of the sudorule in the compat tree (ou=sudoers,$SUFFIX). It just filters the rule out of Schema Compatibility Plugin and leaves it in the compat tree until Schema Compatibility Plugin reloads the whole tree (like when 389-ds is restarted).
This is current Schema Compatibility Plugin configuration:
# sudoers, Schema Compatibility, plugins, config
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member","sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=sudorules, cn=sudo, dc=linux,dc=ad,dc=test
schema-compat-container-group: ou=SUDOers, dc=linux,dc=ad,dc=test
Can we somehow update the configuration of the Schema Compatibility Plugin or fix the plugin to remove entries in the compat tree when modification of the original entry suddenly renders schema-compat-search-filter result to FALSE?
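As an added check for the two findings above (the bug report's ldapsearch against ou=sudoers, and the diagnosis that a rule the schema-compat-search-filter stops selecting still sits in the compat tree until the plugin reloads), here is a small audit script. It is not FreeIPA code and not from this ticket. It parses LDIF dumps of the plugin's source tree (schema-compat-search-base) and of the compat tree, evaluates the plugin's search filter against each source entry, and lists compat entries that the filter no longer selects: exactly the rules a sudo-ldap client keeps honouring after `ipa sudorule-disable`. The two LDIF dumps are constructed, and the suffix dc=testrelm,dc=com, the rule names and the ldapsearch invocations are assumptions.

```python
"""Audit: which IPA sudo rules does the compat tree still serve although the
Schema Compatibility plugin's search filter no longer selects them?

Added example for this ticket, not FreeIPA code. Feed it two ldapsearch dumps
(suffix and bind DN are assumptions; the sample LDIF below is constructed):
  ldapsearch -x -D "cn=Directory Manager" -W -LLL -b "cn=sudorules,cn=sudo,dc=testrelm,dc=com"
  ldapsearch -x -D "cn=Directory Manager" -W -LLL -b "ou=sudoers,dc=testrelm,dc=com"
"""
import base64

# Constructed sample of the plugin's source tree (schema-compat-search-base).
SOURCE_LDIF = """\
dn: cn=sudorule1,cn=sudorules,cn=sudo,dc=testrelm,dc=com
objectClass: ipasudorule
cn: sudorule1
ipaEnabledFlag: TRUE
memberUser: uid=tuser1,cn=users,cn=accounts,dc=testrelm,dc=com

dn: cn=sudorule2,cn=sudorules,cn=sudo,dc=testrelm,dc=com
objectClass: ipasudorule
cn: sudorule2
ipaEnabledFlag: FALSE

dn: cn=sudorule3,cn=sudorules,cn=sudo,dc=testrelm,dc=com
objectClass: ipasudorule
cn: sudorule3
ipaEnabledFlag: TRUE
compatVisible: FALSE
"""

# Constructed sample of the compat tree as a sudo-ldap client sees it. sudorule2
# and sudorule3 are leftovers: still served, but disabled or hidden in the source
# tree. One value is wrapped onto a continuation line, as ldapsearch does.
COMPAT_LDIF = """\
# sudorule1, sudoers, testrelm.com
dn: cn=sudorule1,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
cn: sudorule1
sudoUser: tuser1
sudoHost: rhel64client1.testrelm.com
sudoCommand: /bin/date

dn: cn=sudorule2,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
cn: sudorule2
sudoUser: tuser1
sudoHost: ALL
sudoCommand: ALL

dn: cn=sudorule3,ou=sudoers,dc=testrelm,dc=com
objectClass: sudoRole
cn: sudorule3
sudoUser: tuser1
sudoHost: rhel64client1.test
 relm.com
sudoCommand: /bin/date
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute name to
    list of values. Joins RFC 2849 continuation lines (leading space), decodes
    base64 '::' values and skips '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):       # "attr:: <base64>"
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(attr.lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def has_value(entry, attr, value):
    """LDAP equality match; attribute names and these values are case-insensitive."""
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def compat_visible(entry):
    """Evaluate the plugin's schema-compat-search-filter from the config above:
    (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE))).
    An absent attribute makes the (!...) term true, so a rule with no
    ipaEnabledFlag at all is treated as enabled."""
    return (has_value(entry, "objectClass", "ipaSudoRule")
            and not has_value(entry, "compatVisible", "FALSE")
            and not has_value(entry, "ipaEnabledFlag", "FALSE"))


def stale_compat_rules(source_ldif, compat_ldif):
    """Names (schema-compat-entry-rdn is cn=%{cn}) of compat entries whose
    source entry is gone or no longer passes the filter, i.e. the rules
    clients keep seeing until the plugin reloads, e.g. on a 389-ds restart."""
    source = {e["cn"][0].lower(): e for e in parse_ldif(source_ldif) if "cn" in e}
    served = {e["cn"][0].lower() for e in parse_ldif(compat_ldif) if "cn" in e}
    return sorted(cn for cn in served
                  if cn not in source or not compat_visible(source[cn]))


if __name__ == "__main__":
    for cn in stale_compat_rules(SOURCE_LDIF, COMPAT_LDIF):
        print("still served from compat tree but filtered out:", cn)
```

Run it against real dumps by replacing the two constants with the ldapsearch output; any name it prints is a rule that sudo-ldap clients can still match even though `ipa sudorule-show` reports it as disabled, so until the plugin change lands the practical workaround after disabling a rule is to force a reload (restart 389-ds) and re-run this check.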
Adding Rich to CC.
Triaged to March.
master: 54080f4
ipa-3-1: 50e913c
Metadata Update from @dpal:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.2 - 2013/03