[sudo-users] LDAP Group Evaluation order
paul at cantle.me
Mon Nov 2 15:02:31 MST 2015
It would appear I need the sudoOrder attribute to be populated which will allow manipulation of the rule processing order. However, I’m not sure my Windows system will support that.
I’ll keep digging or see if there’s another way.
From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 19:09
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: LDAP Group Evaluation order
Apologies if this has been answered previously.
I’m using SSSD to source my Sudo groups from LDAP (Active Directory in my case).
Is there any way to control (when a user is a member of 2 groups), which one is sourced first? I’m guessing it uses “least privileged” by default, but for some users or groups, I don’t necessarily want this.
User joe is a member of SSSD Role: System_Admins. Within this role is %wheel. The %wheel group gets ALL with !authenticate (This all works fine)
If I add joe to another SSSD Role: DB_Server_Admins (Let’s say he has to be in this role due to nested grouping and Role Based Access Control). Within this role is %dbadmins. The %dbadmins group also gets ALL on this particular server but has to authenticate.
When joe runs any sudo command now, it asks him for a password (and ignores the !authenticate from his %wheel group membership).
Output of sudo -ll
User joe may run the following commands on this host:
SSSD Role: DB_Server_Admins
SSSD Role: System_Admins
Is there any way to specify for joe or for %wheel that even if joe is a member of another group, ensure that his %wheel group privs are the ones used and not any other groups?
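The sudoOrder approach mentioned in the follow-up, applied to the %wheel/%dbadmins scenario from the question, as an added example that is not part of this thread or of the sudo project: a small Python model of the sudoers.ldap(5) ordering rule (a missing sudoOrder counts as 0, and the matching entry with the highest sudoOrder is treated as the last match), run over a constructed LDIF whose DNs and group names are placeholders.

```python
"""Model of how sudo's LDAP backend picks among matching sudoRole entries.
Added example, not sudo's code. Rule modeled from sudoers.ldap(5): a missing
sudoOrder counts as 0 and the highest sudoOrder is treated as the last match."""
from typing import Dict, List, Set

# Constructed LDIF mirroring the thread's two roles; DNs are placeholders.
LDIF = """\
dn: cn=DB_Server_Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %dbadmins
sudoHost: ALL
sudoCommand: ALL

dn: cn=System_Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 10
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one attribute->values dict per blank-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def matches(entry: Dict[str, List[str]], user: str, groups: Set[str]) -> bool:
    """sudoUser values starting with % name a group, otherwise a user."""
    return any(v == user or (v.startswith("%") and v[1:] in groups)
               for v in entry.get("sudoUser", []))

def winning_options(entries: List[Dict[str, List[str]]], user: str, groups: Set[str]) -> List[str]:
    """sudoOption values of the matching entry with the highest sudoOrder.
    Ties (e.g. no sudoOrder anywhere) fall back to the server's return order."""
    hits = [e for e in entries if matches(e, user, groups)]
    if not hits:
        return []
    best = max(hits, key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    return best.get("sudoOption", [])

def needs_password(entries: List[Dict[str, List[str]]], user: str, groups: Set[str]) -> bool:
    return "!authenticate" not in winning_options(entries, user, groups)
```

Stripping sudoOrder from both entries reproduces the thread's symptom: the two rules tie at 0 and whichever the directory returns first decides whether joe is prompted.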