[sudo-users] LDAP Group Evaluation order

Paul Cantle paul at cantle.me
Mon Nov 2 15:02:31 MST 2015


Hi,

Following up:

It would appear I need the sudoOrder attribute to be populated, which will allow manipulation of the rule processing order. However, I’m not sure my Windows system will support that.

I’ll keep digging or see if there’s another way.

Rgds

Paul


From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 19:09
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: LDAP Group Evaluation order

Hi all,

Apologies if this has been answered previously.

I’m using SSSD to source my Sudo groups from LDAP (Active Directory in my case).

Is there any way to control (when a user is a member of 2 groups), which one is sourced first? I’m guessing it uses “least privileged” by default, but for some users or groups, I don’t necessarily want this.

For example:

User joe is a member of SSSD Role: System_Admins. Within this role is %wheel. The %wheel group gets ALL with !authenticate (This all works fine)

If I add joe to another SSSD Role: DB_Server_Admins (Let’s say he has to be in this role due to nested grouping and Role Based Access Control). Within this role is %dbadmins. The %dbadmins group also gets ALL on this particular server but has to authenticate.

When joe runs any sudo command now, it asks him for a password (and ignores the !authenticate from his %wheel group membership).

Output of sudo -ll

User joe may run the following commands on this host:

SSSD Role: DB_Server_Admins
    RunAsUsers: ALL
    Commands:
        ALL

SSSD Role: System_Admins
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL


Is there any way to specify for joe or for %wheel that even if joe is a member of another group, his %wheel group privs are the ones used and not any other group's?

Thanks

Paul
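A worked example of the sudoOrder behaviour the thread is circling, added here by the editor and not part of the original messages or of sudo/SSSD itself: sudoers.ldap(5) sorts matching sudoRole entries by sudoOrder (missing attribute treated as 0) and, like a sudoers file, lets the last match win, so the matching entry with the highest sudoOrder supplies the options. The script embeds two constructed LDIF entries modelled on the System_Admins and DB_Server_Admins roles from the post; the DN suffix, the sudoOrder values 20 and 10, the host name and joe's group memberships are assumptions. It shows that with sudoOrder set the %wheel rule's !authenticate is applied regardless of the order the directory returns entries, and that without sudoOrder the outcome flips with the server's return order.

```python
"""Simulate sudo's LDAP sudoOrder handling (sudoers.ldap(5) semantics).

Constructed example for the thread above; the DN suffix, sudoOrder values,
host name and group memberships are assumptions, not data from the post.
"""
import re

# Constructed LDIF: the two roles from the post, with sudoOrder added so the
# %wheel role (20) sorts after, and therefore beats, the %dbadmins role (10).
LDIF_WITH_ORDER = """\
dn: cn=DB_Server_Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: DB_Server_Admins
sudoUser: %dbadmins
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 10

dn: cn=System_Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: System_Admins
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 20
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def without_order(text):
    """Return the same LDIF with every sudoOrder attribute removed."""
    return re.sub(r"^sudoOrder:.*\n", "", text, flags=re.M)


def role_matches(entry, user, groups, host):
    """Match sudoUser (plain name, %group or ALL) and sudoHost (name or ALL)."""
    user_ok = any(
        u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
        for u in entry.get("sudoUser", [])
    )
    host_ok = any(h in ("ALL", host) for h in entry.get("sudoHost", []))
    return user_ok and host_ok


def effective_options(entries, user, groups, host):
    """Return (role names in evaluation order, options of the winning role).

    Matching roles are sorted by sudoOrder ascending (missing = 0); the sort is
    stable, so roles with equal sudoOrder keep the directory's return order.
    As with a sudoers file the last match wins, i.e. the highest sudoOrder.
    """
    matched = [e for e in entries if role_matches(e, user, groups, host)]
    matched.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    order = [e["cn"][0] for e in matched]
    winner_opts = matched[-1].get("sudoOption", []) if matched else []
    return order, winner_opts


def needs_password(options):
    """!authenticate on the winning rule disables the password prompt."""
    return "!authenticate" not in options


if __name__ == "__main__":
    joe = ("joe", {"wheel", "dbadmins"}, "dbhost")  # assumed memberships/host
    ordered = parse_ldif(LDIF_WITH_ORDER)
    unordered = parse_ldif(without_order(LDIF_WITH_ORDER))
    for label, entries in [
        ("sudoOrder set", ordered),
        ("no sudoOrder, server order A", unordered),
        ("no sudoOrder, server order B", unordered[::-1]),
    ]:
        order, opts = effective_options(entries, *joe)
        print(f"{label}: {order} -> password needed: {needs_password(opts)}")
```

Only the winning role's options count in this model, which is why joe is prompted whenever the %dbadmins role happens to sort last; giving the %wheel role the highest sudoOrder makes that ordering explicit instead of leaving it to whatever order the directory happens to return.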


