[sudo-users] LDAP Group Evaluation order

Paul Cantle paul at cantle.me
Fri Jan 8 17:10:11 MST 2016


Hi All,

In case anyone is interested, a bug in SSSD prevented sudoOrder from working correctly – bugzilla.redhat.com ID 1138576 (actually a duplicate of 1232950).

However (although I’m unable to see it), the bug in SSSD seems to be fixed in version 1.13.0 and now sudoOrder works correctly.

Rgds

Paul


From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 22:02
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: Re: LDAP Group Evaluation order

Hi,

Following up:

It would appear I need the sudoOrder attribute to be populated, which will allow manipulation of the rule processing order. However, I’m not sure my Windows system will support that.

I’ll keep digging or see if there’s another way.

Rgds

Paul

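As an added illustration (mine, not code from the thread or from sudo/SSSD), here is a small Python model of why joe's outcome is unpredictable while neither role carries sudoOrder, and becomes fixed once the two roles carry different values. It assumes sudo's precedence rule that, among matching sudoRole entries, the one with the highest sudoOrder wins (missing values counting as 0), and uses constructed entries and group memberships.

```python
# Added example (my illustration, not code from the thread or from sudo/SSSD):
# a model of how sudo's LDAP back end picks between several matching sudoRole
# entries, run against joe's two roles from the thread.  Assumption: matching
# entries are sorted by sudoOrder and the highest value takes precedence; an
# entry without sudoOrder counts as 0, so a tie is decided by whatever order
# the directory happened to return the entries in.

# Constructed sudoRole entries in the sudoers.ldap attribute shape.  Neither
# carries sudoOrder yet, which is the starting situation in the thread.
ROLES = [
    {"cn": "DB_Server_Admins", "sudoUser": ["%dbadmins"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": []},
    {"cn": "System_Admins", "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": ["!authenticate"]},
]
JOE_GROUPS = ["wheel", "dbadmins"]   # joe's memberships, as shown by sudo -ll

def role_matches(role, user, groups, host):
    """sudoUser names a user or a %group; sudoHost is ALL or a hostname."""
    users = role["sudoUser"]
    user_ok = user in users or any("%" + g in users for g in groups)
    host_ok = "ALL" in role["sudoHost"] or host in role["sudoHost"]
    return user_ok and host_ok

def winning_role(roles, user, groups, host):
    """Return the sudoRole whose sudoOption list applies, or None.
    The sort is stable, so equal/missing sudoOrder keeps directory order."""
    matches = [r for r in roles if role_matches(r, user, groups, host)]
    matches.sort(key=lambda r: int(r.get("sudoOrder", 0)), reverse=True)
    return matches[0] if matches else None

def needs_password(roles, user, groups, host):
    """True unless the winning role carries !authenticate."""
    role = winning_role(roles, user, groups, host)
    return role is None or "!authenticate" not in role["sudoOption"]

def with_sudo_order(roles, order):
    """Copy of `roles` with sudoOrder set from the {cn: value} mapping."""
    return [dict(r, sudoOrder=order.get(r["cn"], 0)) for r in roles]

if __name__ == "__main__":
    # Without sudoOrder the answer flips with the directory's return order.
    print(needs_password(ROLES, "joe", JOE_GROUPS, "db1"))        # True
    print(needs_password(ROLES[::-1], "joe", JOE_GROUPS, "db1"))  # False
    # Giving System_Admins the higher sudoOrder makes !authenticate win either way.
    fixed = with_sudo_order(ROLES, {"System_Admins": 20, "DB_Server_Admins": 10})
    print(needs_password(fixed, "joe", JOE_GROUPS, "db1"))        # False
    print(needs_password(fixed[::-1], "joe", JOE_GROUPS, "db1"))  # False
```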

From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 19:09
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: LDAP Group Evaluation order

Hi all,

Apologies if this has been answered previously.

I’m using SSSD to source my Sudo groups from LDAP (Active Directory in my case).

Is there any way to control (when a user is a member of 2 groups), which one is sourced first? I’m guessing it uses “least privileged” by default, but for some users or groups, I don’t necessarily want this.

For example:

User joe is a member of SSSD Role: System_Admins. Within this role is %wheel. The %wheel group gets ALL with !authenticate (this all works fine).

If I add joe to another SSSD Role: DB_Server_Admins (Let’s say he has to be in this role due to nested grouping and Role Based Access Control). Within this role is %dbadmins. The %dbadmins group also gets ALL on this particular server but has to authenticate.

When joe runs any sudo command now, it asks him for a password (and ignores the !authenticate from his %wheel group membership).

Output of sudo -ll:

User joe may run the following commands on this host:

SSSD Role: DB_Server_Admins
    RunAsUsers: ALL
    Commands:
        ALL

SSSD Role: System_Admins
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL


Is there any way to specify, for joe or for %wheel, that even if joe is a member of another group, his %wheel group privs are the ones used and not any other group's?

Thanks

Paul
