[sudo-users] LDAP Group Evaluation order
Paul Cantle
paul at cantle.me
Fri Jan 8 17:10:11 MST 2016
Hi All,
In case anyone is interested, a bug in SSSD prevented sudoOrder from working correctly – bugzilla.redhat.com ID 1138576 (actually a duplicate of 1232950).
However (although I’m unable to see it), the bug in SSSD seems to be fixed in version 1.13.0 and now sudoOrder works correctly.
Rgds
Paul
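What the two roles from the original question look like once sudoOrder is populated, as an added LDIF example that is not from this thread. The base DN, host name and the numeric sudoOrder values are placeholders, and the directory is assumed to have the sudo LDAP schema (sudoRole object class) loaded.

```ldif
# Added example, not from the thread. Base DN, host and order values
# are placeholders; adjust to the local directory layout.
dn: cn=DB_Server_Admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: DB_Server_Admins
sudoUser: %dbadmins
sudoHost: dbserver01
sudoRunAsUser: ALL
sudoCommand: ALL
# Lower sudoOrder: this entry is processed first, so its default
# (authenticate) setting can be overridden by a later matching entry.
sudoOrder: 10

dn: cn=System_Admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: System_Admins
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
# Highest sudoOrder among the matching entries wins, mirroring the
# last-match rule of a sudoers file. Without sudoOrder every entry
# defaults to 0 and the result for joe depends on the order in which
# the directory happens to return the entries.
sudoOrder: 20
```

After loading the entries (and with an SSSD release that honours sudoOrder), `sudo -ll` as joe should list System_Admins with `Options: !authenticate` as the effective rule; if a password prompt persists, check the SSSD version before touching the rules again.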
From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 22:02
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: Re: LDAP Group Evaluation order
Hi,
Following up:
It would appear I need the sudoOrder attribute to be populated, which will allow manipulation of the rule processing order. However, I’m not sure my Windows system will support that.
I’ll keep digging or see if there’s another way.
Rgds
Paul
From: Paul Cantle <paul at cantle.me>
Date: Monday, 2 November 2015 at 19:09
To: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: LDAP Group Evaluation order
Hi all,
Apologies if this has been answered previously.
I’m using SSSD to source my Sudo groups from LDAP (Active Directory in my case).
Is there any way to control, when a user is a member of 2 groups, which one is sourced first? I’m guessing it uses “least privileged” by default, but for some users or groups, I don’t necessarily want this.
For example:
User joe is a member of SSSD Role: System_Admins. Within this role is %wheel. The %wheel group gets ALL with !authenticate (this all works fine).
If I add joe to another SSSD Role: DB_Server_Admins (let’s say he has to be in this role due to nested grouping and Role Based Access Control). Within this role is %dbadmins. The %dbadmins group also gets ALL on this particular server but has to authenticate.
When joe runs any sudo command now, it asks him for a password (and ignores the !authenticate from his %wheel group membership).
Output of sudo -ll:

User joe may run the following commands on this host:

SSSD Role: DB_Server_Admins
    RunAsUsers: ALL
    Commands:
        ALL

SSSD Role: System_Admins
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL
Is there any way to specify for joe or for %wheel that even if joe is a member of another group, his %wheel group privs are the ones used and not any other group’s?
Thanks
Paul