[sudo-workers] Support for SSSD as a data source

Pavel Březina pbrezina at redhat.com
Fri Aug 10 07:27:03 EDT 2012


On 08/10/2012 12:14 PM, Pavel Březina wrote:
> Hello,
> I'm one of the developers of SSSD [1]. I've been working with Daniel
> Kopeček on integrating sudo with SSSD for the past several months and now
> it's in a form that is ready for deployment. It is already a part of
> Fedora 17, and the current enhanced version will be part of Fedora 18
> and RHEL 6.4. We would like to bring our patches to upstream sudo as
> well so more distributions can easily benefit from this feature.
>
> I'm sending the patches as an attachment.

Apparently, the list is removing attachments. The patches can be
obtained here: http://fedorapeople.org/~pbrezina/sudo/patches.tgz

>
> It adds a new nsswitch.conf data source called "sss", which, when
> present, enables SSSD support, which works pretty much the same way the
> "ldap" source does.
>
> Originally, we wanted to create our own plugin via the plugin API you
> have introduced in sudo 1.8. Unfortunately, we didn't find a reasonable
> way to reuse the evaluation logic from the sudoers plugin.
>
> Thus we chose to add our own data source to the sudoers plugin
> and linked directly between sudo and the SSSD. However, that added a
> direct dependency between sudo and SSSD, which raises the maintenance
> costs significantly. So we modified it to avoid linking against our
> library and use dlopen() instead. We know that this is a very hackish
> solution, but it was the best we could do without touching a huge part
> of the sudo source code.
>
> We kindly ask you to consider making these patches a part of sudo
> upstream. We are ready to discuss any objections and eventually help
> you with suggested modifications.
>
> Regards,
> Pavel Březina.
>
> [1] https://fedorahosted.org/sssd



