Discussion:
Sudo configuration question
Erinn Looney-Triggs
2011-12-20 21:59:45 UTC
I have been working through configuring sudo via IPA and ran into the
following situation.

There is a directive in the documentation to configure
/etc/sssd/sssd.conf on the clients with something like the following:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com


This is pulled from the docs here for reference:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html

This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?

Any ideas?

-Erinn
Jan Zelený
2011-12-21 07:27:54 UTC
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Support for SUDO in SSSD has been added just about a week ago into master
branch and is considered experimental right now. And as I understand it, the
support in SUDO itself is still not entirely complete. So the simple answer
is: hang on, the support is coming.

Jan
Erinn Looney-Triggs
2011-12-21 08:28:46 UTC
Post by Jan Zelený
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Support for SUDO in SSSD has been added just about a week ago into master
branch and is considered experimental right now. And as I understand it, the
support in SUDO itself is still not entirely complete. So the simple answer
is: hang on, the support is coming.
Jan
Hmm, that is odd. I am not trying to be on the bleeding edge here, my
sudo setup is taken directly from the RHEL 6.2 documentation concerning
identity management. It would be very strange if RHEL was running such
an experimental and bleeding edge thing in the base RHEL setup.

So I guess to back up a bit here, IF sudo were working with SSSD as it
will in the future would the aforementioned directive be the way to make
it work. Understanding of course that for now it doesn't.

-Erinn
Jan Zelený
2011-12-21 09:22:45 UTC
Post by Erinn Looney-Triggs
Post by Jan Zelený
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Support for SUDO in SSSD has been added just about a week ago into master
branch and is considered experimental right now. And as I understand it,
the support in SUDO itself is still not entirely complete. So the simple
answer is: hang on, the support is coming.
Jan
Hmm, that is odd. I am not trying to be on the bleeding edge here, my
sudo setup is taken directly from the RHEL 6.2 documentation concerning
identity management. It would be very strange if RHEL was running such
an experimental and bleeding edge thing in the base RHEL setup.
Of course, it's not even in Fedora yet. The documentation link you sent
doesn't refer to SSSD but directly to sudo LDAP plugin which should be working
as described there.
Post by Erinn Looney-Triggs
So I guess to back up a bit here, IF sudo were working with SSSD as it
will in the future would the aforementioned directive be the way to make
it work. Understanding of course that for now it doesn't.
I assume you are referring to the SSSD search base directive. In that case the
correct directive will be ldap_sudo_search_base. There are also 11 more
directives which can be used to configure attribute names of LDAP sudo objects
like ldap_sudorule_name, ldap_sudorule_command, etc.

Some configuration will be also needed for the entire chain to work. For
example sudo responder config section will have to be set up. But let's not
skip ahead, I'm sure everything will be well documented by the time when the
sudo chain is stable.

I hope this answers your question. If you have any more questions please don't
hesitate to ask.

Thanks
Jan
Erinn Looney-Triggs
2011-12-21 09:37:18 UTC
Post by Jan Zelený
Post by Erinn Looney-Triggs
Post by Jan Zelený
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Support for SUDO in SSSD has been added just about a week ago into master
branch and is considered experimental right now. And as I understand it,
the support in SUDO itself is still not entirely complete. So the simple
answer is: hang on, the support is coming.
Jan
Hmm, that is odd. I am not trying to be on the bleeding edge here, my
sudo setup is taken directly from the RHEL 6.2 documentation concerning
identity management. It would be very strange if RHEL was running such
an experimental and bleeding edge thing in the base RHEL setup.
Of course, it's not even in Fedora yet. The documentation link you sent
doesn't refer to SSSD but directly to sudo LDAP plugin which should be working
as described there.
Post by Erinn Looney-Triggs
So I guess to back up a bit here, IF sudo were working with SSSD as it
will in the future would the aforementioned directive be the way to make
it work. Understanding of course that for now it doesn't.
I assume you are referring to the SSSD search base directive. In that case the
correct directive will be ldap_sudo_search_base. There are also 11 more
directives which can be used to configure attribute names of LDAP sudo objects
like ldap_sudorule_name, ldap_sudorule_command, etc.
Some configuration will be also needed for the entire chain to work. For
example sudo responder config section will have to be set up. But let's not
skip ahead, I'm sure everything will be well documented by the time when the
sudo chain is stable.
I hope this answers your question. If you have any more questions please don't
hesitate to ask.
Thanks
Jan
Ok thanks. I think we are talking about two slightly different things
here. I am just trying to figure out why that directive is supposed to
be in sssd.conf (according to the docs) and why sudo continues to
function with the IPA server if that directive is not in sssd.conf.

-Erinn
Jan Zelený
2011-12-21 09:50:17 UTC
Post by Erinn Looney-Triggs
Post by Jan Zelený
Post by Erinn Looney-Triggs
Post by Jan Zelený
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left
it out on a few systems, sudo continued to function, so I am
wondering what it is that this directive does? Does this get sssd
into the loop to cache sudo rules for offline use?
Support for SUDO in SSSD has been added just about a week ago into
master branch and is considered experimental right now. And as I
understand it, the support in SUDO itself is still not entirely
complete. So the simple answer is: hang on, the support is coming.
Jan
Hmm, that is odd. I am not trying to be on the bleeding edge here, my
sudo setup is taken directly from the RHEL 6.2 documentation concerning
identity management. It would be very strange if RHEL was running such
an experimental and bleeding edge thing in the base RHEL setup.
Of course, it's not even in Fedora yet. The documentation link you sent
doesn't refer to SSSD but directly to sudo LDAP plugin which should be
working as described there.
Post by Erinn Looney-Triggs
So I guess to back up a bit here, IF sudo were working with SSSD as it
will in the future would the aforementioned directive be the way to make
it work. Understanding of course that for now it doesn't.
I assume you are referring to the SSSD search base directive. In that
case the correct directive will be ldap_sudo_search_base. There are also
11 more directives which can be used to configure attribute names of
LDAP sudo objects like ldap_sudorule_name, ldap_sudorule_command, etc.
Some configuration will be also needed for the entire chain to work. For
example sudo responder config section will have to be set up. But let's
not skip ahead, I'm sure everything will be well documented by the time
when the sudo chain is stable.
I hope this answers your question. If you have any more questions please
don't hesitate to ask.
Thanks
Jan
Ok thanks. I think we are talking about two slightly different things
here. I am just trying to figure out why that directive is supposed to
be in sssd.conf (according to the docs) and why sudo continues to
function with the IPA server if that directive is not in sssd.conf.
It's there because sudo rules can be based, among other things, on netgroups
and users' memberships in them. Therefore what happens with that configuration
is that the sudo LDAP plugin asks for sudo objects, but SSSD is used to retrieve
information about netgroups and maybe also about common users/groups (I'm not
completely sure about that since I haven't checked the documentation
thoroughly).

I hope the whole thing is a bit more clear to you now

Thanks
Jan
Jakub Hrozek
2011-12-21 10:39:13 UTC
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
-Erinn
When sudo performs a lookup it does so in two iterations:
1) Try to find a matching rule using ALL, username or any of group names
2) if 1) does not match, search for all netgroups and look if user
is a member of a netgroup with innetgr()

so I assume that your sudo lookups matched with the first iteration and
never actually needed to look up netgroup data.
Stephen Gallagher
2011-12-21 13:37:44 UTC
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).

However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.

The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).

Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.

So, in short, you don't need to set it, the doc is outdated.
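Jakub's two-pass description and Stephen's netgroup point above, modelled as an added Python example that is not sudo's or SSSD's code: the sudoRole entries, the netgroup map and the user names are constructed, and `innetgr()` here is a re-implementation of the glibc triple semantics, not a call into libc. It shows why a user matched by name or group in pass 1 never touches netgroup data, and what happens to a netgroup-only rule when the client returns no netgroups at all.

```python
"""Model of sudo's two-pass LDAP rule lookup with an innetgr()-style check.

Added example, not sudo's or SSSD's code. RULES and NETGROUPS are constructed;
attribute names follow the sudoers LDAP schema, and netgroup triples are
(host, user, domain) with None as wildcard, as getnetgrent()/innetgr() see them.
"""

# Constructed sudoRole entries, as the sudo LDAP plugin would fetch them.
RULES = [
    {"cn": "admins_all", "sudoUser": ["%wheel"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "erinn_restart", "sudoUser": ["erinn"], "sudoHost": ["ALL"],
     "sudoCommand": ["/sbin/service httpd restart"]},
    {"cn": "dba_team", "sudoUser": ["+dbadmins"], "sudoHost": ["+dbhosts"],
     "sudoCommand": ["/sbin/service postgresql restart"]},
]

# Constructed netgroup map (what nss/SSSD would hand back): name -> triples.
NETGROUPS = {
    "dbadmins": [(None, "alice", None), (None, "bob", None)],
    "dbhosts": [("db1.example.com", None, None), ("db2.example.com", None, None)],
}


def innetgr(netgroups, name, host=None, user=None, domain=None):
    """innetgr()-style membership test; None in query or triple matches anything."""
    def ok(have, want):
        return have is None or want is None or have == want
    return any(ok(h, host) and ok(u, user) and ok(d, domain)
               for h, u, d in netgroups.get(name, []))


def host_ok(rule, host, netgroups):
    """sudoHost match: ALL, the exact host name, or +netgroup via innetgr()."""
    for v in rule["sudoHost"]:
        if v == "ALL" or v == host:
            return True
        if (v.startswith("+") and netgroups is not None
                and innetgr(netgroups, v[1:], host=host)):
            return True
    return False


def lookup(user, groups, host, rules=RULES, netgroups=NETGROUPS):
    """Return (matching rule cns, pass used).

    Pass 1 matches sudoUser against ALL, the user name or %group, so a user
    covered there never needs netgroup data (why sudo kept working in the
    thread). Pass 2 runs only when pass 1 finds nothing and resolves
    +netgroup entries through innetgr(). netgroups=None models a client whose
    nss/SSSD returns no netgroups: netgroup-only rules then silently vanish.
    """
    def user_pass1(v):
        return v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)

    first = [r["cn"] for r in rules
             if any(user_pass1(v) for v in r["sudoUser"])
             and host_ok(r, host, netgroups)]
    if first:
        return first, 1
    if netgroups is None:
        return [], 2
    second = [r["cn"] for r in rules
              if any(v.startswith("+") and innetgr(netgroups, v[1:], user=user)
                     for v in r["sudoUser"])
              and host_ok(r, host, netgroups)]
    return second, 2
```

Running `lookup("alice", ["alice"], "db1.example.com", netgroups=None)` returns no rule at all, which is the case to watch for when checking a client whose netgroup lookup is misconfigured.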
Jan Zelený
2011-12-21 13:58:30 UTC
Post by Stephen Gallagher
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).
However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.
The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).
Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.
Actually no, my comment was a reaction to the original question if the SSSD
can get into loop to cache sudo rules for offline use.
Post by Stephen Gallagher
So, in short, you don't need to set it, the doc is outdated.
Jan
Erinn Looney-Triggs
2011-12-21 18:08:55 UTC
Post by Stephen Gallagher
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).
However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.
The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).
Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.
So, in short, you don't need to set it, the doc is outdated.
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Ok thanks, that makes sense. One final question here, is there a way to
verify that sssd is in fact setting this properly? Not that I doubt you
of course, it is just a matter of so many versions of sssd in so many
places that it would be good to verify that it works automagically on
RHEL 5, 6, and whatever else, say Ubuntu etc.

-Erinn
Stephen Gallagher
2011-12-21 18:14:58 UTC
Post by Erinn Looney-Triggs
Post by Stephen Gallagher
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).
However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.
The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).
Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.
So, in short, you don't need to set it, the doc is outdated.
Ok thanks, that makes sense. One final question here, is there a way
to verify that sssd is in fact setting this properly? Not that I doubt
you of course, it is just a matter of so many versions of sssd in so
many places that it would be good to verify that it works
automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
-Erinn
You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and
restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line
setting the ldap_netgroup_search_base option.
Erinn Looney-Triggs
2011-12-21 18:40:07 UTC
Post by Stephen Gallagher
Post by Erinn Looney-Triggs
Post by Stephen Gallagher
Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Any ideas?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).
However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.
The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).
Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.
So, in short, you don't need to set it, the doc is outdated.
Ok thanks, that makes sense. One final question here, is there a way
to verify that sssd is in fact setting this properly? Not that I doubt
you of course, it is just a matter of so many versions of sssd in so
many places that it would be good to verify that it works
automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
-Erinn
You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and
restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line
setting the ldap_netgroup_search_base option.
Great, thank you so much for your time. I really appreciate it.

-Erinn
