Post by Stephen Gallagher Post by Erinn Looney-Triggs
I have been working through configuring sudo via IPA and ran into the
There is a directive in the documentation to configure
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
This is fine and causes no problems, however, when I mistakenly left it
out on a few systems, sudo continued to function, so I am wondering what
it is that this directive does? Does this get sssd into the loop to
cache sudo rules for offline use?
Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).
However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.
The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).
Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.
So, in short, you don't need to set it, the doc is outdated.
Freeipa-users mailing list
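An added example, not part of the thread: a small audit helper that reads a domain section of sssd.conf and reports the netgroup search base SSSD will actually use, applying the rule Stephen describes (explicit ldap_netgroup_search_base wins, otherwise cn=ng,cn=compat,<ldap_search_base>). The two sssd.conf fragments are constructed, and the default derivation is assumed from the thread rather than taken from SSSD's source.

```python
import configparser

# Constructed sssd.conf fragments: one sets the directive explicitly, the
# other leaves it out the way Erinn's "forgotten" systems did.
SSSD_CONF_EXPLICIT = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
"""

SSSD_CONF_IMPLICIT = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
"""


def effective_netgroup_base(conf_text: str, domain: str) -> str:
    """Return the netgroup search base SSSD will use for `domain`.

    Assumed behaviour (from the thread): an explicit ldap_netgroup_search_base
    wins; when it is absent the compat tree cn=ng,cn=compat,<ldap_search_base>
    is used.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    dom = cp[section]
    explicit = dom.get("ldap_netgroup_search_base")
    if explicit:
        return explicit.strip()
    base = dom.get("ldap_search_base")
    if not base:
        raise ValueError("neither ldap_netgroup_search_base nor ldap_search_base is set")
    return f"cn=ng,cn=compat,{base.strip()}"


def uses_compat_default(conf_text: str, domain: str) -> bool:
    """True when the effective base is the compat default (explicit or implied)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    base = cp[f"domain/{domain}"].get("ldap_search_base", "").strip()
    return effective_netgroup_base(conf_text, domain) == f"cn=ng,cn=compat,{base}"
```

Running it against both fragments shows the same effective base, which is why sudo's netgroup restrictions kept resolving on the hosts where the line was left out.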
Ok thanks, that makes sense. One final question here, is there a way to
RHEL 5, 6, and whatever else, say Ubuntu etc.