Hi all, how does sssd process multiple sudo rules from an OU search base? I have my base pointed at an OU where I have one sudo rule applied, and that works, but have another farther down. I can see in the logs that it sees both rules. What I can't find is how sssd handles that? Does it merge the rules? How does it handle conflicts? Does computer object location matter like it does for group policies?
Todd
On Thu, Feb 18, 2016 at 06:37:16PM +0000, Mote, Todd wrote:
> Hi all, how does sssd process multiple sudo rules from an OU search base? I have my base pointed at an OU where I have one sudo rule applied, and that works, but have another farther down. I can see in the logs that it sees both rules. What I can't find is how sssd handles that? Does it merge the rules? How does it handle conflicts? Does computer object location matter like it does for group policies?
The sudo rules are evaluated by sudo itself; you can see that in the sudo logs, see: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

If you have conflicts and want to solve them, you can use the sudoOrder attribute.
On 02/18/2016 07:37 PM, Mote, Todd wrote:
> Hi all, how does sssd process multiple sudo rules from an OU search base? I have my base pointed at an OU where I have one sudo rule applied, and that works, but have another farther down. I can see in the logs that it sees both rules. What I can't find is how sssd handles that? Does it merge the rules?
If the cn is the same, I'd rather say that the behaviour is undefined - we don't deal with conflicts. If the cn are different, then it should be fine.
> How does it handle conflicts? Does computer object location matter like it does for group policies?
sudo itself doesn't know about computer objects, it uses just hostnames.
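
The following is an added example, not code from this thread or from the sssd or sudo projects. It models the sudoers.ldap behaviour that, among matching sudoRole entries, the one with the highest sudoOrder is chosen (a missing sudoOrder counts as 0), with matching simplified to exact strings and ALL; every DN, group, host and command in it is constructed, and the function names are hypothetical.

```python
# Simplified model: sudo picks the matching sudoRole with the highest sudoOrder.
# Every DN, group, host and command below is constructed sample data.
RULES_LDIF = """\
dn: cn=ops-restart,ou=SUDOers,dc=example,dc=com
cn: ops-restart
sudoUser: %ops
sudoHost: web01.example.com
sudoCommand: /usr/bin/systemctl restart httpd
sudoOption: !authenticate
sudoOrder: 10

dn: cn=ops-restart-pw,ou=Web,ou=SUDOers,dc=example,dc=com
cn: ops-restart-pw
sudoUser: %ops
sudoHost: ALL
sudoCommand: /usr/bin/systemctl restart httpd
sudoOption: authenticate
sudoOrder: 20
"""

def parse_ldif(text):
    """Parse blank-line separated LDIF records into dicts of value lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def matches(entry, attr, value):
    vals = entry.get(attr, [])
    return "ALL" in vals or value in vals

def winning_rule(entries, user_or_group, host, command):
    """Return the matching entry with the highest sudoOrder, or None."""
    hits = [e for e in entries
            if matches(e, "sudoUser", user_or_group)
            and matches(e, "sudoHost", host)      # hostname only, never the DN
            and matches(e, "sudoCommand", command)]
    if not hits:
        return None
    orders = [float(e.get("sudoOrder", ["0"])[0]) for e in hits]
    if orders.count(max(orders)) > 1:
        raise ValueError("tie on sudoOrder: the winner is not determined")
    return hits[orders.index(max(orders))]
```

Both rules match on web01.example.com regardless of which OU holds them, and the entry with sudoOrder 20 wins, so the password prompt stays in force.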