Hi,
the sssd's code that fetches sudo rules from the IPA server got an overhaul recently. The search would no longer be performed against the compat tree, but against IPA's native LDAP tree. This would have the advantage that environments that don't use the slapi-nis' compat tree for another reason (like old or non-Linux clients) would no longer require slapi-nis to be running at all.
We'd like to get some tests for this new code! If you're running Fedora, you can just upgrade to the packages from Fedora's updates-testing. If you're running RHEL-6.7 and would like to see what is cooking for 6.8, you can try this repository: https://copr.fedorainfracloud.org/coprs/jhrozek/SSSD-6.8-preview/
RHEL-7 wouldn't receive this code until 7.3, so we don't have test packages for el7 yet.
On (27/01/16 16:21), Jakub Hrozek wrote:
> Hi,
> the sssd's code that fetches sudo rules from the IPA server got an overhaul recently. The search would no longer be performed against the compat tree, but against IPA's native LDAP tree. This would have the advantage that environments that don't use the slapi-nis' compat tree for another reason (like old or non-Linux clients) would no longer require slapi-nis to be running at all.
> We'd like to get some tests for this new code! If you're running Fedora, you can just upgrade to the packages from Fedora's updates-testing. If you're running RHEL-6.7 and would like to see what is cooking for 6.8, you can try this repository: https://copr.fedorainfracloud.org/coprs/jhrozek/SSSD-6.8-preview/
> RHEL-7 wouldn't receive this code until 7.3, so we don't have test packages for el7 yet.
Actually, there are packages suitable for testing on rhel7.2: https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/ It's a backported version from Fedora 23.
LS
Jakub Hrozek wrote:
> the sssd's code that fetches sudo rules from the IPA server got an overhaul recently. The search would no longer be performed against the compat tree, but against IPA's native LDAP tree. This would have the advantage that environments that don't use the slapi-nis' compat tree for another reason (like old or non-Linux clients) would no longer require slapi-nis to be running at all.
Frankly I don't understand this text. Especially I don't know what the terms "compat tree" and "IPA's native LDAP tree" really mean.
Does this only affect the IPA provider?
Ciao, Michael.
--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com
On Sun, Jan 31, 2016 at 09:58:40PM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
> > the sssd's code that fetches sudo rules from the IPA server got an overhaul recently. The search would no longer be performed against the compat tree, but against IPA's native LDAP tree. This would have the advantage that environments that don't use the slapi-nis' compat tree for another reason (like old or non-Linux clients) would no longer require slapi-nis to be running at all.
>
> Frankly I don't understand this text. Especially I don't know what the terms "compat tree" and "IPA's native LDAP tree" really mean.
I'm sorry, I will try to rephrase.
If you add sudo rules to an IPA server using the "ipa sudorule" commands, the LDAP objects are added to the cn=sudorules,cn=sudo,$DC tree using a schema that is specific to IPA. The rule might look like this one on my test server:

dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
ipaUniqueID: c4bba598-9f5b-11e5-8750-525400676811
memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation
However, the client side (both the LDAP connector that is built-in to sudo itself and the SSSD) only understood the schema as defined by http://linux.die.net/man/5/sudoers.ldap
Therefore, there is another subtree on the IPA server, rooted at ou=sudoers,$DC. This subtree is often called the 'compat' tree, because it was built with non-SSSD clients in mind. The objects are put into the compat tree by the slapi-nis Directory Server plugin. The rule above would be converted to:

dn: cn=readfiles,ou=sudoers,dc=ipa,dc=test
sudoUser: jsmith
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/less
cn: readfiles
However, this auto-generation does not come for free and in some environments, the slapi-nis plugin was causing substantial load on the server side. So we added code to the sssd's ipa_provider to handle the objects stored at cn=sudorules,cn=sudo,$DC so that the slapi-nis plugin can be disabled.
The functionality of the ipa's sudo_provider should stay the same, it's just that it's now able to process a different schema and this change allows the admin to disable the slapi-nis plugin (unless they need another piece of its functionality, which is translating the user and group objects into rfc2307 schema for legacy clients..)
> Does this only affect the IPA provider?
Yes.
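The schema translation Jakub describes (ipasudorule under cn=sudo → sudoRole under ou=sudoers), as an added example in Python that is not code from sssd, FreeIPA or slapi-nis. It goes a little beyond the single rule quoted in the thread: it also handles the ALL categories, group members, deny commands, runas settings and disabled rules. Several details are assumptions rather than facts from the thread: that ipasudocmd objects carry the command in sudoCmd, that command groups list their commands in a member attribute, that memberUser/memberHost DNs live under cn=users, cn=groups, cn=computers and cn=hostgroups, that host groups appear in the compat tree as netgroups ('+name'), and that deny commands are prefixed with '!'. The sample directory is constructed: the first two entries mirror the thread, the other two are made up to exercise the extra paths.

```python
"""Added example, not sssd/FreeIPA/slapi-nis code: rebuild the sudoers.ldap
'compat' view (sudoRole) from IPA-native ipasudorule entries.

Assumptions (not stated in the thread): ipasudocmd carries the command in
'sudoCmd'; command groups list commands in 'member'; user/host DNs live under
cn=users, cn=groups, cn=computers, cn=hostgroups; host groups become
netgroups ('+name'); deny commands get a leading '!'."""
from collections import defaultdict

# Constructed sample directory: the two entries from the thread plus a wider
# "admins_all" rule and a disabled rule to exercise the other code paths.
SAMPLE_LDIF = """\
dn: ipaUniqueID=c4bba598-9f5b-11e5-8750-525400676811,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: readfiles
ipaenabledflag: TRUE
externaluser: jsmith
memberallowcmd: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipasudorule
objectClass: ipaassociation

dn: ipaUniqueID=cb15fdc6-9f5b-11e5-b9f5-525400676811,cn=sudocmds,cn=sudo,dc=ipa,dc=test
sudoCmd: /usr/bin/less
objectClass: ipasudocmd

dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: admins_all
ipaenabledflag: TRUE
memberuser: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test
hostcategory: all
cmdcategory: all
ipasudorunasusercategory: all
ipasudoopt: !authenticate
objectClass: ipasudorule

dn: ipaUniqueID=00000000-0000-0000-0000-000000000002,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: retired
ipaenabledflag: FALSE
usercategory: all
cmdcategory: all
objectClass: ipasudorule
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64, no line folding); entries are separated
    by blank lines. Returns {dn_lower: {attr_lower: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def rdn_value(dn):
    """'uid=jsmith,cn=users,...' -> 'jsmith'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def resolve_cmds(dn, directory, depth=0):
    """Follow a memberAllowCmd/memberDenyCmd DN to command strings, expanding
    command groups (assumed 'member' attribute); depth guard stops cycles."""
    target = directory.get(dn.lower(), {})
    if "sudocmd" in target:
        return list(target["sudocmd"])
    if depth >= 4:
        return []
    cmds = []
    for member in target.get("member", []):
        cmds += resolve_cmds(member, directory, depth + 1)
    return cmds


def to_compat(rule, directory, base_dn):
    """Render one ipasudorule as a sudoRole dict, or None when disabled. Empty
    attributes are omitted, like the thread's compat entry without sudoHost."""
    if first(rule, "ipaenabledflag", "TRUE").upper() != "TRUE":
        return None
    cn = first(rule, "cn")
    out = {"dn": f"cn={cn},ou=sudoers,{base_dn}",
           "objectClass": ["sudoRole", "top"], "cn": [cn]}

    def put(attr, values):
        if values:
            out[attr] = values

    def category(attr):  # usercategory/hostcategory/cmdcategory = all -> ALL
        return ["ALL"] if first(rule, attr).lower() == "all" else []

    users = category("usercategory") + list(rule.get("externaluser", []))
    for dn in rule.get("memberuser", []):  # users by name, groups with '%'
        name = rdn_value(dn)
        users.append(name if ",cn=users," in dn.lower() else "%" + name)
    put("sudoUser", users)

    hosts = category("hostcategory") + list(rule.get("externalhost", []))
    for dn in rule.get("memberhost", []):  # hosts by fqdn, hostgroups as '+'
        name = rdn_value(dn)
        hosts.append(name if ",cn=computers," in dn.lower() else "+" + name)
    put("sudoHost", hosts)

    cmds = category("cmdcategory")
    for dn in rule.get("memberallowcmd", []):
        cmds += resolve_cmds(dn, directory)
    for dn in rule.get("memberdenycmd", []):
        cmds += ["!" + c for c in resolve_cmds(dn, directory)]
    put("sudoCommand", cmds)

    put("sudoRunAsUser", category("ipasudorunasusercategory")
        or [rdn_value(d) for d in rule.get("ipasudorunas", [])])
    put("sudoRunAsGroup", [rdn_value(d) for d in rule.get("ipasudorunasgroup", [])])
    put("sudoOption", list(rule.get("ipasudoopt", [])))
    return out


def convert_all(directory, base_dn):
    """Translate every enabled ipasudorule found in the parsed directory."""
    rules = [e for e in directory.values()
             if any(o.lower() == "ipasudorule" for o in e.get("objectclass", []))]
    return [r for r in (to_compat(e, directory, base_dn) for e in rules) if r]


def to_ldif(entry):
    lines = ["dn: " + entry["dn"]]
    for attr, values in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in values]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule in convert_all(parse_ldif(SAMPLE_LDIF), "dc=ipa,dc=test"):
        print(to_ldif(rule))
```

A practical use while testing the new provider: dump cn=sudorules,cn=sudo,$DC (plus cn=sudocmds) from the server, feed the LDIF through this script, and diff the result against an ldapsearch of ou=sudoers,$DC while slapi-nis is still enabled. Any rule that shows up in one view but not the other is worth reporting. Disabled rules (ipaenabledflag: FALSE) are intentionally dropped here, so they should be absent from both views.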