Hi List,

I am able to do the following.

Environment: Windows 2012 AD, CentOS 6

1. Authenticate users based on group
2. Users are able to sudo

My question:

Suppose I want to create multiple sudo groups, say two sudo groups.

1. One group has access to use the commands fdisk, chmod
2. Another group has access to use the su command

Is it possible to differentiate users to restrict sudo access? Please help me here to resolve this issue.

Regards,
Jagannath Naidu

On Wed, Aug 03, 2016 at 04:20:59PM +0530, Jagannath Naidu wrote:
> Hi List,
> I am able to do the following.
> Environment: Windows 2012 AD, CentOS 6
> - Authenticate users based on group
> - Users are able to sudo
> My question:
> Suppose I want to create multiple sudo groups, say two sudo groups.
> - One group has access to use the commands fdisk, chmod
> - Another group has access to use the su command
> Is it possible to differentiate users to restrict sudo access?

Restrict how?

> Please help me here to resolve this issue.

Users in one group would be able to call fdisk and chmod, users in another group would be able to call su. Users in both would be able to call both.

Thank you for the quick response.

On Wed, Aug 3, 2016 at 4:57 PM, Jakub Hrozek jhrozek@redhat.com wrote:
> On Wed, Aug 03, 2016 at 04:20:59PM +0530, Jagannath Naidu wrote:
> > Hi List,
> > I am able to do the following.
> > Environment: Windows 2012 AD, CentOS 6
> > - Authenticate users based on group
> > - Users are able to sudo
> > My question:
> > Suppose I want to create multiple sudo groups, say two sudo groups.
> > - One group has access to use the commands fdisk, chmod
> > - Another group has access to use the su command
> > Is it possible to differentiate users to restrict sudo access?
>
> Restrict how?

Say one group can use basic admin user commands like fdisk, chmod, chown and one group can use super admin user commands like su, bash.

In sssd.conf we add the following:

sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=in

But is it not serving for multiple sudo groups
Say we have two groups in AD:

cn=basic-admin,ou=sudoers,dc=test,dc=in
cn=super-admin,ou=sudoers,dc=test,dc=in

Note: Users are able to ssh to the system because in sssd.conf I have

ldap_access_order = filter
ldap_access_filter = (&(objectClass=user)(memberOf=CN=Allowed,DC=test,DC=in))

> > Please help me here to resolve this issue.
>
> Users in one group would be able to call fdisk and chmod, users in another group would be able to call su. Users in both would be able to call both.

_______________________________________________
sssd-users mailing list sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

On Wed, Aug 03, 2016 at 07:09:01PM +0530, Jagannath Naidu wrote:
> Thank you for the quick response.
>
> On Wed, Aug 3, 2016 at 4:57 PM, Jakub Hrozek jhrozek@redhat.com wrote:
> > On Wed, Aug 03, 2016 at 04:20:59PM +0530, Jagannath Naidu wrote:
> > > Hi List,
> > > I am able to do the following.
> > > Environment: Windows 2012 AD, CentOS 6
> > > - Authenticate users based on group
> > > - Users are able to sudo
> > > My question:
> > > Suppose I want to create multiple sudo groups, say two sudo groups.
> > > - One group has access to use the commands fdisk, chmod
> > > - Another group has access to use the su command
> > > Is it possible to differentiate users to restrict sudo access?
> >
> > Restrict how?
>
> Say one group can use basic admin user commands like fdisk, chmod, chown and one group can use super admin user commands like su, bash.

Well, then does it help to put different users into different groups?

> In sssd.conf we add the following:
>
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=test,dc=in
>
> But is it not serving for multiple sudo groups
> Say we have two groups in AD:
>
> cn=basic-admin,ou=sudoers,dc=test,dc=in
> cn=super-admin,ou=sudoers,dc=test,dc=in

If the users are in both groups, they should have the superset of the rules. (Please note a user must log out for their group membership to change.)

> Note: Users are able to ssh to the system because in sssd.conf I have
>
> ldap_access_order = filter
> ldap_access_filter = (&(objectClass=user)(memberOf=CN=Allowed,DC=test,DC=in))
>
> > > Please help me here to resolve this issue.
> >
> > Users in one group would be able to call fdisk and chmod, users in another group would be able to call su. Users in both would be able to call both.
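
One way to express the two tiers discussed in this thread, as an added example that is not from either poster or from the SSSD project: two sudoRole entries under the ldap_sudo_search_base quoted above, each tied to one group through sudoUser. The rule names, the sudo LDAP schema being loaded in the directory, the groups resolving on the client as basic-admin and super-admin, and the CentOS 6 command paths are all assumptions.

```ldif
# Added example. Entry names, group names and command paths are assumptions.
# Requires the sudo LDAP schema (objectClass sudoRole) in the directory.

# Rule for members of the basic-admin group: fdisk and chmod only.
dn: cn=basic-admin-rule,ou=sudoers,dc=test,dc=in
objectClass: top
objectClass: sudoRole
cn: basic-admin-rule
# A leading % makes sudoUser match a group rather than a single user.
sudoUser: %basic-admin
sudoHost: ALL
sudoCommand: /sbin/fdisk
sudoCommand: /bin/chmod

# Rule for members of the super-admin group: su only.
dn: cn=super-admin-rule,ou=sudoers,dc=test,dc=in
objectClass: top
objectClass: sudoRole
cn: super-admin-rule
sudoUser: %super-admin
sudoHost: ALL
sudoCommand: /bin/su
```

A user who is in both groups matches both entries and gets the union of the commands; running `sudo -l` as that user after a fresh login shows the merged list.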