HI!
I can see substring filters like this in my LDAP logs:
[..] (|(sudoHost=*\5C*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))
(stripped the lengthy filter)
Is this sssd asking for sudoRole entries?
Ciao, Michael.
On Thu, 17 Apr 2014 12:44:57 +0200 "Michael Ströder" michael@stroeder.com wrote
I can see substring filters like this in my LDAP logs:
[..] (|(sudoHost=*\5C*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))
(stripped the lengthy filter)
Is this sssd asking for sudoRole entries?
Hmm, clarified with the sysadmin to use:
ldap_sudo_use_host_filter = false
IMHO this should be the default because substring searches like above are really stupid.
Ciao, Michael.
On Thu, Apr 17, 2014 at 02:22:18PM +0200, Michael Ströder wrote:
On Thu, 17 Apr 2014 12:44:57 +0200 "Michael Ströder" michael@stroeder.com wrote
I can see substring filters like this in my LDAP logs:
[..] (|(sudoHost=*\5C*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))
(stripped the lengthy filter)
Is this sssd asking for sudoRole entries?
Hmm, clarified with the sysadmin to use:
ldap_sudo_use_host_filter = false
IMHO this should be the default because substring searches like above are really stupid.
Ciao, Michael.
Did you sanitize the filter before sending it to the list? I would have expected the filter to include your machine's host name..
And no, it's not stupid, the intent is to download only rules that apply to the particular machine.
Jakub Hrozek wrote:
On Thu, Apr 17, 2014 at 02:22:18PM +0200, Michael Ströder wrote:
On Thu, 17 Apr 2014 12:44:57 +0200 "Michael Ströder" michael@stroeder.com wrote
I can see substring filters like this in my LDAP logs:
[..] (|(sudoHost=*\5C*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))
(stripped the lengthy filter)
Is this sssd asking for sudoRole entries?
Hmm, clarified with the sysadmin to use:
ldap_sudo_use_host_filter = false
IMHO this should be the default because substring searches like above are really stupid.
Did you sanitize the filter before sending it to the list? I would have expected the filter to include your machine's host name..
Yes, it was shortened - indicated above by [..].
And no, it's not stupid, the intent is to download only rules that apply to the particular machine.
Ok, let's look at the complete filter as multi-line representation (replaced real names and addresses):
(&
  (&
    (objectClass=sudoRole)
    (modifyTimestamp>=20140217143850Z)
    (!(modifyTimestamp=20140217143850Z))
  )
  (|
    (!(sudoHost=*))
    (sudoHost=ALL)
    (sudoHost=foo)
    (sudoHost=foo.example.com)
    (sudoHost=192.168.42.220)
    (sudoHost=192.168.42.0/24)
    (sudoHost=+*)
    (|
      (sudoHost=*\5C*)
      (sudoHost=*?*)
      (sudoHost=*\2A*)
      (sudoHost=*[*]*)
    )
  )
)
No problem with the exact searches if you have an eq-index for 'sudoHost'.
But the substring searches are using less than 3 chars. Therefore even with a sub-index on 'sudoHost' this would never be used. Ok, in this case above the eq-indexing on 'objectClass' and ordering-indexing on 'modifyTimestamp' reduces the number of search candidates.
=> I'd strongly vote for this default:
ldap_sudo_use_host_filter = false
In my case I will disable SUBSTR matching rule for 'sudoHost' on the LDAP server since it's of no use in my setup.
Ciao, Michael.
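As an added illustration of the indexing point made above (this is not code from the thread or from sssd), the following Python snippet walks the filter Michael posted and reports every substring assertion whose components are all shorter than a configurable minimum length; the threshold of 3 is the figure used in the thread and is an assumption here, since the real cut-off depends on the server's substring index settings.

```python
import re

# Constructed from the thread: the complete filter, collapsed back onto one line.
SSSD_SUDO_FILTER = (
    "(&(&(objectClass=sudoRole)(modifyTimestamp>=20140217143850Z)"
    "(!(modifyTimestamp=20140217143850Z)))"
    "(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=foo)(sudoHost=foo.example.com)"
    "(sudoHost=192.168.42.220)(sudoHost=192.168.42.0/24)(sudoHost=+*)"
    "(|(sudoHost=*\\5C*)(sudoHost=*?*)(sudoHost=*\\2A*)(sudoHost=*[*]*))))"
)

# One simple item "(attr=value)". Items using ">=", "<=" or "~=" are not
# equality/substring assertions and are deliberately not matched.
ITEM_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)")


def unescape(component):
    """Decode RFC 4515 backslash-hex escapes such as \\5C (backslash) or \\2A (asterisk)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), component)


def substring_components(value):
    """Return the literal initial/any/final components of a substring assertion,
    or None when the value is an exact match ('foo') or a presence test ('*')."""
    if value == "*":
        return None
    parts = value.split("*")  # an escaped \2A is not a wildcard, so it survives the split
    if len(parts) == 1:
        return None
    return [unescape(p) for p in parts if p]


def unindexed_substrings(ldap_filter, min_len=3):
    """List (attribute, raw value) pairs whose substring components are all
    shorter than min_len. min_len=3 mirrors the thread; adjust to the server's
    actual substring index configuration (assumption, not a server default)."""
    hits = []
    for attr, value in ITEM_RE.findall(ldap_filter):
        comps = substring_components(value)
        if comps is not None and all(len(c) < min_len for c in comps):
            hits.append((attr, value))
    return hits


if __name__ == "__main__":
    for attr, value in unindexed_substrings(SSSD_SUDO_FILTER):
        print(f"substring index cannot serve: ({attr}={value})")
```

Running it against the posted filter flags the five sudoHost substring assertions and none of the exact or presence matches.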
sssd-users@lists.fedorahosted.org