#1309 sudorunasgroup automatically picks up incorrect value while adding a sudorunasuser.
Closed: Fixed None Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=711786

# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/testuser
  GECOS field: testuser
  Login shell: /bin/sh
  Kerberos principal: testuser@LAB.ENG.PNQ.REDHAT.COM
  UID: 1866400014

# ipa sudorule-add-runasuser sudorule3 --users=testuser
  Rule name: sudorule3
  Enabled: TRUE
  Users: shanks
  Groups: group1
  Hosts: mudflap.lab.eng.pnq.redhat.com
  Sudo Allow Commands: /bin/ls, /bin/df, /bin/ln, /bin/pwd, /bin/hostname
  Sudo Command Groups: basic cmd
  Run As User: testuser
-------------------------
Number of members added 1
-------------------------

In DS:

dn: cn=sudorule3,ou=sudoers,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: sudoRole
objectClass: extensibleObject
objectClass: top
[...]
sudorunasuser: testuser
sudorunasgroup: test user    <<<<<<<<
cn: sudorule3

And in client:

-sh-4.1$ sudo -l
[...]
[sudo] password for shanks: 
sudo: ldap search
'(|(sudoUser=shanks)(sudoUser=%shanks)(sudoUser=%ipausers)(sudoUser=%group1)(sudoUser=ALL))'
sudo: ldap sudoHost 'mudflap.lab.eng.pnq.redhat.com' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User shanks may run the following commands on this host:
    (test1, test3, test2, test4, testuser : test user) /bin/ls, /bin/df,
/bin/ln, /bin/pwd, /bin/hostname

While adding a sudorunasuser, its corresponding sudorunasgroup gets added automatically ("sudorunasgroup: test user" in this case).

"test user" gets displayed as a runasgroup in LDAP and on the client.


After closer inspection, it appears as though we are also missing important sudo attributes in our native sudo schema.
The following attribute types are absent:

attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
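The symptom above (a user's full name landing in sudoRunAsGroup) and the schema attributes just listed can be checked for together. The following is an added example, not code from the ticket or from FreeIPA: a small LDIF parser that reproduces the "(runasuser : runasgroup)" prefix that `sudo -l` prints, verifies each value against the IA5String syntax the two attribute types use, and flags sudoRunAsGroup values that are not known groups, in particular ones that match a user's full name. The LDIF, the user table and the group set are constructed for the example and stand in for a real directory export.

```python
# Constructed sample LDIF (not a real directory export). sudorule3 mirrors the
# broken entry from the ticket; sudorule4 is a correctly formed rule.
SAMPLE_LDIF = """\
dn: cn=sudorule3,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
cn: sudorule3
sudoUser: shanks
sudoUser: %group1
sudoHost: mudflap.example.com
sudoCommand: /bin/ls
sudoCommand: /bin/df
sudoRunAsUser: testuser
sudoRunAsGroup: test user

dn: cn=sudorule4,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
objectClass: top
cn: sudorule4
sudoUser: shanks
sudoHost: ALL
sudoCommand: /bin/df
sudoRunAsUser: root
sudoRunAsGroup: wheel
"""

# Constructed identity data standing in for the user and group entries
# (login -> full name, and the set of group names).
KNOWN_USERS = {"testuser": "test user", "root": "root", "shanks": "shanks"}
KNOWN_GROUPS = {"wheel", "group1", "ipausers"}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.
    Handles folded continuation lines (leading space) and blank-line separators."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def is_ia5(value):
    """SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 is IA5String: 7-bit ASCII only."""
    return all(ord(c) < 128 for c in value)


def render_runas(entry):
    """Reproduce the '(user : group)' prefix that sudo -l prints for a sudoRole."""
    users = ", ".join(entry.get("sudorunasuser", [])) or "root"
    groups = entry.get("sudorunasgroup", [])
    return f"({users} : {', '.join(groups)})" if groups else f"({users})"


def audit_runas(entries, users=KNOWN_USERS, groups=KNOWN_GROUPS):
    """Return (rule cn, attribute, value, reason) for every suspicious runas value.
    A display name in sudoRunAsGroup is the exact misconfiguration from the ticket:
    sudo would try to run commands as a group of that name, which is not what the
    administrator asked for."""
    findings = []
    for e in entries:
        cn = e.get("cn", ["?"])[0]
        for attr in ("sudorunasuser", "sudorunasgroup"):
            for v in e.get(attr, []):
                if v == "ALL" or v.startswith(("%", "#")):  # wildcard / group / numeric ids
                    continue
                if not is_ia5(v):
                    findings.append((cn, attr, v, "not IA5: violates schema syntax"))
                elif attr == "sudorunasgroup":
                    if v in users.values() and v not in groups:
                        findings.append((cn, attr, v, "value is a user's full name, not a group"))
                    elif v not in groups:
                        findings.append((cn, attr, v, "unknown group"))
                elif v not in users:
                    findings.append((cn, attr, v, "unknown user"))
    return findings


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    for r in rules:
        print(r["cn"][0], render_runas(r))
    for finding in audit_runas(rules):
        print("SUSPICIOUS:", finding)
```

Run against the sample, sudorule3 renders as `(testuser : test user)`, the same prefix the client showed in the ticket, and the audit reports its sudoRunAsGroup value as a user's full name rather than a group; sudorule4 passes. The same audit can be run over an `ldapsearch -LLL` dump of the sudoers container to find rules created before the fix.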

-No longer blocked-
The newest 389 ds package includes the updated schema.

Both patches are required to resolve this ticket.

Patch 31 corrects the monolithic behavior inherited from the legacy schema not having a distinction between runasgroups and runasusers.

Patch 37 adds support for upgrading the sudo schema on older systems.

Added correction to the Makefile.am and adjusted the .update replace syntax
freeipa-jraquino-0031-Correct-behavior-for-sudorunasgroup-vs-sudorunasuser.patch

Added correction to the Makefile.am: fixed indentation, removed trailing whitespace
freeipa-jraquino-0037-Correct-sudo-runasuser-and-runasgroup-attributes.patch

Metadata Update from @rcritten:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.1 - 2011/07

7 years ago
