https://bugzilla.redhat.com/show_bug.cgi?id=871208 (Red Hat Enterprise Linux 6)
Description of problem:
ipa sudorule-add-user restricts user names to a limited variety of characters. At the very least @ and \ should be included to cover username conventions used for AD trusted users. When I try now, I see this:

    [root@rhel6-1 failure1]# ipa sudorule-add-user testrule --users=adtestuser1@adtestdom.com
    ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $

In addition Simo mentioned in an email:

    We should allow any character in this case. These are external user/group names, we do not have any control on them. If I want to add the user ?test@foo^^bar in /etc/passwd then I should be allowed to use it in a sudo rule

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121026T1837zgitf14dd98.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA Master
2. ipa sudorule-add testrule
3. ipa sudorule-add-user --users=test@domain.com

Actual results:
error listed above

Expected results:
success

Additional info:
After Sumit brought up a good point, I'm modifying this request.
Instead of modifying --users option functionality, I'd like to request a new --external (or similar) option. This will allow a distinction between adding IPA users and External ones coming from other sources like AD.
I'd think we'd keep the option similar to the group-add one used when adding AD groups/users to a group in IPA.
Changing 3.2 priority
Releasing tickets from distant milestones.
IPA already distinguishes between home IPA users and external users, no new option was added. The validation is still strict though:
    # ipa sudorule-add-user test --users "external@ad.domain.test"
    ipa: ERROR: invalid 'user': may only include letters, numbers, _, -, . and $
    # ipa sudorule-add-user test --users "external"
      Rule name: test
      Enabled: TRUE
      Host category: all
      External User: foouser, external
      Sudo Allow Commands: /usr/bin/yum, /bin/mv
    -------------------------
    Number of members added 1
    -------------------------
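The comments above describe two different validation regimes: a strict character class for names that resolve to IPA users, and, per Simo's point in the original report, no character restriction for external names that IPA does not control (AD users written as user@domain or DOMAIN\user, local /etc/passwd entries). The following Python is an added illustration of that split, written for this page; it is not FreeIPA's code and does not call the ipa API. The rule dictionary, the memberuser/externaluser attribute names used as keys, the constructed IPA_USERS set, and the decision to still reject empty names and names containing control characters or surrounding whitespace are all assumptions made for the example.

```python
import re

# Character class quoted by the error message in this ticket:
# letters, numbers, _, -, . and $.
STRICT_NAME_RE = re.compile(r"^[A-Za-z0-9_.$-]+$")

# Constructed sample of names that exist in IPA (example data, not from the ticket).
IPA_USERS = {"alice", "bob"}


def strict_name_ok(name):
    """The check the ticket reports being applied to every --users value."""
    return STRICT_NAME_RE.match(name) is not None


def external_name_ok(name):
    """Permissive check for names IPA does not control (AD, /etc/passwd).

    Any printable character is accepted, including @, \\, ?, ^ and spaces
    inside the name. Rejecting the empty string, control characters and
    leading/trailing whitespace is an assumption of this example, added so
    that a rule never stores a value that cannot be matched back to a user.
    """
    if name == "" or name != name.strip():
        return False
    return all(ord(c) >= 0x20 for c in name)


def classify_sudo_user(name, ipa_users):
    """Route one --users value to the attribute it belongs in.

    Returns ("memberuser", name) for a name known to IPA, which must pass the
    strict pattern, and ("externaluser", name) for anything else, which only
    has to pass the permissive check. Raises ValueError on rejection.
    """
    if name in ipa_users:
        if not strict_name_ok(name):
            raise ValueError(
                "invalid 'user': may only include letters, numbers, _, -, . and $")
        return ("memberuser", name)
    if not external_name_ok(name):
        raise ValueError(
            "invalid 'user': external name is empty or contains control characters")
    return ("externaluser", name)


def add_users_to_rule(rule, names, ipa_users):
    """Add each name to the rule; return (rule, rejected) where rejected maps
    a name to the reason it was refused, mirroring the per-member errors the
    CLI prints instead of aborting the whole command."""
    rejected = {}
    for name in names:
        try:
            attr, value = classify_sudo_user(name, ipa_users)
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        rule.setdefault(attr, []).append(value)
    return rule, rejected


if __name__ == "__main__":
    # The AD name from the original report is refused by the strict pattern
    # alone, but accepted once it is treated as an external user.
    candidates = [
        "alice",
        "adtestuser1@adtestdom.com",
        "ADTESTDOM\\adtestuser2",
        "?test@foo^^bar",
        "bad\nname",
    ]
    print("strict only:", {n: strict_name_ok(n) for n in candidates})
    rule, rejected = add_users_to_rule({}, candidates, IPA_USERS)
    print("rule:", rule)
    print("rejected:", rejected)
```

Running the block shows that only the name containing a newline is refused; the @ and \ forms and Simo's `?test@foo^^bar` land in the external list while the known IPA user keeps the strict check.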
This looks like a basic use case for sudo; let's move it to an earlier release.
Related discussion with advice: http://www.redhat.com/archives/freeipa-devel/2015-May/msg00499.html
FreeIPA 4.2.1 was released, moving to 4.2.x.
Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Raven grooming:
Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
PR: https://github.com/freeipa/freeipa/pull/4792
Metadata Update from @abbra:
- Issue assigned to abbra (was: someone)
- Issue set to the milestone: FreeIPA 4.9
- Issue tagged with: trust
master:
ipa-4-9:
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)