Astateofmind

nisNetgroupTriple not returned by getent -s sss netgroup

I'm testing openldap as a source for ssh logins and sudo rules using sssd.

So far I can use LDAP to auth (password and key) and sudo based on rules from LDAP.

But I want to be able to use netgroups as well to control where users have access to log in to.

When using ALL for the host in the LDAP sudo rule the user can sudo. If I create a nisNetgroup that I will use in the sudo rule, then the user cannot sudo.

This is what I have in my sssd conf for netgroups:

sudo_provider = ldap

####-- netgroups
ldap_sudo_include_netgroups = True
ldap_netgroup_search_base = ou=HostGroups,dc=redacted,dc=com
ldap_netgroup_object_class = nisNetgroup
ldap_netgroup_triple = nisNetgroupTriple

I have netgroup: sss in the /etc/nsswitch.conf file.

My nisNetgroup in LDAP:

dn: cn=blabla,ou=HostGroups,dc=redacted,dc=com
cn: blabla
nisNetgroupTriple: test-app01,,
objectClass: nisNetgroup
objectClass: top

In the sssd log I can see the triple being recorded:

[sdap_attrs_add_ldap_attr] (0x2000): Adding netgroup triple [test-app01,,] to attributes of [blabla].

But when I run getent I don't see the triple:

$ getent -s sss netgroup blabla
blabla

And the user cannot sudo.

Any help would be appreciated. Thanks.


Answers (1)

Astateofmind

OK, the problem was with the triple: it needs to be encompassed by parentheses to work.

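As an added illustration (not code from the question, the answer or SSSD), a small Python checker that validates nisNetgroupTriple values against the (host,user,domain) form the answer refers to, flags the unparenthesized value from the question, and renders a clean entry the way getent netgroup prints it. The two LDIF entries inside are constructed from the question's entry; the getent-style output format is an assumption.

```python
import re

# Constructed LDIF entries modelled on the question: BROKEN carries the
# unparenthesized triple that SSSD ignored, FIXED the corrected form.
BROKEN_LDIF = """dn: cn=blabla,ou=HostGroups,dc=redacted,dc=com
cn: blabla
nisNetgroupTriple: test-app01,,
objectClass: nisNetgroup
objectClass: top
"""
FIXED_LDIF = """dn: cn=blabla,ou=HostGroups,dc=redacted,dc=com
cn: blabla
nisNetgroupTriple: (test-app01,,)
nisNetgroupTriple: (test-app02,alice,)
objectClass: nisNetgroup
objectClass: top
"""

# RFC 2307 netgroup triple: "(host,user,domain)"; an empty field is a wildcard.
TRIPLE_RE = re.compile(r"^\(\s*([^,()\s]*)\s*,\s*([^,()\s]*)\s*,\s*([^,()\s]*)\s*\)$")

def parse_triple(value):
    """Return (host, user, domain) or raise ValueError for a malformed triple."""
    m = TRIPLE_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed nisNetgroupTriple {value!r}: expected '(host,user,domain)'")
    return m.groups()

def parse_ldif_entry(ldif):
    """Collect cn and nisNetgroupTriple values from one LDIF entry (no continuation lines)."""
    cn, triples = None, []
    for line in ldif.splitlines():
        attr, sep, val = line.partition(":")
        if not sep:
            continue
        attr, val = attr.strip().lower(), val.strip()
        if attr == "cn":
            cn = val
        elif attr == "nisnetgrouptriple":
            triples.append(val)
    return cn, triples

def lint_netgroup(ldif):
    """Return the malformed triple values in an entry (empty list means clean)."""
    bad = []
    for t in parse_ldif_entry(ldif)[1]:
        try:
            parse_triple(t)
        except ValueError:
            bad.append(t)
    return bad

def render_getent(ldif):
    """Render a valid entry the way 'getent netgroup <name>' prints it (assumed format)."""
    cn, triples = parse_ldif_entry(ldif)
    return " ".join([cn] + ["(%s,%s,%s)" % parse_triple(t) for t in triples])
```

Run lint_netgroup over an exported LDIF before loading it; a non-empty result is the same defect that made getent print only the netgroup name above.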