> btw. I cannot reproduce your issue where a command is denied where only
> user and host are matching, can you give an example where this is
> happening? Thanks
I retract my previous statement and stand corrected: I have run a test and verified on Redhat Enterprise 5.5 that sudo is behaving as we believe it should. A command NO MATCH occurs only if sudo parses all results and does not find a match. I am documenting this for my internal team so that we can investigate the systems that have had contrary results, as they are likely the result of a definite bug. I apologize for the F.U.D.

So then, that just leaves us with: how do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules?

Sudo debug:
-------------------
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap search '(|(sudoUser=testuser)(sudoUser=%testuser)(sudoUser=%UGRP-Test1)(sudoUser=ALL))'
sudo: found:cn=ROLE-jumpers_RO,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test2,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
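When auditing which sudoRole entry actually settled a decision on a host, it helps to turn the sudo LDAP debug trace above into structured data instead of reading it by eye. The following is an added example, not code from the thread, FreeIPA or the sudo project: a small parser for the `sudo: found:` / `sudoHost` / `sudoCommand` / `Command allowed` lines as printed in the message, fed with the trace quoted above as constructed sample input. The `sudo: Command denied` wording for the negative case and the `VALIDATE_OK` / `VALIDATE_NOT_OK` bit values used to cross-check the `sudo_ldap_lookup(...)=0x..` return value are assumptions taken from sudo's source, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the debug lines quoted in the message above.
SAMPLE_TRACE = """\
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap search '(|(sudoUser=testuser)(sudoUser=%testuser)(sudoUser=%UGRP-Test1)(sudoUser=ALL))'
sudo: found:cn=ROLE-jumpers_RO,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test2,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
"""

# Assumed from sudo's sudo.h; the trace's 0x02 is consistent with VALIDATE_OK.
VALIDATE_OK = 0x02
VALIDATE_NOT_OK = 0x04

FOUND_RE = re.compile(r"^sudo: found:(?P<dn>\S+)$")
HOST_RE = re.compile(r"^sudo: ldap sudoHost '[^']*' \.\.\. (?P<res>MATCH!|not)$")
CMD_RE = re.compile(r"^sudo: ldap sudoCommand '[^']*' \.\.\. (?P<res>MATCH!|not)$")
RET_RE = re.compile(r"^sudo: sudo_ldap_lookup\(\d+\)=0x(?P<hex>[0-9a-fA-F]+)$")


@dataclass
class RoleTrace:
    dn: str
    host_matched: bool = False
    command_result: Optional[bool] = None  # None: sudoCommand never evaluated


@dataclass
class LookupResult:
    roles: List[RoleTrace]
    decision: str                 # "allowed", "denied" or "no match"
    deciding_dn: Optional[str]    # entry whose sudoCommand settled the lookup
    return_flags: Optional[int]   # parsed sudo_ldap_lookup(...) return value


def parse_trace(text: str) -> LookupResult:
    """Walk the trace in order; each 'found:' opens a new entry and later
    sudoHost/sudoCommand lines are attributed to that entry."""
    roles: List[RoleTrace] = []
    current: Optional[RoleTrace] = None
    decision, deciding, flags = "no match", None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            current = RoleTrace(m["dn"])
            roles.append(current)
            continue
        m = HOST_RE.match(line)
        if m and current is not None:
            current.host_matched = current.host_matched or m["res"] == "MATCH!"
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current.command_result = m["res"] == "MATCH!"
            continue
        if line == "sudo: Command allowed":
            decision, deciding = "allowed", current.dn if current else None
        elif line == "sudo: Command denied":  # denial wording is an assumption
            decision, deciding = "denied", current.dn if current else None
        m = RET_RE.match(line)
        if m:
            flags = int(m["hex"], 16)
    return LookupResult(roles, decision, deciding, flags)


def host_matching_roles(result: LookupResult) -> List[str]:
    """DNs of every entry whose sudoHost matched, in evaluation order."""
    return [r.dn for r in result.roles if r.host_matched]


def consistent_with_flags(result: LookupResult) -> bool:
    """Cross-check the textual decision against the returned flag bits."""
    if result.return_flags is None:
        return True
    if result.decision == "allowed":
        return bool(result.return_flags & VALIDATE_OK)
    if result.decision == "denied":
        return bool(result.return_flags & VALIDATE_NOT_OK)
    return not (result.return_flags & (VALIDATE_OK | VALIDATE_NOT_OK))


if __name__ == "__main__":
    res = parse_trace(SAMPLE_TRACE)
    print(res.decision, "by", res.deciding_dn)
    print("host-matching entries:", host_matching_roles(res))
    print("flags consistent:", consistent_with_flags(res))
```

Run it against a real `sudo -l` debug capture to see, for each host-matching entry, whether its sudoCommand was ever evaluated; in the trace above three entries match the host but only `cn=ROLE-jr-test2` reaches a command comparison, which is the line that decides the outcome.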