sssd-ldap sudo rules are not listed after switching to sssd version >=2.0.0
This document (000020880) is provided subject to the disclaimer at the end of this document.
Environment
Situation
The sssd configuration option ldap_sudo_include_regexp changed its default value from true to false beginning with sssd-2.0.0.
See https://sssd.io/release-notes/sssd-2.0.0.html#changed-default-settings
The following rule no longer works and is therefore not listed by sudo -l -U <User>:

    ...
    dn: cn=SUDOUSER,ou=SUDOers,dc=example,dc=com
    cn: SUDOUSER
    sudoHost: *
    sudoOption: !authenticate
    objectClass: sudoRole
    ...
Resolution
    [domain/LDAP]
    ...
    ldap_sudo_include_regexp = true
    ...
Cause
SUSE Linux Enterprise Server 15 SP4 ships sssd version 2.5.
The default value of ldap_sudo_include_regexp changed from true to false.
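To see which rules in a directory depend on this option, the following added example (not part of the SUSE article or of sssd) scans an LDIF export for sudoRole entries whose sudoHost contains wildcard characters, like the rule shown above. The sample LDIF, the function names and the set of characters treated as wildcards are assumptions of this example; base64-encoded values are not decoded.

```python
import re

# Assumption: sudoers glob metacharacters (*, ?, [...], backslash) mark a wildcard host.
WILDCARD = re.compile(r"[*?\[\]\\]")

# Constructed sample export of the sudoers container; the first entry is the page's rule.
SAMPLE_LDIF = """\
dn: cn=SUDOUSER,ou=SUDOers,dc=example,dc=com
cn: SUDOUSER
sudoHost: *
sudoOption: !authenticate
objectClass: sudoRole

dn: cn=webadmins,ou=SUDOers,dc=example,dc=com
sudoHost: web*.example.com
sudoHost: db01.example.com
objectClass: sudoRole

dn: cn=everywhere,ou=SUDOers,dc=example,dc=com
sudoHost: ALL
objectClass: sudoRole
"""

def parse_ldif(text):
    """Yield a dict of lower-cased attribute -> [values] for each LDIF entry."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def wildcard_host_rules(text):
    """Return {dn: [wildcard sudoHost values]} for every sudoRole entry."""
    hits = {}
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        hosts = [h for h in entry.get("sudohost", []) if WILDCARD.search(h)]
        if "sudorole" in classes and hosts:
            hits[entry["dn"][0]] = hosts
    return hits

if __name__ == "__main__":
    for dn, hosts in wildcard_host_rules(SAMPLE_LDIF).items():
        print(f"{dn}: wildcard sudoHost {hosts}")
```

Each reported rule is one that only reaches hosts matched by a wildcard sudoHost when ldap_sudo_include_regexp = true is set.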
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020880
- Creation Date: 02-Dec-2022
- Modified Date: 02-Dec-2022
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Linux Enterprise Micro
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com