# sudo from ldap using sssd

## mjedrzejewski

Hi,

I am trying to make sudo work with sssd and rules from LDAP. I have successfully configured such a setup on CentOS 6.6, but I fail to do the same on Gentoo. As far as I know, sudo just ignores rules from sssd.

```
tr linux # sudo -ll -U test
User test is not allowed to run sudo on tr.
```

sssd's debug log says that it successfully downloads and caches the rules. 

Can anybody help with this?

The Arch Linux wiki says that you need to enable sssd support in sudo. Yet:

```
tr linux # eix sudo
[I] app-admin/sudo
     Available versions:  1.8.11_p1 ~1.8.11_p2 ~1.8.12 {ldap nls offensive pam selinux +sendmail skey}
     Installed versions:  1.8.11_p1(03:28:38 PM 02/10/2015)(ldap nls offensive pam sendmail -selinux -skey)
     Homepage:            http://www.sudo.ws/
     Description:         Allows users or groups to run commands as other users
```

You can't enable sssd support in sudo on Gentoo.

EDIT: Digging deeper into the sssd issue: Gentoo, as seen above, doesn't have an sssd USE flag, yet current sssd packages have a -with-sssd configure option. So apparently that is a bug? How does one report it to the proper Gentoo package maintainer?

Yes, I have the "sudo" USE flag on sssd.

my sssd.conf: 

```
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=jmdi,dc=pl
ldap_sudo_search_base = ou=SUDOers,o=Initrode org,dc=example,dc=com
#ldap_sudo_full_refresh_interval=3600
ldap_sudo_full_refresh_interval=60
ldap_sudo_smart_refresh_interval=10
id_provider = ldap
sudo_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://10.3.14.151
ldap_chpass_uri = ldaps://10.3.14.151
krb5_kdcip = kerberos.example.com
cache_credentials = true
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = allowedHosts
debug_level = 9
```

my nsswitch.conf:

```
passwd:      compat sss
shadow:      compat sss
group:       compat sss
# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis
hosts:       files dns
networks:    files dns
services:    db files sss
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files sss
bootparams:  files
automount:   files sss
aliases:     files
sudoers:     files sss
```

----------
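The post above shows the two configuration files that have to agree before sudo can consult LDAP rules through sssd: `sssd.conf` must run the `sudo` responder with a domain whose `sudo_provider` is set (and, for `ldap`, a search base), and `nsswitch.conf` must have a `sudoers:` line that includes `sss`. The following script, added here as an example and not taken from the post or from the sudo/sssd projects, parses both files and reports which of those preconditions are missing, so a defender can rule out configuration errors before suspecting the sudo build. The sample inputs are constructed for the example; the fallback of `sudo_provider` to `id_provider` follows the sssd.conf(5) documentation. The third prerequisite, a sudo binary built with sssd support, is outside what a parser can see; as root, `sudo -V` prints the configure options it was built with.

```python
"""Check sssd.conf and nsswitch.conf for the sudo-via-sssd prerequisites.

Added example, not code from the forum post or the sssd/sudo projects.
"""
import configparser
from typing import Dict, List

# Constructed sample input, modelled on the files shown in the post.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = default

[domain/default]
id_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
"""

SAMPLE_NSSWITCH_CONF = """
passwd:      compat sss
group:       compat sss
sudoers:     files sss
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database name to its ordered list of sources."""
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = sources.split()
    return databases


def check_sudo_prereqs(sssd_conf: str, nsswitch_conf: str) -> List[str]:
    """Return findings; an empty list means both files allow sudo to query sssd."""
    findings: List[str] = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)

    # 1. The sudo responder must be started by the sssd monitor.
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf: 'sudo' is not listed in [sssd] services")

    # 2. Every configured domain needs a sudo provider (sssd defaults it to id_provider).
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("sssd.conf: no domains configured")
    for domain in domains:
        section = f"domain/{domain}"
        if not cp.has_section(section):
            findings.append(f"sssd.conf: [{section}] is missing")
            continue
        provider = cp.get(section, "sudo_provider",
                          fallback=cp.get(section, "id_provider", fallback="none"))
        if provider == "none":
            findings.append(f"sssd.conf: [{section}] has sudo_provider none")
        elif provider == "ldap" and not (cp.get(section, "ldap_sudo_search_base", fallback=None)
                                         or cp.get(section, "ldap_search_base", fallback=None)):
            findings.append(f"sssd.conf: [{section}] has no ldap_sudo_search_base or ldap_search_base")

    # 3. sudo only asks sssd if nsswitch.conf routes the sudoers database to sss.
    sudoers_sources = parse_nsswitch(nsswitch_conf).get("sudoers")
    if sudoers_sources is None:
        findings.append("nsswitch.conf: no 'sudoers' line, so sudo never queries sss")
    elif "sss" not in sudoers_sources:
        findings.append("nsswitch.conf: 'sudoers' line does not include 'sss'")
    return findings


if __name__ == "__main__":
    problems = check_sudo_prereqs(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH_CONF)
    print("\n".join(problems) if problems else "configuration prerequisites satisfied")
```

To run it against a live host, read `/etc/sssd/sssd.conf` (root-only, mode 0600) and `/etc/nsswitch.conf` and pass their contents to `check_sudo_prereqs`. An empty result, combined with `sudo -ll -U user` still reporting no rules, points at the sudo build itself or at the rules in LDAP rather than at these two files.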

