[Pkg-sssd-devel] Bug#770825: add sudoers entry to nsswitch.conf
Marc Haber
mh+debian-packages at zugschlus.de
Wed Feb 11 17:14:41 GMT 2026
On Wed, Feb 11, 2026 at 11:32:17AM +0100, Martin Pitt wrote:
>Marc Haber [2026-02-10 14:50 +0100]:
>> What would a test case to check "sssd configuration of sudo rules" look like?
>
>Cockpit's test suite models a typical "large org" setup: Centralized user
>management with https://tracker.debian.org/pkg/freeipa ; part of that is
>maintaining users and their roles in LDAP. sssd abstracts away most of that,
>i.e. provides the integration into NSS, for both passwd/groups and also
>`sudoers`, so that these can be managed centrally through IPA as well. I.e. our
>test (effectively) calls `realmd join` which calls `ipa-client-install`.
>
>On the IPA server side, you need to run the output of `ipa-advise
>enable-admins-sudo` to enable central sudoers management.
>
>Setting all of this up is quite involved. If it's unclear how this happens,
>I can spend an hour trying to replicate everything in a Debian testing VM with
>just a FreeIPA container -- but I hope that can be done in a simpler way? I.e.
>extending the above sed shell code in the postinst to create a missing entry
>keeps the previous behaviour with libnss-sudo, and reduces the dependency
>assumption.

I was hoping for something that would fit easily into the horrible mess
called https://salsa.debian.org/sudo-team/sudo/-/blob/debian/latest/debian/tests/04-getroot-sssd?ref_type=heads
such as

(1) installing the LDAP extensions that are probably needed to have
    sudoers in LDAP
(2) installing a test rule into the sudoers set that is stored in LDAP
(3) checking that this rule is actually honored by sudo

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
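
The quoted message mentions extending the postinst shell code so that a missing `sudoers` entry in nsswitch.conf is created. The following is an added example of such a step, not code from the sssd or sudo packaging and not written by either poster; the function name `ensure_sudoers_sss` and the `files sss` default order are assumptions.

```shell
#!/bin/sh
# Added example (not the sssd package's postinst code).
# Assumptions: the function name and the "files sss" default order.

# Make sure FILE has a "sudoers:" line that lists the "sss" source.
# Idempotent: a line that already lists sss is left byte-for-byte unchanged.
ensure_sudoers_sss() {
    conf=$1
    [ -f "$conf" ] || return 1
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*sudoers:/ {
            seen = 1
            line = $0; comment = ""
            i = index(line, "#")          # keep a trailing comment intact
            if (i > 0) { comment = " " substr(line, i); line = substr(line, 1, i - 1) }
            sub(/[ \t]+$/, "", line)
            rest = line
            sub(/^[ \t]*sudoers:/, "", rest)
            n = split(rest, src, /[ \t]+/)
            has = 0
            for (k = 1; k <= n; k++) if (src[k] == "sss") has = 1
            if (has) print $0; else print line " sss" comment
            next
        }
        { print }
        END { if (!seen) print "sudoers:        files sss" }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so owner and mode of the original file are kept.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: an nsswitch.conf with no sudoers entry.
demo=$(mktemp)
printf 'passwd:         files sss\ngroup:          files sss\n' > "$demo"
ensure_sudoers_sss "$demo" && cat "$demo"
rm -f "$demo"
```
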