
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,233 of 28,835   
   Marc Haber to Martin Pitt   
   Bug#770825: add sudoers entry to nsswitc   
   11 Feb 26 18:20:01   
   
   From: mh+debian-packages@zugschlus.de   
      
   On Wed, Feb 11, 2026 at 11:32:17AM +0100, Martin Pitt wrote:   
   >Marc Haber [2026-02-10 14:50 +0100]:   
   >> How would a test case to check "sssd configuration of sudo rules" look like?   
   >   
   >Cockpit's test suite models a typical "large org" setup: Centralized user   
   >management with https://tracker.debian.org/pkg/freeipa ; part of that is   
   >maintaining users and their roles in LDAP. sssd abstracts away most of that,   
   >i.e. provides the integration into NSS, for both passwd/groups and also   
   >`sudoers`, so that these can be managed centrally through IPA as well. I.e. our
   >test (effectively) calls `realmd join` which calls `ipa-client-install`.
   >   
   >On the IPA server side, you need to run the output of `ipa-advise   
   >enable-admins-sudo` to enable central sudoers management.   
   >   
   >Setting all of this up is quite involved. If it's unclear how this happens,   
   >I can spend an hour trying to replicate everything in a Debian testing VM with   
   >just a FreeIPA container -- but I hope that can be done in a simpler way? I.e.   
   >extending the above sed shell code in the postinst to create a missing entry   
   >keeps the previous behaviour with libnss-sudo, and reduces the dependency   
   >assumption.   
      
   I was hoping for something that would fit easily into the horrible mess   
   called https://salsa.debian.org/sudo-team/sudo/-/blob/debian/lat   
   st/debian/tests/04-getroot-sssd?ref_type=heads   
      
   such as   
      
   (1) installing the LDAP extensions that are probably needed to have   
   sudoers in LDAP   
   (2) installing a test rule into the sudoers set that is stored in LDAP   
   (3) checking that this rule is actually honored by sudo   
      
   Greetings   
   Marc   
      
   --   
   -----------------------------------------------------------------------------   
   Marc Haber         | "I don't trust Computers. They | Mail address in header
   Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402   
   Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421   
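
Added example, not part of the message above and not the Debian postinst code: one way the quoted suggestion of creating a missing `sudoers` entry in nsswitch.conf could look as an idempotent shell function. The function name `ensure_sudoers_sss`, the file argument and the `files sss` value are assumptions.

```shell
#!/bin/sh
# Illustrative only: ensure_sudoers_sss and the "files sss" default are
# assumptions, not taken from any Debian maintainer script.

# ensure_sudoers_sss FILE
# Make sure FILE (an nsswitch.conf) has a "sudoers:" database line that
# lists the sss source. Safe to run repeatedly. Returns non-zero on error.
ensure_sudoers_sss() {
    conf=$1
    [ -f "$conf" ] || return 1

    # Case 1: no sudoers database line at all, so create one.
    if ! grep -Eq '^[[:space:]]*sudoers:' "$conf"; then
        printf 'sudoers:        files sss\n' >> "$conf"
        return 0
    fi

    # Case 2: an entry already names sss as a whole word outside a comment.
    if grep -Eq '^[[:space:]]*sudoers:([^#]*[[:space:]])?sss([[:space:]]|#|$)' "$conf"; then
        return 0
    fi

    # Case 3: an entry exists without sss. Append sss after the last source
    # and before any trailing comment, leaving all other lines untouched.
    tmp=$(mktemp) || return 1
    if sed -E '/^[[:space:]]*sudoers:/ s/^([^#]*[^#[:space:]])/\1 sss/' \
            "$conf" > "$tmp"; then
        # Overwrite in place so owner and mode of the original are kept.
        cat "$tmp" > "$conf"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

A word such as `sss` that appears only inside a trailing comment does not count as configured, so the entry is still extended in that case.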
      