Which IIQ version are you inquiring about?
IIQ 8.3
Please share any images or screenshots, if relevant.
Please share any other relevant files that may be required (for example, logs).
sudorules schema
<Schema aggregationType="group" created="1732307232182" descriptionAttribute="description" displayAttribute="cn" featuresString="PROVISIONING" id="0afa648b934b13118193558ea5b6128d" identityAttribute="dn" instanceAttribute="" modified="1734458286178" nativeObjectType="ipasudorule" objectType="sudorules">
<AttributeDefinition name="cn" type="string">
<Description>common name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="dn" type="string">
<Description>Directory Path</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition name="ipaUniqueID" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="memberAllowCmd" schemaObjectType="sudocmdcontainer" type="string">
<Description>sudo command group or sudo commands</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="memberHost" type="string">
<Description>computers or hostgroups</Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="memberUser" schemaObjectType="posixgroup" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition name="cmdCategory" type="string">
<Description>All Commands</Description>
</AttributeDefinition>
<AttributeDefinition name="ipaEnabledFlag" type="string">
<Description>True or False</Description>
</AttributeDefinition>
<Attributes>
<Map>
<entry key="groupMemberAttribute"/>
<entry key="memberAttribute">
<value>
<List>
<String>cn</String>
<String>uid</String>
</List>
</value>
</entry>
<entry key="memberPrefix" value="{,"/>
<entry key="memberSuffix" value=",}"/>
</Map>
</Attributes>
</Schema>
sudocmdcontainer schema
<Schema aggregationType="group" created="1734455914750" descriptionAttribute="description" displayAttribute="sudoCmd" featuresString="PROVISIONING" id="0afa648993b71cab8193d5a0f0fe77d4" identityAttribute="dn" instanceAttribute="" modified="1734458286178" nativeObjectType="ipaobject" objectType="sudocmdcontainer">
<AttributeDefinition name="cn" type="string">
<Description>common name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="dn" type="string">
<Description>Directory Path</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition name="ipaUniqueID" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition name="sudoCmd" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="member" schemaObjectType="sudocmd" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="memberOf" schemaObjectType="sudocmdgroups" type="string">
<Description></Description>
</AttributeDefinition>
<Attributes>
<Map>
<entry key="groupMemberAttribute" value="dn"/>
<entry key="memberAttribute" value="dn"/>
</Map>
</Attributes>
</Schema>
sudocmdgroups schema
<Schema aggregationType="group" created="1734457355363" descriptionAttribute="description" displayAttribute="cn" featuresString="PROVISIONING" id="0afa648993b71cab8193d5b6ec637849" identityAttribute="dn" instanceAttribute="" modified="1734458286178" nativeObjectType="ipasudocmdgrp" objectType="sudocmdgroups">
<AttributeDefinition name="cn" type="string">
<Description>common name(s) for which the entity is known by</Description>
</AttributeDefinition>
<AttributeDefinition name="dn" type="string">
<Description>Directory Path</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition name="ipaUniqueID" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="member" schemaObjectType="sudocmd" type="string">
<Description>List of sudo commands</Description>
</AttributeDefinition>
<Attributes>
<Map>
<entry key="groupMemberAttribute" value="dn"/>
<entry key="memberAttribute" value="dn"/>
</Map>
</Attributes>
</Schema>
sudocmd
<Schema aggregationType="group" created="1734457510516" descriptionAttribute="description" displayAttribute="sudoCmd" featuresString="PROVISIONING" id="0afa648993b71cab8193d5b94a74784e" identityAttribute="dn" instanceAttribute="" modified="1734458286178" nativeObjectType="ipasudocmd" objectType="sudocmd">
<AttributeDefinition name="dn" type="string">
<Description>Directory Path</Description>
</AttributeDefinition>
<AttributeDefinition name="description" type="string">
<Description>descriptive information</Description>
</AttributeDefinition>
<AttributeDefinition name="ipaUniqueID" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition name="sudoCmd" type="string">
<Description></Description>
</AttributeDefinition>
<AttributeDefinition multi="true" name="memberOf" schemaObjectType="sudocmdgroups" type="string">
<Description></Description>
</AttributeDefinition>
<Attributes>
<Map>
<entry key="groupMemberAttribute" value="dn"/>
<entry key="memberAttribute" value="dn"/>
</Map>
</Attributes>
</Schema>
Share all details about your problem, including any error messages you may have received.
I’m currently working on creating an Application for RedHat Identity Management (IDM) using the LDAP connector. I was able to successfully perform a group aggregation on the sudo rules, sudo command groups, and sudo commands.
| IDM Obect Type | IIQ Object Type |
|---|---|
| ipasudorule | sudorules |
| ipasudocmdgrp | sudocmdgroups |
| ipasudocmd | sudocmd |
One thing to note is that the memberAllowCmd attribute for sudorules can be an object type of either ipasudocmdgrp or ipasudocmd in IDM. Because of this, I decided to make a container object for the memberAllowCmd attribute in IIQ called sudocmdcontainer that can represent both sudocmdgroups and sudocmd.
My problem is that whenever I click on a sudo rule and click on the sudo group(s) assigned to it, it shows me the distinguished name (object value) of the sudocmd for the sudogroup instead of its display value. The object type for the memberAllowCmd is a sudocmdcontainer. You can see this in my 1st picture.
However, when I go to the actual sudocmdcontainer, I’m able to see the sudocmd with their display value, not their distinguished name. You can see this in my 2nd picture.
The display value for sudocmd is set to sudoCmd, which should show the actual sudo command. I would appreciate any help on this. Thank you.