[Freeipa-devel] Scripting the SUDO setup for a client

JR Aquino JR.Aquino at citrix.com
Fri Feb 18 13:18:36 UTC 2011


On Feb 18, 2011, at 5:01 AM, "Simo Sorce" <ssorce at redhat.com> wrote:

> On Fri, 18 Feb 2011 05:06:34 +0000
> JR Aquino <JR.Aquino at citrix.com> wrote:
> 
>> On Feb 17, 2011, at 8:38 PM, "Adam Young" <ayoung at redhat.com> wrote:
>> 
>>> I tried to follow the steps to setup Sudo on a client here:
>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_sudo
>>> 
>>> Of course, since my server wasn't example.com, I had to modify the
>>> LDAP filters.  I got something wrong.
>>> 
>>> What would I use to script this in keeping with the ipa server
>>> technologies we use?  I need to modify a bunch of config files.
>>> This seems like a task for something like augeas, and I know we use
>>> some library to do it.
>> 
>> I believe authconfig is used to populate ldap.conf and maybe even
>> nsswitch.conf.
>> 
>> Be aware though that Sudo needs to have an unprivileged binddn User
>> and password configured in the ldap.conf file...  That's the piece
>> that I've been thinking most about.  I'm not sure what to do except
>> prompt the user during the install script.
> 
> This is necessary only when you prevent anonymous binds, right ?
> 
> Simo.

I'm afraid not Simo.
As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA are protected.  There is a deliberate default aci which prevents anonymous users from enumerating everyone's Sudo information.

This means it is necessary for Sudo to initiate some form of authenticated bind.

And as we discovered, the SUDO SASL implementation is suboptimal in that it seems to want a cronjob to sit around kinit'ing the /etc/krb5.keytab in order to use its ccache.
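The point of the reply above is that an unprivileged binddn and its password end up in the sudo client's ldap.conf, which makes that file's permissions part of the setup. The script below is an added example, not code from this thread or from the FreeIPA project: it writes a constructed sudo LDAP client config (key names as in sudoers.ldap(5); the server name, base DN, bind DN and password are placeholders) and checks that the required keys are present and that a file carrying bindpw is not readable by group or other.

```shell
#!/bin/sh
# Added example, not code from the freeipa-devel thread or the FreeIPA
# project. It checks a sudo LDAP client config of the kind the thread
# discusses: because FreeIPA's default ACIs block anonymous reads of the
# sudo containers, the file must carry an unprivileged binddn/bindpw, and
# that in turn means the file itself must not be world-readable.
# Key names follow sudoers.ldap(5); the file path and all values are
# constructed for the demo.

# check_sudo_ldap_conf FILE
#   returns 0 when every required key is present and group/other have no bits,
#   1 when a required key is missing or the file is unreadable,
#   2 when bindpw is present but group or other can read the file.
check_sudo_ldap_conf() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    for key in uri sudoers_base binddn bindpw; do
        # the key must start a line (comments and blank lines are ignored)
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]+" "$f"; then
            echo "$f: missing required key '$key'" >&2
            return 1
        fi
    done
    # GNU stat first, BSD stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;   # 0400, 0600, 4600 ...: group and other have nothing
        *)   echo "$f: bindpw present but mode $mode lets group/other read it" >&2
             return 2 ;;
    esac
}

# write_demo_conf FILE MODE [omit_bindpw]
#   writes a constructed config (placeholder server, base DN and credentials)
#   and applies MODE, so the checker can be exercised without a real IPA server.
write_demo_conf() {
    f=$1; mode=$2; omit=${3:-}
    {
        echo "# constructed sudo LDAP client config for the demo"
        echo "uri ldap://ipa.example.test"
        echo "sudoers_base ou=sudoers,dc=example,dc=test"
        echo "binddn uid=sudo-reader,cn=sysaccounts,cn=etc,dc=example,dc=test"
        [ "$omit" = omit_bindpw ] || echo "bindpw PLACEHOLDER-not-a-real-password"
        echo "ssl start_tls"
    } > "$f"
    chmod "$mode" "$f"
}

# stand-alone demo: one acceptable file, one with a world-readable bindpw
demo_dir=$(mktemp -d)
write_demo_conf "$demo_dir/good.conf" 0600
write_demo_conf "$demo_dir/loose.conf" 0644
check_sudo_ldap_conf "$demo_dir/good.conf" && echo "good.conf: ok"
check_sudo_ldap_conf "$demo_dir/loose.conf" || echo "loose.conf: rejected (rc=$?)"
rm -rf "$demo_dir"
```

The complementary live check, an ldapsearch of the sudo containers once without a bind DN and once with the configured one, confirms that the ACI really does hide the rules from anonymous clients, but it needs a running server and so is not part of the block.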
