[Freeipa-devel] ipa-client-install sudoers + automount

Rob Crittenden rcritten at redhat.com
Wed Oct 12 14:12:29 UTC 2011


William Brown wrote:
>
> Is there a reason that ipa-client-install does not configure nsswitch
> for ldap sudoers and automount by default? I would see such a
> modification as a feature for this, rather than a negative.
>
> Alternately, this could be added as a module to ipa command to
> "autoconfigure" these for a joined host.
>
> In order to implement this one would need to write into ipa-client-install:
>
> * Add ldap to sudoers and automount in nsswitch
> * Generate configuration for Automount in a way similar to
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> ** Automount could set up the location at this point.
> * Generate configuration for nss_ldap.conf for sudoers according to
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
> ** This could use the static sudo password method as listed, and would
> involve adding these lines to the nss_ldap configuration in
> ipa-client-install. Some kind of RPC call could be made to retrieve
> the sudo password using the admin ticket.
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
> bindpw testpassword
>
> ** Alternately, nss_ldap can use kerberos caches for SASL binds.
>
> sudoers_base ou=SUDOers,dc=x
> use_sasl on
> krb5_ccname FILE:/etc/.ldapsearch
>
> The latter requires the kerberos cache to be primed and added to cron
> with something like:
>
> kinit -k host/client3.ipa.x -c /etc/.ldapsearch
>
> * nss_ldap configuration would be part of the default install,
> regardless of SSSD presence (ldap would not be listed in nsswitch for
> users or groups however)
>
> Nslcd does not support the sudoers option as far as my research tells
> me. It would also mean that nss_ldap becomes a dependency, rather than
> optional. Nslcd also supports sasl for ldap.

These are both on our roadmap; we just haven't gotten to them yet:

https://fedorahosted.org/freeipa/ticket/1233
http://freeipa.org/page/SUDO_integration_plans

> Of the sudo bindpw or krb5_cc method in nss_ldap which is preferred?

We currently provide a shared account for use with sudo as a temporary measure. sssd support is our preferred solution.

rob
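As an added illustration of the nsswitch and nss_ldap steps William lists above (not code from this thread or from ipa-client-install): an idempotent edit of the sudoers/automount nsswitch databases, a renderer for the SASL/Kerberos variant of the stanza, and a check that a resulting config keeps TLS peer verification on and carries no static bindpw. The "files ldap" default for a missing database line and the function names are assumptions.

```python
import re

NSS_DATABASES = ("sudoers", "automount")

def add_ldap_source(nsswitch_text, databases=NSS_DATABASES):
    """Append 'ldap' to each listed nsswitch database, keeping existing
    sources first; a missing line is added as 'files ldap' (assumed
    default). Running it twice yields the same text."""
    out, seen = [], set()
    for line in nsswitch_text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m and m.group(1) in databases:
            seen.add(m.group(1))
            sources = m.group(2).split()
            if "ldap" not in sources:
                sources.append("ldap")
            line = "%s: %s" % (m.group(1), " ".join(sources))
        out.append(line)
    for db in databases:
        if db not in seen:
            out.append("%s: files ldap" % db)
    return "\n".join(out) + "\n"

def render_nss_ldap_conf(base_dn, ca_cert="/etc/ipa/ca.crt",
                         ccache="FILE:/etc/.ldapsearch"):
    """Render the SASL/Kerberos variant of the stanza from the post:
    no bindpw on disk, TLS peer verification kept on."""
    return "\n".join([
        "ssl start_tls",
        "tls_cacertfile %s" % ca_cert,
        "tls_checkpeer yes",
        "sudoers_base ou=SUDOers,%s" % base_dn,
        "use_sasl on",
        "krb5_ccname %s" % ccache,
    ]) + "\n"

def parse_ldap_conf(text):
    """Parse 'key value' lines (comments and blanks skipped) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def ldap_conf_is_hardened(conf):
    """True if start_tls with peer checking is on and SASL replaces a bindpw."""
    return (conf.get("ssl") == "start_tls" and conf.get("tls_checkpeer") == "yes"
            and conf.get("use_sasl") == "on" and "bindpw" not in conf)
```

Trailing `#` comments on an nsswitch line are not handled here; strip them before calling if your file has them.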
