[Freeipa-devel] ipa-client-install sudoers + automount

Rob Crittenden rcritten at redhat.com
Wed Oct 12 15:42:47 UTC 2011


William Brown wrote:
>>
>> These are both on our roadmap, we just haven't gotten to them yet:
>>
>> https://fedorahosted.org/freeipa/ticket/1233
>> http://freeipa.org/page/SUDO_integration_plans
>
> Okay, I did not find these two pages while searching. It appears to be
> what I have just discussed however.
>
>>
>>> Of the sudo bindpw or krb5_cc method in nss_ldap which is
>>> preferred?
>>
>> We currently provide a shared account for use with sudo as a
>> temporary measure. sssd support is our preferred solution.
>
> Okay. In terms of the SSSD sudo / automount provider, the biggest
> issue I see is that to read the ou=SUDOers branch of the LDAP tree,
> you must be bound (Or for automount if anon bind is disabled). For
> that you need either
>
> A) A shared account for sudo reading
> B) A way to extract the systems host krb5 ticket inside of SSSD to
> make that query
>
> It would be reasonable for SSSD to be able to extract the keytab to a
> local cache, and just to renew / re-extract it if it expires when a
> query is performed.

This is how SSSD works now. It uses the host keytab to authenticate to 
the IPA LDAP server.

> However, I see the benefit as being that you can cache those queries -
> especially sudo's. Automount may not benefit from this however, since
> in a situation where you are away from the IPA server, you are likely
> away from NFS also.
>
> An aside point - during the client auto-configuration, it would be
> good to have automount "work out" the location of the client. This
> could be used in
> "SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"" for example.

Yeah, working this out is non-trivial though. I think the initial cut of 
automount support is going to be optional and the location will be 
prompted for. location is just a string so it can be used for all sorts of 
purposes other than regional support (e.g. a developer's automount, tech 
support automount, helpdesk automount, etc).

> Has any work started on the SSSD sudo provider?

Yes, I believe it has. I don't know the full state of it, maybe one of 
the sssd dev lurkers will chime in :-)

regards

rob
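The two bind options the thread weighs, a shared read account (A) versus the client's own host keytab (B), expressed as sssd.conf fragments. This is an added example, not configuration from the thread or from the FreeIPA project; hostnames, realm, suffix and the sysaccount DN are assumed placeholders, and the sudo/autofs responders shown only exist in SSSD releases later than this 2011 discussion.

```ini
# Added example (not from the thread): two ways for SSSD to read the
# sudoers and automount subtrees of an IPA directory. Hostname, realm,
# server, suffix and the sysaccount uid are assumed placeholders.
[sssd]
services = nss, pam, sudo, autofs
domains = example.com

# (A) Shared read-only account: the same password sits on every client,
# so one compromised host exposes the credential used by all of them,
# and the server cannot tell which host performed a query.
#[domain/example.com]
#id_provider = ldap
#ldap_uri = ldap://ipa.example.com
#ldap_default_bind_dn = uid=sudoreader,cn=sysaccounts,cn=etc,dc=example,dc=com
#ldap_default_authtok = secret-shared-by-all-clients
#ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

# (B) Host keytab: SSSD binds with SASL/GSSAPI as the client's own host
# principal, obtaining and renewing the ticket from the keytab itself,
# so there is no shared secret and access is attributable per host.
[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
ipa_hostname = client.example.com
krb5_keytab = /etc/krb5.keytab
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
sudo_provider = ipa
autofs_provider = ipa
# The per-client automount "location" discussed above maps to this option;
# with the ipa provider the sudo and automount search bases are derived
# from the IPA suffix and need no explicit ldap_*_search_base settings.
ipa_automount_location = default
```

Only one of the two [domain/example.com] stanzas may be active at a time; (A) is left commented out to show the weaker setting beside its replacement.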
