[Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Martin Kosek mkosek at redhat.com
Tue Oct 22 08:39:44 UTC 2013


On 10/22/2013 02:41 AM, Dean Hunter wrote:
> This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
> Guide currently has a procedure carried over from the 2.2 User Guide.
> And the procedure will be different, again, for the 3.4 User Guide. The
> procedure is based on
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
> 
> https://fedorahosted.org/freeipa/ticket/3756

Hi Dean,

Thanks for the patch! I have a few comments though.

1) ipa-client-install in the first paragraph should be in <code>. I also think
there should be a short introduction of the section instead of directly jumping
to editing configs.

I think that a modification of the previous one would work. Something like this:
~~~
Actually implementing sudo policies is more complicated than simply creating
the rules in FreeIPA. Those rules need to be applied to every local machine,
which means that each system in the FreeIPA domain has to be configured to
refer to FreeIPA for its policies.

This example specifically configures a Fedora client for sudo rules. sudo on
the client is configured to use SSSD as the source of the policies:
...
~~~

2) I see that in the configuration examples you already pasted executable
scripts from your automation.

However, I think that the "echo" and "sed" like examples will not bring enough
clarity for the users. I would rather prefer the standard examples (as in other
places in the guide) showing how the file should look and leave the
automation to the user (if they need it), i.e.

~~~
vim /etc/nsswitch.conf

sudoers:  files sss
~~~
instead of

~~~
[root@ipaclient ~]# echo "sudoers:    files sss" >>/etc/nsswitch.conf
~~~

or

~~~
[domain/example.com]
krb5_server = ipa.example.com
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = EXAMPLE.COM
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_uri = ldap://ipa.example.com
sudo_provider = ldap
~~~

instead of

~~~
[root@ipaclient ~]# sed "/^\[domain\/example.com\]/ a\\
> krb5_server = ipa.example.com\\
> ldap_sasl_authid = host/hostname.example.com\\
> ldap_sasl_mech = GSSAPI\\
> ldap_sasl_realm = EXAMPLE.COM\\
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
> ldap_uri = ldap://ipa.example.com\\
> sudo_provider = ldap" /etc/sssd/sssd.conf
~~~

etc.

This will make the examples easier to read and consistent with the rest of the
guide.

Martin
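The two client-side edits discussed in the thread (the sudoers line in nsswitch.conf and the sudo keys in the sssd.conf domain section) as an added example; this is not code from Dean's patch, from the FreeIPA guide or from the project. It shows the idempotent form of the "echo" step (re-running it does not append a second sudoers line, and an existing line is extended rather than shadowed, since NSS uses the first matching line) and a check that the domain section has what the quoted snippet lists. The check also requires "sudo" in the services list of the [sssd] section, which the quoted snippet does not show but which SSSD needs for the sss sudoers plugin to get answers. File paths are parameters so the helpers can be tried on scratch copies; `sed -i` assumes GNU sed; the sample files in `demo` are constructed for the example and are not real client configuration.

```shell
#!/bin/sh
# Added example, not code from the patch or from the FreeIPA guide.
# Helpers for the two client-side edits (nsswitch.conf, sssd.conf domain
# section) plus a check of the result. Files are passed as parameters;
# sed -i assumes GNU sed.

# Make sure the sudoers database line in an nsswitch.conf lists sss exactly
# once. Unlike `echo "sudoers: files sss" >> /etc/nsswitch.conf`, a second
# run adds nothing, and an existing sudoers line is extended rather than
# shadowed by a new one (NSS uses the first matching line).
ensure_sudoers_sss() {
    f=$1
    if grep -qE '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$f"; then
        return 0
    fi
    if grep -q '^sudoers:' "$f"; then
        # Replace trailing whitespace of the existing line with " sss".
        sed -i '/^sudoers:/ s/[[:space:]]*$/ sss/' "$f"
    else
        printf 'sudoers:    files sss\n' >> "$f"
    fi
}

# Print the value of key in [section] of an sssd.conf-style file (nothing if
# absent). Only lines inside that section count, so a key in another domain
# or in [sssd] cannot satisfy the lookup.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); insec = (s == sec); next }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
            }
        }' "$1"
}

# Check that [domain/$2] in sssd.conf $1 carries the keys the thread's
# snippet lists for sudo over SSSD, and that the sudo responder is enabled
# in [sssd] services (not shown in the snippet, but required by SSSD).
# Prints each problem found; returns 1 if there was any.
check_sudo_domain() {
    f=$1; dom=$2; rc=0
    sp=$(ini_get "$f" "domain/$dom" sudo_provider)
    if [ -z "$sp" ]; then
        echo "missing sudo_provider in [domain/$dom]"; rc=1
    elif [ "$sp" != ldap ]; then
        echo "sudo_provider in [domain/$dom] is $sp, expected ldap"; rc=1
    fi
    for key in ldap_uri ldap_sasl_mech ldap_sudo_search_base; do
        [ -n "$(ini_get "$f" "domain/$dom" "$key")" ] ||
            { echo "missing $key in [domain/$dom]"; rc=1; }
    done
    case " $(ini_get "$f" sssd services | tr ',' ' ') " in
        *" sudo "*) ;;
        *) echo "sudo responder not listed in [sssd] services"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed sample files (not real client configuration): an
# nsswitch.conf that already has a sudoers line, and an sssd.conf whose
# domain section lacks the sudo keys and whose services list lacks sudo.
demo() {
    d=$(mktemp -d)
    printf 'passwd:     files sss\nsudoers:    files\n' > "$d/nsswitch.conf"
    ensure_sudoers_sss "$d/nsswitch.conf"
    ensure_sudoers_sss "$d/nsswitch.conf"    # second run must change nothing
    cat "$d/nsswitch.conf"
    cat > "$d/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
krb5_server = ipa.example.com
ldap_uri = ldap://ipa.example.com
EOF
    check_sudo_domain "$d/sssd.conf" example.com || echo "sssd.conf needs work"
    rm -rf "$d"
}

demo
```

After the real files are in place, the end-to-end check is still `sudo -l` as a FreeIPA user on the client: the rule has to come back from SSSD, not just sit in the directory.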



