[Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Martin Basti mbasti@redhat.com
Tue Oct 22 08:53:51 UTC 2013


On Tue, 2013-10-22 at 10:39 +0200, Martin Kosek wrote:
> On 10/22/2013 02:41 AM, Dean Hunter wrote:
> > This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
> > Guide currently has a procedure carried over from the 2.2 User Guide.
> > And the procedure will be different, again, for the 3.4 User Guide. The
> > procedure is based on
> > http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
> > 
> > https://fedorahosted.org/freeipa/ticket/3756
> 
> Hi Dean,
> 
> Thanks for the patch! I have a few comments though.
> 
> 1) ipa-client-install in the first paragraph should be in <code>. I also think
> there should be a short introduction to the section instead of directly jumping
> to editing configs.
> 
I suggest using <command>ipa-client-install</command>.

> I think that a modification of the previous one would work. Something like this:
> ~~~
> Actually implementing sudo policies is more complicated than simply creating
> the rules in FreeIPA. Those rules need to be applied to every local machine,
> which means that each system in the FreeIPA domain has to be configured to
> refer to FreeIPA for its policies.
> 
> This example specifically configures a Fedora client for sudo rules. sudo on
> the client is configured to use SSSD as the source of the policies:
> ...
> ~~~
Here is something from the SSSD presentation which may help you too:
SSSD works as a middleman between the sudo command and the FreeIPA server.
SSSD caches sudo rules for a period of time, which makes sudo work even if the network is offline.

> 2) I see that in the configuration examples you already pasted executable
> scripts from your automation.
> 
> However, I think that the "echo"- and "sed"-like examples will not bring enough
> clarity to users. I would rather prefer the standard examples (as in other
> places in the guide) showing what the file should look like, and leave the
> automation to the user (if he needs it), i.e.
> 
> ~~~
> vim /etc/nsswitch.conf
> 
> sudoers:  files ldap
> ~~~
> instead of
> 
> ~~~
> [root@ipaclient ~]# echo "sudoers:    files sss" >>/etc/nsswitch.conf
> ~~~
> 
> or
> 
> ~~~
> [domain/example.com]
> krb5_server = ipa.example.com
> ldap_sasl_authid = host/hostname.example.com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_realm = EXAMPLE.COM
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_uri = ldap://ipa.example.com
> sudo_provider = ldap
> ~~~
> 
> instead of
> 
> ~~~
> [root@ipaclient ~]# sed "/^\[domain\/example.com\]/ a\\
> > krb5_server = ipa.example.com\\
> > ldap_sasl_authid = host/hostname.example.com\\
> > ldap_sasl_mech = GSSAPI\\
> > ldap_sasl_realm = EXAMPLE.COM\\
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
> > ldap_uri = ldap://ipa.example.com\\
> > sudo_provider = ldap" /etc/sssd/sssd.conf
> ~~~
> 
> etc.
> 
> This will make the examples easier to read and consistent with the rest of the
> guide.
> 
> Martin
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Martin Basti
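The two config changes discussed above (the `sudoers:` line in nsswitch.conf and the sudo keys in the `[domain/example.com]` section of sssd.conf), as an added example that is not part of Dean's patch, the guide, or the SSSD presentation. It does the automation Martin Kosek suggests keeping out of the guide, but idempotently: the quoted `echo >>` appends a second `sudoers:` line on every run, and the quoted `sed` has no `-i`, so it prints the edited file instead of changing it. It also adds the sudo responder to `services` in the `[sssd]` section, which the quoted snippet does not show but which `sudoers: files sss` needs. The host names, realm and search base are the thread's placeholders; the sample files are constructed here, not taken from a real client, and assume ipa-client-install already created the `[domain/example.com]` section.

```sh
#!/bin/sh
# Added example, not code from the patch or the FreeIPA guide. Applies the
# sudo-over-SSSD settings from the thread to nsswitch.conf and sssd.conf so that
# re-running never adds a second 'sudoers:' line or duplicate keys. The names
# ipa.example.com, hostname.example.com, EXAMPLE.COM and
# ou=sudoers,dc=example,dc=com are the thread's placeholders.
set -eu

# nsswitch.conf: exactly one 'sudoers:' line, pointing sudo at files, then sss.
# An existing line (e.g. 'sudoers: files ldap') is replaced, extra copies dropped.
set_nsswitch_sudoers() {
    nss_file=$1
    nss_tmp=$(mktemp)
    awk 'BEGIN { done = 0 }
         /^[ \t]*sudoers:/ { if (!done) { print "sudoers:    files sss"; done = 1 }; next }
         { print }
         END { if (!done) print "sudoers:    files sss" }' "$nss_file" > "$nss_tmp"
    cat "$nss_tmp" > "$nss_file"
    rm -f "$nss_tmp"
}

# sssd.conf [sssd]: the sudo responder must be listed in 'services', otherwise
# 'sudoers: files sss' has no responder to ask. Only the [sssd] section is touched.
enable_sssd_sudo_responder() {
    svc_file=$1
    svc_tmp=$(mktemp)
    awk '/^\[/ { insect = ($0 == "[sssd]") }
         insect && /^[ \t]*services[ \t]*=/ {
             if ($0 !~ /(^|[ ,=])sudo([ ,]|$)/) $0 = $0 ", sudo"
         }
         { print }' "$svc_file" > "$svc_tmp"
    cat "$svc_tmp" > "$svc_file"
    rm -f "$svc_tmp"
}

# sssd.conf [domain/<domain>]: write the seven keys from the thread directly under
# the section header, dropping any earlier value of those keys inside the section
# and leaving every other section and key untouched.
set_sssd_sudo() {
    dom_file=$1 domain=$2 server=$3 client=$4 realm=$5 base=$6
    section="[domain/$domain]"
    grep -Fxq "$section" "$dom_file" || {
        printf '%s: no %s section (run ipa-client-install first)\n' "$dom_file" "$section" >&2
        return 1
    }
    dom_tmp=$(mktemp)
    awk -v section="$section" -v server="$server" -v client="$client" \
        -v realm="$realm" -v base="$base" '
        BEGIN { keys["krb5_server"] = 1; keys["ldap_sasl_authid"] = 1
                keys["ldap_sasl_mech"] = 1; keys["ldap_sasl_realm"] = 1
                keys["ldap_sudo_search_base"] = 1; keys["ldap_uri"] = 1
                keys["sudo_provider"] = 1 }
        /^\[/ { insect = ($0 == section) }
        insect && $0 == section {
            print
            print "krb5_server = " server
            print "ldap_sasl_authid = host/" client
            print "ldap_sasl_mech = GSSAPI"
            print "ldap_sasl_realm = " realm
            print "ldap_sudo_search_base = " base
            print "ldap_uri = ldap://" server
            print "sudo_provider = ldap"
            next
        }
        insect { split($0, kv, /[ \t]*=[ \t]*/); if (kv[1] in keys) next }
        { print }' "$dom_file" > "$dom_tmp"
    cat "$dom_tmp" > "$dom_file"
    rm -f "$dom_tmp"
    chmod 0600 "$dom_file"   # SSSD checks sssd.conf's mode and will not start if it is too open
}

# Constructed sample files (not copied from a real host) in a temp dir; prints the dir.
# The nsswitch sample has a stale duplicated 'sudoers: files ldap'; the sssd sample has
# 'sudo_provider = none' in the IPA domain and a second domain that must stay unchanged.
demo() {
    dir=$(mktemp -d)
    printf 'passwd:     files sss\ngroup:      files sss\nsudoers:    files ldap\nsudoers:    files ldap\n' \
        > "$dir/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam\ndomains = example.com\n\n[domain/example.com]\nid_provider = ipa\nipa_server = ipa.example.com\nsudo_provider = none\n\n[domain/other]\nid_provider = ldap\n' \
        > "$dir/sssd.conf"
    set_nsswitch_sudoers "$dir/nsswitch.conf"
    enable_sssd_sudo_responder "$dir/sssd.conf"
    set_sssd_sudo "$dir/sssd.conf" example.com ipa.example.com hostname.example.com \
        EXAMPLE.COM "ou=sudoers,dc=example,dc=com"
    echo "$dir"
}
```

On a real client the same three functions would be pointed at /etc/nsswitch.conf and /etc/sssd/sssd.conf, followed by a restart of sssd; `sudo -l` run as a user covered by an IPA sudo rule then shows the rule coming through SSSD, and running the script a second time leaves both files byte-for-byte unchanged.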