<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Tue, 2013-10-22 at 10:39 +0200, Martin Kosek wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On 10/22/2013 02:41 AM, Dean Hunter wrote: > This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User > Guide currently has a procedure carried over from the 2.2 User Guide. > And the procedure will be different, again, for the 3.4 User Guide. The > procedure is based on > <A HREF="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</A>. > > <A HREF="https://fedorahosted.org/freeipa/ticket/3756">https://fedorahosted.org/freeipa/ticket/3756</A> Hi Dean, Thanks for the patch! I have few comments though. 1) ipa-client-install in the first paragraph should be in <code>. I also think there should be a short introduction of the section instead of directly jumping to editing configs. I think that a modification of the previous one would work. Something like that: ~~~ Actually implementing sudo policies is more complicated than simply creating the rules in FreeIPA. Those rules need to be applied to every local machine, which means that each system in the FreeIPA domain has to be configured to refer to FreeIPA for its policies. This example specifically configures a Fedora client for sudo rules. The sudo on client is configured to use SSSD as a source of the policies: ... ~~~ </PRE> </BLOCKQUOTE> For this reason I considered moving the entire section to chapter 3, Setting up Systems as FreeIPA Clients. <BLOCKQUOTE TYPE=CITE> <PRE> 2) I see that in the configuration examples you already pasted executable scripts from your automation. However, I think that the "echo" and "sed" like examples will not bring enough clarity for the users. I would rather prefer the standard examples (as in other places in the guide) showing how the file should look like and leave the automation on user (if he needs it), i.e. ~~~ vim /etc/nsswitch.conf sudoers: files ldap ~~~ instead of ~~~ [root@ipaclient] ~]# echo "sudoers: files sss" >>/etc/nsswitch.conf ~~~ or ~~~ [domain/example.com] krb5_server = ipa.example.com ldap_sasl_authid = host/hostname.example.com ldap_sasl_mech = GSSAPI ldap_sasl_realm = EXAMPLE.COM ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_uri = ldap://ipa.example.com sudo_provider = ldap ~~~ instead of ~~~ [root@ipaclient] ~]# sed "/^\[domain\/example.com\]/ a\\ > krb5_server = ipa.example.com\\ > ldap_sasl_authid = host/hostname.example.com\\ > ldap_sasl_mech = GSSAPI\\ > ldap_sasl_realm = EXAMPLE.COM\\ > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\ > ldap_uri = ldap://ipa.example.com\\ > sudo_provider = ldap" /etc/sssd/sssd.conf ~~~ etc. This will make the examples easier to read and consistent with the rest of the guide. </PRE> </BLOCKQUOTE> <PRE> </PRE> "What" instead of "How", got it. So even "vim /etc/nsswitch.conf" should not be specified, just list the changed lines of the affected file. <BLOCKQUOTE TYPE=CITE> <PRE> Martin </PRE> </BLOCKQUOTE> </BODY> </HTML>