<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6"> </HEAD> <BODY> On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote: <BLOCKQUOTE TYPE=CITE> <PRE> On 09/08/2013 01:35 AM, Dmitri Pal wrote: > On 09/07/2013 02:11 PM, Christian Horn wrote: >> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: >>> Are [1] and[2] still the current and best sources of information for >>> configuring sudo for use with the current release of FreeIPA on Fedora >>> 19? >>> >>> 1. >>> <A HREF="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html</A> >>> 2. >>> <A HREF="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</A> >> There is also the Identity_Management_Guide as part of the RHEL >> product documentation: >> <A HREF="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html</A> > This and the pdf above are the latest word in this area. Hi, those documents describes configuration for SSSD 1.9. Although it is still valid, we have simplified configuration for IPA provider in 1.10. The most up to date document for your version of SSSD is always man sssd-sudo. _______________________________________________ Freeipa-users mailing list <A HREF="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</A> <A HREF="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</A> </PRE> </BLOCKQUOTE> Thank you. Please verify that I have correctly understood your note. Your slides from 12-20-2012 applied to SSSD 1.9 and included a reference to the manual pages, which I now understand, as well as this example configuration: <BLOCKQUOTE> <PRE> <TT>sudo_provider = ldap</TT> <TT>ldap_uri = ldap://ipa.example.com</TT> <TT>ldap_sudo_search_base = ou=sudoers,dc=example,dc=com</TT> <TT>ldap_sasl_mech = GSSAPI</TT> <TT>ldap_sasl_authid = host/hostname.example.com</TT> <TT>ldap_sasl_realm = EXAMPLE.COM</TT> <TT>krb5_server = ipa.example.com</TT> </PRE> </BLOCKQUOTE> I have used this configuration with good results. However, reading "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph: <BLOCKQUOTE> When the SSSD is configured to use the IPA provider, the sudo provider is automatically enabled. The sudo search base is configured to use the compat tree (ou=sudoers,$DC). </BLOCKQUOTE> May I suggest that you change "IPA provider" to "IPA as the ID provider"? There are a number of providers identified in sssd.conf and most of them are configured to use IPA. Testing shows that the only change now required to sssd.conf is the addition of sudo to the services list in the sssd section [sssd]: <BLOCKQUOTE> <TT>services = autofs, nss, pam, ssh, sudo</TT> </BLOCKQUOTE> Add to this the one line change in nsswitch.conf <BLOCKQUOTE> <TT>sudoers: files sss</TT> </BLOCKQUOTE> and I am done. </BODY> </HTML>