[Freeipa-devel] ipa-client-install sudoers + automount

William Brown william.e.brown at adelaide.edu.au
Wed Oct 12 14:29:56 UTC 2011



> 
> These are both on our roadmap, we just haven't gotten to them yet:
> 
> https://fedorahosted.org/freeipa/ticket/1233 
> http://freeipa.org/page/SUDO_integration_plans

Okay, I did not find these two pages while searching. It appears to be
what I have just discussed however.

> 
>> Of the sudo bindpw or krb5_cc method in nss_ldap which is
>> preferred?
> 
> We currently provide a shared account for use with sudo as a
> temporary measure. sssd support is our preferred solution.

Okay. In terms of the SSSD sudo / automount provider, the biggest
issue I see is that to read the ou=SUDOers branch of the LDAP tree,
you must be bound (or for automount if anon bind is disabled). For
that you need either

A) A shared account for sudo reading
B) A way to extract the system's host krb5 ticket inside of SSSD to
make that query

It would be reasonable for SSSD to be able to extract the keytab to a
local cache, and just to renew / re-extract it if it expires when a
query is performed.

However, I see the benefit as being that you can cache those queries -
especially sudo's. Automount may not benefit from this however, since
in a situation where you are away from the IPA server, you are likely
away from NFS also.

An aside point - during the client auto-configuration, it would be
good to have automount "work out" the location of the client. This
could be used in
SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com" for example.

Has any work started on the SSSD sudo provider?

-- 
Sincerely,

William Brown

Research and Teaching
Information and Technology Services
The University of Adelaide

CRICOS Provider Number 00123M
-----------------------------------------------------------
IMPORTANT: This message may contain confidential or legally privileged
information. If you think it was sent to you by mistake, please delete
all copies and advise the sender. For the purposes of the SPAM Act
2003, this email is authorised by The University of Adelaide.
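The two bind choices raised in the message (a shared read account versus the host's own Kerberos credentials), written out as an sssd.conf fragment. This is an added example, not configuration from the thread or from the FreeIPA project; it assumes a later SSSD release that ships the sudo and autofs responders, and the host name, realm, base DN and bind DN are constructed values.

```ini
# Added example (not from the thread). Assumes an SSSD with the sudo and
# autofs responders; example.com, EXAMPLE.COM, client1 and the bind DN
# are constructed placeholders.

[sssd]
services = nss, pam, sudo, autofs
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
sudo_provider = ldap
autofs_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = ipa.example.com

# Sudo rules and automount maps live under their own containers, so each
# responder gets its own search base. Pointing automount at a per-location
# container is the SEARCH_BASE idea from the message.
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_autofs_search_base = cn=location,cn=automount,dc=example,dc=com

# Option A from the message: one shared read-only bind account. The same
# secret then sits in clear text in sssd.conf on every client, and
# revoking it means touching every client at once. Left commented out.
#ldap_default_bind_dn = uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
#ldap_default_authtok_type = password
#ldap_default_authtok = constructed-shared-secret

# Option B from the message: bind as the host's own principal. SSSD
# obtains the TGT from the keytab and renews it itself when
# ldap_krb5_init_creds is set, so no shared password is stored and each
# host's access can be revoked individually by disabling its principal.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client1.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

# Cache sudo rules so lookups keep working while the IPA server is
# unreachable; intervals are in seconds and the values are illustrative.
ldap_sudo_smart_refresh_interval = 900
ldap_sudo_full_refresh_interval = 21600
```

For the cached rules to be consulted, /etc/nsswitch.conf also needs `sudoers: files sss` and `automount: sss` (the latter only if automount should read its maps through SSSD). The keytab must be readable by the user SSSD runs as, and the file mode should stay 0600, since anyone who can read it can bind as the host.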
