[Freeipa-users] sudo hostgroup sanity check, please?
Nalin Dahyabhai
nalin at redhat.com
Wed Jul 11 00:34:35 UTC 2012
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote:
[snip]
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2

This may be unrelated, but keep in mind that these should be FQDNs,
because that's what the directory server SSL certificates have in them,
and a client will check that the name in the certificate the server uses
to identify itself matches the name that the client "thinks" the server
has, which the client derives from the URI values given here.

> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

Assuming your domain name is "UNIX.MAGELLANHEALTH.COM" and you haven't
changed the configuration for the Schema Compatibility plugin, this
looks correct. If your domain name is something else, you'll need to
change this setting to "ou=SUDOers,$basedn", where "basedn" is the value
listed in your server's /etc/ipa/default.conf file.

HTH,
Nalin
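
The two checks described in the reply above (URI hosts given as FQDNs, and sudoers_base equal to "ou=SUDOers,$basedn"), as an added example that is not part of the original message or of FreeIPA. The hostnames and DNs are constructed placeholders, the function names are hypothetical, and the FQDN test is a heuristic (it only looks for a domain part in the host).

```python
import configparser
from urllib.parse import urlparse

# Constructed sample inputs (hostnames and DNs are placeholders).
SUDO_LDAP_CONF = """\
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa1 ldap://ipa2.example.com
sudoers_base ou=SUDOers,dc=other,dc=example,dc=com
"""
IPA_DEFAULT_CONF = """\
[global]
basedn = dc=example,dc=com
"""

def parse_sudo_ldap(text):
    """Parse 'keyword value' lines; repeated uri lines accumulate."""
    conf = {"uri": []}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "uri":
            conf["uri"] += value.split()
        else:
            conf[key] = value
    return conf

def norm_dn(dn):
    # Simplified comparison: lowercase, no spaces around commas.
    return ",".join(p.strip().lower() for p in dn.split(","))

def check(sudo_ldap_text, ipa_default_text):
    """Return a list of findings; empty means both checks passed."""
    conf = parse_sudo_ldap(sudo_ldap_text)
    findings = []
    for uri in conf["uri"]:
        host = urlparse(uri).hostname or ""
        if "." not in host:  # heuristic: a short name has no domain part
            findings.append(f"uri {uri}: not an FQDN, cannot match the certificate name")
    ipa = configparser.ConfigParser(interpolation=None)
    ipa.read_string(ipa_default_text)
    expected = "ou=SUDOers," + ipa["global"]["basedn"]
    if norm_dn(conf.get("sudoers_base", "")) != norm_dn(expected):
        findings.append(f"sudoers_base should be {expected}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SUDO_LDAP_CONF, IPA_DEFAULT_CONF)) or "ok")
```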