[Freeipa-users] sudo rules in IPA infrastructure

Gelen James hahaha_30k at yahoo.com
Fri May 18 23:20:02 UTC 2012


Hi Stephen,

 That's very helpful. Thanks a lot.

--Gelen


________________________________
 From: Stephen Ingram <sbingram at gmail.com>
To: Gelen James <hahaha_30k at yahoo.com> 
Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>; Rob Crittenden <rcritten at redhat.com>; Rich Megginson <rmeggins at redhat.com> 
Sent: Friday, May 18, 2012 2:58 PM
Subject: Re: [Freeipa-users] sudo rules in IPA infrastructure
 
On Fri, May 18, 2012 at 2:35 PM, Gelen James <hahaha_30k at yahoo.com> wrote:
> Hi all,
>
>  Are the sudo rules applied to IPA clients through nss_ldap, instead of
> sssd?
>
>  I tried that on Redhat 6.2 clients, and some documents said that sudo rules
> would work when enabled inside /etc/nslcd.conf, but we need to hack the
> script /etc/init.d/nslcd.conf a little bit -- basically to mess around the
> sudo config statement before/after nslcd daemon runs as the latter still
> cannot handle sudo statements very well.

I just got sudo set up on 6.2. You do use /etc/nslcd.conf, but you
don't have to install the nslcd daemon to get it working. It just
looks to that file for the config. So remove nslcd and then just
create the /etc/nslcd.conf from scratch and put in what they specify
on the documentation. Make all of the other changes they mention and
it will just work!

>  Then on 5.8, where nslcd daemon is not available, should we edit
> /etc/ldap.conf for nss_ldap and how? Please shed some light on this. Thanks a
> lot.

Type sudo -V to be sure, but look for the ldap.conf path (on my 5.8 it
is /etc/ldap.conf). I haven't set this up yet, but I assume that you
can just add the config mentioned in the docs to ldap.conf along with
all of the other changes and you're off. As it worked perfectly on
6.2, I'm guessing it will also work on 5.8.

You can look through bugzilla and see the various discussions about
all of this, but suffice it to say there has been a fair amount of
discussion as to where to locate this sudo ldap config. I think it is
headed for /etc/ldap.sudo or something like that in 6.3, but as long
as you put it where sudo is looking for it, everything should work.

If you still can't get it to work, Adam Young has written a script
that you can look at to explain the process:
http://adam.younglogic.com/2011/03/centralized-sudo-with-freeipa/.

Steve
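Added example, not from this thread or from FreeIPA: a small POSIX shell audit of the sudo LDAP config Steve describes (the sudo keys in /etc/nslcd.conf on 6.2, or in /etc/ldap.conf on 5.8), checking the settings a defender cares about: transport protection, server certificate verification, and a bind password sitting in a world-readable file. Keys are those of sudoers.ldap(5); the sample configs, host names and password are constructed, and the `ldap.conf path:` line format is the one `sudo -V` prints when run as root.

```shell
# Added example (not the thread's or FreeIPA's code). Keys follow
# sudoers.ldap(5); sample hosts, base DNs and password are constructed.

# Print the config path sudo actually reads, from `sudo -V` output on stdin
# (the "ldap.conf path:" line is printed only when sudo -V runs as root).
ldap_conf_path_from_sudo_v() { sed -n 's/^ldap\.conf path: //p'; }

# audit_sudo_ldap_conf FILE: one finding per line; returns 0 when clean.
audit_sudo_ldap_conf() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: $f is not readable"; return 2; }
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$f")   # drop comments/blanks
    has() { printf '%s\n' "$conf" | grep -qiE "$1"; }
    has '^[[:space:]]*sudoers_base[[:space:]]' ||
        { echo "FAIL: no sudoers_base, sudo will find no rules"; rc=1; }
    # Transport: rules and the bind password must not cross the wire in clear.
    has '^[[:space:]]*(ssl[[:space:]]+start_tls|uri[[:space:]]+.*ldaps://)' ||
        { echo "FAIL: neither 'ssl start_tls' nor an ldaps:// uri"; rc=1; }
    has '^[[:space:]]*tls_checkpeer[[:space:]]+(yes|true|on)' ||
        { echo "FAIL: tls_checkpeer not enabled, server cert is not verified"; rc=1; }
    has '^[[:space:]]*tls_cacertfile[[:space:]]' ||
        { echo "WARN: tls_cacertfile unset (IPA clients use /etc/ipa/ca.crt)"; rc=1; }
    # A bindpw in a world-readable file leaks the bind account's password;
    # sudo can read it from root-only /etc/ldap.secret instead. GNU stat assumed.
    if has '^[[:space:]]*bindpw[[:space:]]'; then
        case "$(stat -c '%a' "$f")" in
            *[4-7]) echo "FAIL: bindpw in world-readable $f"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample configs: a weak one and its corrected form.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
uri ldap://ipa.example.test
sudoers_base ou=SUDOers,dc=example,dc=test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw not-a-real-password
EOF
chmod 644 "$tmp/weak.conf"
{ cat "$tmp/weak.conf"; printf 'ssl start_tls\ntls_cacertfile /etc/ipa/ca.crt\ntls_checkpeer yes\n'; } > "$tmp/good.conf"
chmod 600 "$tmp/good.conf"
audit_sudo_ldap_conf "$tmp/weak.conf" || echo "weak.conf: exit status $?"   # four findings, status 1
audit_sudo_ldap_conf "$tmp/good.conf" && echo "good.conf: clean"           # no findings, status 0
```

On a client, `sudo -V | ldap_conf_path_from_sudo_v` (as root) gives the file to pass to the audit, which is the quickest way to confirm where sudo is really looking, as Steve suggests.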