[Freeipa-users] RHEL 6.3 identity manual - IPA
Rajnesh Kumar Siwal
rajnesh.siwal at gmail.com
Mon Feb 4 15:57:20 UTC 2013
Hi Rob,
This is the way I configured it:-
1. Added the details in /etc/ldap.conf :-
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
    bindpw xxxxxxxxxxxxxxxx
    ssl start_tls
    tls_cacertfile /etc/ipa/ca.crt
    tls_checkpeer yes
    bind_timelimit 5
    timelimit 15
    uri ldap://ipa1.chargepoint.dmz
    sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
    sudoers_debug 1
2. Modified /etc/nsswitch.conf to fetch sudo details from ldap:-
    sudoers: files ldap
3. So what I can understand from the above steps is that I am
interacting directly with the LDAP (389-ds) Server (because I
am not using sss; ldap is being used instead).
On Mon, Feb 4, 2013 at 7:50 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Fred van Zwieten wrote:
>>
>> Hi,
>>
>> ipa-client-install should take care of setting up sudo on the client to
>> use IPA, afaik.
>>
>
> Not yet, https://fedorahosted.org/freeipa/ticket/3358
>
>> Essential line in nsswitch.conf:
>> sudoers: files ldap
>>
>> Please read here
>>
>> <https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#sudo>
>
>
> Note that the configuration file name is wrong for RHEL 6. You need to use
> /etc/sudo-ldap.conf.
>
> rob
>
>>
>> As for the second question. dc=example,dc=com is, well, an example.
>> example.com is used throughout the documentation for documentation
>> purposes where a domain name is needed. Please replace it with your
>> domain, e.g. dc=yourcompanyname,dc=com
>>
>> Kind regards,
>> Fred
>>
>>
>>
>> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal
>> <rajnesh.siwal at gmail.com> wrote:
>>
>> I am planning to use the sudo feature on IPA 2.2. By default the IPA
>> client that I configured does not seem to fetch the sudo user
>> details.
>>
>> It looks that we need to modify nsswitch.conf and ldap.conf to
>> support it.
>>
>> Can sssd take care of fetching the sudo user details ?
>>
>> Secondly, I am not able to find the password for
>> uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it ?
>> Will it be safe to change password of this sudo user or it may impact
>> the IPA Server ?
>>
>> Please suggest.
>>
>>
>> --
>> Regards,
>> Rajnesh Kumar Siwal
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
--
Regards,
Rajnesh Kumar Siwal
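
Added example, not part of the original message or of FreeIPA: a shell check of the sudo-ldap client settings listed in step 1 above (permissions on the file holding the cleartext bindpw, StartTLS, certificate verification, leftover debug). The function names and the placeholder password are assumptions made for this example; on RHEL 6 the file to check is /etc/sudo-ldap.conf, as Rob notes.

```sh
#!/bin/sh
# Added example: audit a sudo-ldap client config such as /etc/sudo-ldap.conf.
# Prints one finding per line; the return status is the number of findings.

# conf_get FILE KEY: print the last value set for KEY (key match is case-insensitive).
conf_get() {
    awk -v k="$2" '!/^[ \t]*#/ && tolower($1) == k {
        $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

audit_sudo_ldap_conf() {
    f=$1; n=0
    note() { echo "FINDING: $*"; n=$((n + 1)); }
    # bindpw is stored in cleartext, so group and other must have no access.
    if [ -n "$(conf_get "$f" bindpw)" ] &&
       [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        note "file with bindpw is accessible beyond its owner; chmod 600 $f"
    fi
    # A plain ldap:// URI without StartTLS sends the bind password unencrypted.
    case "$(conf_get "$f" uri)" in
        *ldap://*) [ "$(conf_get "$f" ssl)" = "start_tls" ] ||
                   note "uri uses ldap:// without 'ssl start_tls'" ;;
    esac
    # StartTLS only helps if the server certificate is checked against a CA.
    case "$(conf_get "$f" tls_checkpeer | tr 'A-Z' 'a-z')" in
        yes|on|true) ;;
        *) note "tls_checkpeer is not explicitly enabled" ;;
    esac
    [ -n "$(conf_get "$f" tls_cacertfile)" ] || note "tls_cacertfile is not set"
    # Debug output is for bring-up only.
    dbg=$(conf_get "$f" sudoers_debug)
    [ "${dbg:-0}" = "0" ] || note "sudoers_debug is $dbg; set it to 0 once sudo works"
    return "$n"
}

# Constructed sample: the directives from the message above, placeholder password.
write_sample() {
    cat > "$1" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa1.chargepoint.dmz
sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
sudoers_debug 1
EOF
}
if [ -n "${1:-}" ]; then audit_sudo_ldap_conf "$1"; fi
```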