[Freeipa-users] RHEL 6.3 identity manual - IPA

Rob Crittenden rcritten at redhat.com
Mon Feb 4 16:07:38 UTC 2013


Rajnesh Kumar Siwal wrote:
> Hi Rob,
>
> This is the way I configured it:-
> 1. Added the details in /etc/ldap.conf :-
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
> bindpw xxxxxxxxxxxxxxxx
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://ipa1.chargepoint.dmz
> sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
> sudoers_debug 1
>
> 2. Modified /etc/nsswitch.conf to fetch sudo details from ldap:-
> sudoers:    files ldap
>
> 3. So what I can understand from the above steps is that I am
> interacting directly with the LDAP (389-ds) Server (because I
> am not using sss (instead ldap is being used)).

What distribution and release number is the client?

Can you include what you see when you execute a sudo?

rob

>
>
> On Mon, Feb 4, 2013 at 7:50 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Fred van Zwieten wrote:
>>>
>>> Hi,
>>>
>>> ipa-client-install should take care of setting up sudo on the client to
>>> use IPA, afaik.
>>>
>>
>> Not yet, https://fedorahosted.org/freeipa/ticket/3358
>>
>>> Essential line in nsswitch.conf:
>>> sudoers:    files ldap
>>>
>>> Please read here
>>>
>>> <https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#sudo>
>>
>>
>> Note that the configuration file name is wrong for RHEL 6. You need to use
>> /etc/sudo-ldap.conf.
>>
>> rob
>>
>>>
>>> As for the second question. dc=example,dc=com is, well, an example.
>>> example.com is used throughout the documentation
>>> for documentation purposes where a domain name is needed. Please replace
>>> it with your domain, e.g. dc=yourcompanyname,dc=com
>>>
>>> Kind regards,
>>> Fred
>>>
>>>
>>>
>>> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal
>>> <rajnesh.siwal at gmail.com> wrote:
>>>
>>>      I am planning to use the sudo feature on IPA 2.2. By default the IPA
>>>      client that I configured does not seem to fetch the sudo user
>>>      details.
>>>
>>>      It looks that we need to modify nsswitch.conf and ldap.conf to
>>>      support it.
>>>
>>>      Can sssd take care of fetching the sudo user details ?
>>>
>>>      Secondly, I am not able to find the password for
>>>      uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it ?
>>>      Will it be safe to change password of this sudo user or it may impact
>>>      the IPA Server ?
>>>
>>>      Please suggest.
>>>
>>>
>>>      --
>>>      Regards,
>>>      Rajnesh Kumar Siwal
>>>
>>>      _______________________________________________
>>>      Freeipa-users mailing list
>>>      Freeipa-users at redhat.com
>>>      https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
>
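An added example, not part of the thread or of FreeIPA: a small Python check for the sudo LDAP client file discussed above (/etc/sudo-ldap.conf on RHEL 6, per Rob's note). The sample text is constructed from the settings quoted in the thread with example.com values; the finding codes and the policy behind them (TLS required, peer check on, a file holding bindpw not readable by group or other, debug off) are assumptions of this example.

```python
import os
import stat

# Constructed sample modelled on the settings quoted in the thread.
SAMPLE = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw REDACTED
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 1
"""

def parse(text):
    """Map each keyword (lower-cased) to its value, skipping comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text, mode=None):
    """Return finding codes (names are this example's own) for one config."""
    conf, found = parse(text), []
    uris = conf.get("uri", "").split()
    ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    encrypted = ldaps or conf.get("ssl", "").lower() == "start_tls"
    if not conf.get("sudoers_base"):
        found.append("NO_SUDOERS_BASE")    # nothing to search for rules
    if not encrypted:
        found.append("NO_TLS")             # bind password and rules in clear
    if conf.get("tls_checkpeer", "").lower() not in ("yes", "on", "true"):
        found.append("NO_PEER_CHECK")      # server certificate not verified
    if encrypted and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        found.append("NO_CA")              # no trust anchor configured
    if "bindpw" in conf and mode is not None and mode & 0o077:
        found.append("BINDPW_READABLE")    # secret readable by group/other
    if conf.get("sudoers_debug", "0") != "0":
        found.append("DEBUG_ON")           # debug output left enabled
    return found

def audit_file(path="/etc/sudo-ldap.conf"):
    """Audit a file on disk, including its permission bits."""
    with open(path) as fh:
        return audit(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    print(audit(SAMPLE, 0o600))
```

On a client, `audit_file()` reads the real file and its mode; it needs enough privilege to open a file that is correctly restricted to root.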



