[Freeipa-users] RHEL 6.3 identity manual - IPA

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Mon Feb 4 16:10:02 UTC 2013


IPA client details are :-
[rsiwal at gw1-test ~]$ rpm -qa|grep -i -w ipa
ipa-client-2.1.3-5.el5_9.2
[rsiwal at gw1-test ~]$ cat /etc/redhat-release
CentOS release 5.6 (Final)
[rsiwal at gw1-test ~]$ uname -a
Linux gw1-test 2.6.18-238.el5 #1 SMP Thu Jan 13 15:51:15 EST 2011 x86_64 x86_64 x86_64 GNU/Linux


On Mon, Feb 4, 2013 at 9:37 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Rajnesh Kumar Siwal wrote:
>>
>> Hi Rob,
>>
>> This is the way I configured it:-
>> 1. Added the details in /etc/ldap.conf :-
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=chargepoint,dc=dmz
>> bindpw xxxxxxxxxxxxxxxx
>>
>> ssl start_tls
>> tls_cacertfile /etc/ipa/ca.crt
>> tls_checkpeer yes
>>
>> bind_timelimit 5
>> timelimit 15
>>
>> uri ldap://ipa1.chargepoint.dmz
>> sudoers_base ou=SUDOers,dc=chargepoint,dc=dmz
>> sudoers_debug 1
>>
>> 2. Modified /etc/nsswitch.conf to fetch sudo details from ldap:-
>> sudoers:    files ldap
>>
>> 3. So what I can understand from the above steps is that I am
>> interacting directly with the LDAP (389-ds) Server (because I
>> am not using sss (instead ldap is being used)).
>
>
> What distribution and release number is the client?
>
> Can you include what you see when you execute a sudo?
>
> rob
>
>
>>
>>
>> On Mon, Feb 4, 2013 at 7:50 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>> Fred van Zwieten wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> ipa-client-install should take care of setting up sudo on the client to
>>>> use IPA, afaik.
>>>>
>>>
>>> Not yet, https://fedorahosted.org/freeipa/ticket/3358
>>>
>>>> Essential line in nsswitch.conf:
>>>> sudoers:    files ldap
>>>>
>>>> Please read here
>>>>
>>>>
>>>> <https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#sudo>
>>>
>>>
>>>
>>> Note that the configuration file name is wrong for RHEL 6. You need to use
>>> /etc/sudo-ldap.conf.
>>>
>>> rob
>>>
>>>>
>>>> As for the second question. dc=example,dc=com is, well, an example.
>>>> example.com is used throughout the documentation
>>>> for documentation purposes where a domain name is needed. Please replace
>>>> it with your domain, e.g. dc=yourcompanyname,dc=com
>>>>
>>>> Kind regards,
>>>> Fred
>>>>
>>>>
>>>>
>>>> On Mon, Feb 4, 2013 at 7:29 AM, Rajnesh Kumar Siwal
>>>> <rajnesh.siwal at gmail.com> wrote:
>>>>
>>>>      I am planning to use the sudo feature on IPA 2.2. By default the IPA
>>>>      client that I configured does not seem to fetch the sudo user
>>>>      details.
>>>>
>>>>      It looks like we need to modify nsswitch.conf and ldap.conf to
>>>>      support it.
>>>>
>>>>      Can sssd take care of fetching the sudo user details?
>>>>
>>>>      Secondly, I am not able to find the password for
>>>>      uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com . How do I find it?
>>>>      Will it be safe to change the password of this sudo user, or may it impact
>>>>      the IPA Server?
>>>>
>>>>      Please suggest.
>>>>
>>>>
>>>>      --
>>>>      Regards,
>>>>      Rajnesh Kumar Siwal
>>>>
>>>>      _______________________________________________
>>>>      Freeipa-users mailing list
>>>>      Freeipa-users at redhat.com
>>>>      https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>>
>>
>



-- 
Regards,
Rajnesh Kumar Siwal
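
A check for the client settings listed in steps 1 and 2 of the quoted message, as an added example that is not part of the original thread or of FreeIPA. The function names, the sample host, base DN and password, and the rule that a file holding `bindpw` should not be world-readable are assumptions of this example.

```python
import stat

# Constructed sample mirroring the directives in the quoted /etc/ldap.conf
# (placeholder host, base DN and password).
SAMPLE_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw PLACEHOLDER
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
"""

def parse_conf(text):
    """Parse 'keyword value' lines; keywords are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf_text, nsswitch_text, file_mode):
    """Return findings for a sudo-over-LDAP client configuration."""
    conf, findings = parse_conf(conf_text), []
    uris = conf.get("uri", "").split()
    ssl = conf.get("ssl", "").lower()
    ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    # A plain ldap:// URI sends the simple bind (binddn/bindpw) unencrypted
    # unless StartTLS is requested.
    if any(u.lower().startswith("ldap://") for u in uris) and ssl != "start_tls":
        findings.append("ldap:// uri without 'ssl start_tls'")
    if ldaps or ssl == "start_tls":
        if conf.get("tls_checkpeer", "").lower() not in ("yes", "on", "true"):
            findings.append("tls_checkpeer not enabled")
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append("no CA certificate configured")
    if "sudoers_base" not in conf:
        findings.append("sudoers_base missing")
    # Assumption of this example: a file holding bindpw must not be readable by "other".
    if "bindpw" in conf and file_mode & stat.S_IROTH:
        findings.append("bindpw in world-readable file")
    sources = [l.split(":", 1)[1].split() for l in nsswitch_text.splitlines()
               if l.strip().startswith("sudoers:")]
    if not sources or "ldap" not in sources[-1]:
        findings.append("nsswitch.conf: sudoers does not list ldap")
    return findings
```

On a real client, pass the contents of the configuration file and `/etc/nsswitch.conf` together with `os.stat(path).st_mode` for the configuration file.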



