[Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install
Han Boetes
hboetes at gmail.com
Thu Feb 21 14:07:10 UTC 2013
This is what you have to do to enable sudo support while using freeipa: I got it all from sssd-sudo(5).

    # yum install libsss_sudo

Add this line to /etc/nsswitch.conf:

    sudoers: files sss

Edit /etc/sssd/sssd.conf and make the following changes:

Add sudo to the "services =" line.

And add lines like these to the [domain/example.com] section:

    sudo_provider = ldap
    ldap_uri = ldap://ipa.example.com
    ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/hostname.example.com
    ldap_sasl_realm = EXAMPLE.COM
    krb5_server = ipa.example.com

And after that sudo should work. For debugging, stop the sssd service and run sssd with the following options:

    /usr/sbin/sssd -D -f -d4

And then tail /var/log/sssd/sssd_example.com.log

My request to the freeipa developers is to add an option to the ipa-install-client script to support these changes. Perhaps even make it the default since it's so nice and useful to have.

# Han
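
The client-side settings listed in the message above can be verified with a short script. This is an added example, not part of the original post and not FreeIPA or SSSD code; the function name `check_sudo_sssd` and the embedded sample file contents are constructed for illustration, and file contents are passed in as strings so it runs offline.

```python
import configparser

# Keys the post lists for the [domain/...] section of sssd.conf.
REQUIRED = ("sudo_provider", "ldap_uri", "ldap_sudo_search_base",
            "ldap_sasl_mech", "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server")
# Constructed sample inputs mirroring the settings in the post.
SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files sss\n"
SAMPLE_SSSD = """[sssd]
services = nss, pam, sudo
[domain/example.com]
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com
"""

def check_sudo_sssd(nsswitch_text, sssd_text, domain):
    """Return a list of problems; an empty list means all settings are present."""
    problems, sources = [], []
    # nsswitch.conf: the sudoers database must list the sss source.
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            sources = line.split(":", 1)[1].split()
    if "sss" not in sources:
        problems.append("nsswitch.conf: sudoers line does not list sss")
    # sssd.conf is INI-style; interpolation is off because values may contain '%'.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("sssd.conf: [sssd] services does not include sudo")
    section = "domain/" + domain
    if not cfg.has_section(section):
        return problems + ["sssd.conf: missing [%s] section" % section]
    for key in REQUIRED:
        if not cfg.get(section, key, fallback="").strip():
            problems.append("sssd.conf: [%s] lacks %s" % (section, key))
    # The post binds with GSSAPI as the host principal; flag other values.
    if cfg.get(section, "ldap_sasl_mech", fallback="GSSAPI") != "GSSAPI":
        problems.append("sssd.conf: ldap_sasl_mech is not GSSAPI")
    if not cfg.get(section, "ldap_sasl_authid", fallback="host/").startswith("host/"):
        problems.append("sssd.conf: ldap_sasl_authid is not a host/ principal")
    return problems

if __name__ == "__main__":
    print(check_sudo_sssd(SAMPLE_NSSWITCH, SAMPLE_SSSD, "example.com") or "ok")
```

On a real client, pass in the contents of /etc/nsswitch.conf and /etc/sssd/sssd.conf; sssd.conf is normally readable only by root.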