[Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install
Jakub Hrozek
jhrozek at redhat.com
Thu Feb 21 14:11:21 UTC 2013
On Thu, Feb 21, 2013 at 03:07:10PM +0100, Han Boetes wrote:
> This is what you have to do to enable sudo support while using freeipa: I
> got it all from sssd-sudo(5).
>
> # yum install libsss_sudo
>
> Add this line to /etc/nsswitch.conf
>
> sudoers: files sss
>
> Edit /etc/sssd/sssd.conf and make the following changes:
>
> Add sudo to the "services =" line.
>
> And add lines like these to the [domain/example.com] section
>
> sudo_provider = ldap
> ldap_uri = ldap://ipa.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/hostname.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb5_server = ipa.example.com
>
> And after that sudo should work. For debugging stop the sssd service and
> run sssd with the following options:
>
> /usr/sbin/sssd -D -f -d4
>
> And then tail /var/log/sssd/sssd_example.com.log
>
> My request to the freeipa developers is to add an option to
> ipa-install-client script to support these changes. Perhaps even make it
> the default since it's so nice and useful to have.
>
>
>
> # Han
There is already https://fedorahosted.org/freeipa/ticket/3358 open which
is tracking the exact use case.
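
Added example, not part of either message and not FreeIPA code: a shell check that a client's files carry the settings listed in the quoted steps (the sss source for sudoers, sudo in the services line, and the domain keys). The names ini_get, fail and check_sudo_sssd are made up for this example, and the file paths and domain are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a client for the sudo/SSSD settings from the quoted message.
# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        !insec || /^[ \t]*[#;]/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

fail() { echo "FAIL: $1"; bad=$((bad + 1)); }

# check_sudo_sssd NSSWITCH SSSD_CONF DOMAIN: print findings, return their count
check_sudo_sssd() {
    nss=$1 conf=$2 dom=$3 bad=0
    # nsswitch.conf: the sudoers database must list the sss source
    grep -Eq '^[[:space:]]*sudoers:([[:space:]]+[^#[:space:]]+)*[[:space:]]+sss([[:space:]]|$)' "$nss" \
        || fail "$nss: no sudoers line listing sss"
    # [sssd] section: the services list must include sudo
    ini_get "$conf" sssd services | tr ',' '\n' | tr -d ' \t' | grep -qx sudo \
        || fail "[sssd] services lacks sudo"
    # domain section: every key from the message must be set
    for key in sudo_provider ldap_uri ldap_sudo_search_base ldap_sasl_mech \
               ldap_sasl_authid ldap_sasl_realm krb5_server; do
        [ -n "$(ini_get "$conf" "domain/$dom" "$key")" ] \
            || fail "[domain/$dom] $key is not set"
    done
    # the message binds with GSSAPI; report any other SASL mechanism
    mech=$(ini_get "$conf" "domain/$dom" ldap_sasl_mech)
    [ -z "$mech" ] || [ "$mech" = GSSAPI ] || fail "ldap_sasl_mech is $mech, not GSSAPI"
    return "$bad"
}

# Usage: sh check.sh /etc/nsswitch.conf /etc/sssd/sssd.conf example.com
if [ $# -eq 3 ]; then check_sudo_sssd "$@"; fi
```

Run it as root on a live client, since /etc/sssd/sssd.conf is normally readable only by root; the exit status is the number of findings.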