[Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install

Jakub Hrozek jhrozek at redhat.com
Thu Feb 21 14:11:21 UTC 2013


On Thu, Feb 21, 2013 at 03:07:10PM +0100, Han Boetes wrote:
> This is what you have to do to enable sudo support while using freeipa: I
> got it all from sssd-sudo(5).
> 
>   # yum install libsss_sudo
> 
> Add this line to /etc/nsswitch.conf
> 
>   sudoers: files sss
> 
> Edit /etc/sssd/sssd.conf and make the following changes:
> 
> Add sudo to the "services =" line.
> 
> And add lines like these to the [domain/example.com] section:
> 
>            sudo_provider = ldap
>            ldap_uri = ldap://ipa.example.com
>            ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>            ldap_sasl_mech = GSSAPI
>            ldap_sasl_authid = host/hostname.example.com
>            ldap_sasl_realm = EXAMPLE.COM
>            krb5_server = ipa.example.com
> 
> And after that sudo should work. For debugging stop the sssd service and
> run sssd with the following options:
> 
> /usr/sbin/sssd -D -f -d4
> 
> And then tail /var/log/sssd/sssd_example.com.log
> 
> My request to the freeipa developers is to add an option to
> ipa-install-client script to support these changes. Perhaps even make it
> the default since it's so nice and useful to have.
> 
> 
> 
> # Han

There is already https://fedorahosted.org/freeipa/ticket/3358 open which
is tracking the exact use case.
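
A way to check a client for the three changes listed in the quoted message, as an added example that is not part of either message and is not FreeIPA or sssd code. The function names `ini_get` and `check_sudo_sssd` are hypothetical, and the file paths and domain are passed in by the caller.

```shell
#!/bin/sh
# Usage: check_sudo_sssd NSSWITCH_FILE SSSD_CONF DOMAIN
# (function names are hypothetical; they are not part of sssd or FreeIPA)

# Print the value of KEY inside [SECTION] of an INI-style file.
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); in_s = ($0 == sect); next }
        in_s {
            i = index($0, "=")                       # split on the first "=" only
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one line per check; return 0 only if every check passes.
check_sudo_sssd() {
    nss=$1; conf=$2; dom=$3; rc=0
    # 1. nsswitch.conf: the sudoers database must list the sss source.
    if grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)' "$nss"; then
        echo "ok:   sudoers uses sss in $nss"
    else
        echo "FAIL: no 'sudoers: ... sss' line in $nss"; rc=1
    fi
    # 2. sssd.conf: the services line of [sssd] must include sudo.
    case ",$(ini_get "$conf" sssd services | tr -d ' \t')," in
        *,sudo,*) echo "ok:   sudo listed in [sssd] services" ;;
        *)        echo "FAIL: sudo missing from [sssd] services"; rc=1 ;;
    esac
    # 3. sssd.conf: the domain section must carry the sudo provider settings.
    for key in sudo_provider ldap_sudo_search_base; do
        val=$(ini_get "$conf" "domain/$dom" "$key")
        if [ -n "$val" ]; then
            echo "ok:   $key = $val"
        else
            echo "FAIL: $key not set in [domain/$dom]"; rc=1
        fi
    done
    return "$rc"
}
```

Source the file and run `check_sudo_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf example.com` as root, since sssd.conf is normally readable only by root.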



