[Freeipa-users] Configure IPA 3.1.5 client for sudo?

Jakub Hrozek jhrozek at redhat.com
Tue Jun 25 20:39:12 UTC 2013


On Tue, Jun 25, 2013 at 08:56:55AM -0500, Dean Hunter wrote:
> Yay, It works! Once I thumb finger the configuration files correctly.
> 
> May I request that y'all start alphabetizing entries where sequence is
> not important so that it is easier for humans to find a single entry:
> 
> [dean@desktop ~]$ sudo cat /etc/sssd/sssd.conf
> [sudo] password for dean: 
> [sssd]
> config_file_version = 2
> domains = hunter.org
> services = autofs, nss, pam, ssh, sudo
> 
> [domain/hunter.org]
> access_provider = ipa
> auth_provider = ipa
> autofs_provider = ipa
> cache_credentials = True
> chpass_provider = ipa
> id_provider = ipa
> ipa_automount_location = VM
> ipa_domain = hunter.org
> ipa_dyndns_update = True
> ipa_hostname = desktop.hunter.org
> ipa_server = _srv_, ipa.hunter.org
> krb5_store_password_if_offline = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> 

The above is fairly generic (and correct) IPA provider configuration as
produced by ipa-client-install...

> # For the SUDO integration
> krb5_server = ipa.hunter.org
> ldap_sasl_authid = host/desktop.hunter.org
> ldap_sasl_mech = GSSAPI
> ldap_sasl_realm = HUNTER.ORG
> ldap_sudo_search_base = ou=sudoers,dc=hunter,dc=org
> ldap_uri = ldap://ipa.hunter.org
> sudo_provider = ldap

..and the section above is a workaround to make SSSD prior to 1.10 download
the sudo rules from IPA correctly. You won't be needing that part starting
with SSSD 1.10 as we made that the default for "sudo_provider = ipa".

I'm glad the sudo integration works for you now!
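
Added example (not part of the original message, and not SSSD or FreeIPA project code): a small check that reports which of the workaround options quoted above can be dropped from an sssd.conf once the client runs SSSD 1.10 or later, after which the message's "sudo_provider = ipa" applies. The function name and the sample text are assumptions made for illustration, and the script treats all seven quoted options as workaround-only, as in the post.

```python
import configparser

# The seven options the post lists under "# For the SUDO integration".
WORKAROUND_KEYS = (
    "krb5_server", "ldap_sasl_authid", "ldap_sasl_mech", "ldap_sasl_realm",
    "ldap_sudo_search_base", "ldap_uri", "sudo_provider",
)

# Constructed sample: an abbreviated copy of the sssd.conf quoted in the post.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = hunter.org

[domain/hunter.org]
id_provider = ipa
# For the SUDO integration
krb5_server = ipa.hunter.org
ldap_sasl_authid = host/desktop.hunter.org
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = HUNTER.ORG
ldap_sudo_search_base = ou=sudoers,dc=hunter,dc=org
ldap_uri = ldap://ipa.hunter.org
sudo_provider = ldap
"""

def removable_sudo_workaround(conf_text, sssd_version):
    """Map each domain section to the workaround keys that can be dropped.

    sssd_version is a (major, minor) tuple. Before 1.10 the workaround is
    still required, so nothing is reported.
    """
    if sssd_version < (1, 10):
        return {}
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    found = {}
    for section in cp.sections():
        opts = cp[section]
        # Only an IPA domain whose sudo rules come via the LDAP provider
        # matches the workaround described in the post.
        if (section.startswith("domain/")
                and opts.get("id_provider") == "ipa"
                and opts.get("sudo_provider") == "ldap"):
            found[section] = [k for k in WORKAROUND_KEYS if k in opts]
    return found

if __name__ == "__main__":
    print(removable_sudo_workaround(SAMPLE_CONF, (1, 10)))
```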



