[Freeipa-users] freeipa and sudo

Dean Hunter deanhunter at comcast.net
Mon Sep 9 17:32:10 UTC 2013


On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:

> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> > On 09/07/2013 02:11 PM, Christian Horn wrote:
> >> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >>> Are [1] and[2] still the current and best sources of information for
> >>> configuring sudo for use with the current release of FreeIPA on Fedora
> >>> 19?
> >>>
> >>> 1.
> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>> 2.
> >>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >> There is also the Identity_Management_Guide as part of the RHEL
> >> product documentation:
> >> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> > This and the pdf above are the latest word in this area.
> 
> Hi,
> those documents describe the configuration for SSSD 1.9. Although it is
> still valid, we have simplified the configuration for the IPA provider in 1.10.
> 
> The most up to date document for your version of SSSD is always man 
> sssd-sudo.
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


Thank you.  Please verify that I have correctly understood your note.
Your slides from 12-20-2012 applied to SSSD 1.9 and included a reference
to the manual pages, which I now understand, as well as this example
configuration:

        sudo_provider = ldap
        ldap_uri = ldap://ipa.example.com
        ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
        ldap_sasl_mech = GSSAPI
        ldap_sasl_authid = host/hostname.example.com
        ldap_sasl_realm = EXAMPLE.COM
        krb5_server = ipa.example.com

I have used this configuration with good results.  However, reading "man
sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:

        When the SSSD is configured to use the IPA provider, the sudo provider
        is automatically enabled. The sudo search base is configured to use the
        compat tree (ou=sudoers,$DC).

May I suggest that you change "IPA provider" to "IPA as the ID
provider"?  There are a number of providers identified in sssd.conf and
most of them are configured to use IPA.

Testing shows that the only change now required to sssd.conf is the
addition of sudo to the services list in the sssd section [sssd]:

        services = autofs, nss, pam, ssh, sudo

Add to this the one-line change in nsswitch.conf:

        sudoers:    files sss

and I am done.
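As an added example (not code from this thread, from SSSD or from FreeIPA), the following Python check encodes the two layouts discussed above: the simplified SSSD 1.10 layout, where `id_provider = ipa` implies the sudo provider and only `sudo` in the `[sssd]` services list is still needed, and the older explicit layout with `sudo_provider = ldap` and the `ldap_*`/`krb5_*` keys from the slides. It also checks that nsswitch.conf resolves the `sudoers` database via `sss`. The sample files are constructed; the `ipa_server`/`ipa_domain` lines in the IPA sample are assumed for illustration and are not validated beyond being present.

```python
"""Does an sssd.conf / nsswitch.conf pair have the pieces needed for sudo
rules to come from SSSD?  Added illustration, not from the thread or SSSD.

Accepted sssd.conf layouts:
  * id_provider = ipa (SSSD 1.10+): sudo provider implied, search base defaults
    to the compat tree ou=sudoers,$DC; only "sudo" in [sssd] services is needed.
  * explicit sudo_provider = ldap with the ldap_*/krb5_* keys from the slides.
In both cases nsswitch.conf must list "sss" for the sudoers database.
"""
import configparser
import re

# Keys the explicit layout needs; the list is taken from the slide excerpt above.
EXPLICIT_LDAP_KEYS = (
    "sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server",
)


def _parse(text):
    # sssd.conf is INI-style: keep key case, split only on "=", no %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text):
    """Return a list of findings; an empty list means the sudo wiring is complete."""
    cp = _parse(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    findings = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services does not include sudo")
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings.append(f"{sect}: section missing")
        elif cp.get(sect, "id_provider", fallback="") == "ipa":
            pass  # IPA ID provider: sudo provider is implied, nothing more to require
        else:
            missing = [k for k in EXPLICIT_LDAP_KEYS if not cp.has_option(sect, k)]
            if missing:
                findings.append(f"{sect}: explicit sudo config missing " + ", ".join(missing))
            elif cp.get(sect, "sudo_provider") != "ldap":
                findings.append(f"{sect}: sudo_provider is not ldap")
    return findings


def check_nsswitch(text):
    """True if the sudoers line in nsswitch.conf lists sss as a source."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"sudoers\s*:\s*(.*)", line)
        if m:
            return "sss" in m.group(1).split()
    return False


# Constructed sample files for a hypothetical host (ipa_server/ipa_domain assumed).
SSSD_IPA = """\
[sssd]
services = autofs, nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
ipa_domain = example.com
"""

SSSD_EXPLICIT = """\
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com
"""

SSSD_NO_SUDO_SERVICE = SSSD_IPA.replace(", sudo", "")  # forgot the services change

NSSWITCH_OK = "passwd:     files sss\nsudoers:    files sss\n"
NSSWITCH_BAD = "passwd:     files sss\nsudoers:    files\n"

if __name__ == "__main__":
    for name, conf in (("ipa", SSSD_IPA), ("explicit", SSSD_EXPLICIT),
                       ("no-sudo-service", SSSD_NO_SUDO_SERVICE)):
        print(name, check_sssd_conf(conf) or "ok")
    print("nsswitch:", check_nsswitch(NSSWITCH_OK), check_nsswitch(NSSWITCH_BAD))
```

Running it against real files is a matter of passing `open("/etc/sssd/sssd.conf").read()` and `open("/etc/nsswitch.conf").read()` to the two functions; the check only inspects the files and does not confirm that the IPA server actually serves the compat tree, which is what `sudo -l` on the client would show.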
