[Freeipa-users] freeipa and sudo

Pavel Březina pbrezina at redhat.com
Wed Sep 11 09:21:51 UTC 2013


On 09/09/2013 07:32 PM, Dean Hunter wrote:
>
> On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
>> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>> Are [1] and [2] still the current and best sources of
>>>>> information for configuring sudo for use with the current
>>>>> release of FreeIPA on Fedora 19?
>>>>>
>>>>> 1.
>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>>
>>>>> 2.
>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>
>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>> product documentation:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>>>
>>> This and the pdf above are the latest word in this area.
>>
>> Hi, those documents describe configuration for SSSD 1.9. Although
>> it is still valid, we have simplified configuration for the IPA
>> provider in 1.10.
>>
>> The most up to date document for your version of SSSD is always
>> man sssd-sudo.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Thank you. Please verify that I have correctly understood your note.
> Your slides from 12-20-2012 applied to SSSD 1.9 and included a
> reference to the manual pages, which I now understand, as well as
> this example configuration:
>
> sudo_provider = ldap
> ldap_uri = ldap://ipa.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/hostname.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb5_server = ipa.example.com
>
> I have used this configuration with good results. However, reading
> "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
>
> When the SSSD is configured to use the IPA provider, the sudo
> provider is automatically enabled. The sudo search base is configured
> to use the compat tree (ou=sudoers,$DC).

I forgot that the configuration was simplified also in 1.9. You can just
stick with the contents of sssd-sudo. I.e. you only need to put sudo in
"services" (there's an RFE to do it automatically by ipa-client-install)
and "sudoers: files sss" in /etc/nsswitch.conf.

> May I suggest that you change "IPA provider" to "IPA as the ID
> provider"?  There are a number of providers identified in sssd.conf
> and most of them are configured to use IPA.

This is a valid point, thanks.

>
> Testing shows that the only change now required to sssd.conf is the
> addition of sudo to the services list in the sssd section [sssd]:
>
> services = autofs, nss, pam, ssh, sudo
>
> Add to this the one line change in nsswitch.conf
>
> sudoers:    files sss
>
> and I am done.

Correct.
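The thread settles on two settings for an IPA client with SSSD 1.9 or later: `sudo` in the `services` list of the `[sssd]` section of sssd.conf, and `sss` on the `sudoers` line of /etc/nsswitch.conf. The script below is an added example, not something posted in the thread or shipped with SSSD or FreeIPA; it checks both settings on a host and reports what is missing, so a fleet can be audited before relying on IPA-managed sudo rules. It parses the INI sections properly so that a `services = sudo` line in a `[domain/...]` section is not mistaken for the one in `[sssd]`, and it ignores commented-out `sudoers:` lines. The file paths default to the real locations but are parameters (assumed here), so the functions can be run against copies.

```shell
#!/bin/sh
# Added example: verify the two settings the thread arrives at.
# Not code from the thread, SSSD or FreeIPA. Paths are parameters so the
# check can be pointed at copied files; defaults are the system locations.

# Return 0 if the "services" line inside the [sssd] section of the given
# sssd.conf lists sudo, 1 otherwise. Other sections are ignored.
sssd_has_sudo_service() {
    conf="$1"
    awk '
        # Any section header switches the "inside [sssd]" flag on or off.
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd][[:space:]]*$/); next }
        in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                       # drop "services ="
            n = split($0, svc, /[[:space:],]+/)     # comma/space separated
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Return 0 if an uncommented "sudoers:" line in nsswitch.conf names sss,
# 1 otherwise.
nsswitch_has_sss_sudoers() {
    nss="$1"
    awk '
        /^[[:space:]]*#/ { next }                    # skip comments
        /^[[:space:]]*sudoers[[:space:]]*:/ {
            sub(/^[^:]*:/, "")                       # drop "sudoers:"
            n = split($0, src, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$nss"
}

# Run both checks, print a line per setting, return 0 only if both pass.
check_ipa_sudo() {
    conf="${1:-/etc/sssd/sssd.conf}"
    nss="${2:-/etc/nsswitch.conf}"
    rc=0
    if sssd_has_sudo_service "$conf"; then
        echo "ok: sudo is listed in [sssd] services in $conf"
    else
        echo "missing: add sudo to the services line of the [sssd] section in $conf"
        rc=1
    fi
    if nsswitch_has_sss_sudoers "$nss"; then
        echo "ok: sudoers line in $nss includes sss"
    else
        echo "missing: set 'sudoers: files sss' in $nss"
        rc=1
    fi
    return $rc
}

# Run the check when invoked with two explicit paths; otherwise the file
# can be sourced and check_ipa_sudo called with no arguments for the
# system files.
if [ "$#" -eq 2 ]; then
    check_ipa_sudo "$1" "$2"
fi
```

Sourcing the file and calling `check_ipa_sudo` with no arguments inspects the live /etc/sssd/sssd.conf (which is root-readable only) and /etc/nsswitch.conf; a non-zero exit from either function is what a configuration-management check or monitoring probe would key on.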
