[Freeipa-users] freeipa and sudo

Pavel Březina pbrezina at redhat.com
Wed Sep 11 09:38:05 UTC 2013


On 09/11/2013 11:21 AM, Pavel Březina wrote:
> On 09/09/2013 07:32 PM, Dean Hunter wrote:
>>
>> On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
>>> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
>>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>>> Are [1] and [2] still the current and best sources of
>>>>>> information for configuring sudo for use with the current
>>>>>> release of FreeIPA on Fedora 19?
>>>>>>
>>>>>> 1.
>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>>>
>>>>>> 2.
>>>>>> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>>>>
>>>>> There is also the Identity_Management_Guide as part of the RHEL
>>>>> product documentation:
>>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>>>>
>>>> This and the pdf above are the latest word in this area.
>>>
>>> Hi, those documents describe configuration for SSSD 1.9. Although
>>> it is still valid, we have simplified configuration for IPA
>>> provider in 1.10.
>>>
>>> The most up to date document for your version of SSSD is always
>>> man sssd-sudo.
>>>
>>
>> Thank you.  Please verify that I have correctly understood your note.
>>  Your slides from 12-20-2012 applied to SSSD 1.9 and included a
>> reference to the manual pages, which I now understand, as well as
>> this example configuration:
>>
>> sudo_provider = ldap
>> ldap_uri = ldap://ipa.example.com
>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/hostname.example.com
>> ldap_sasl_realm = EXAMPLE.COM
>> krb5_server = ipa.example.com
>>
>> I have used this configuration with good results.  However, reading
>> "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
>>
>> When the SSSD is configured to use the IPA provider, the sudo
>> provider is automatically enabled. The sudo search base is configured
>> to use the compat tree (ou=sudoers,$DC).
>
> I forgot that the configuration was simplified also in 1.9. You can just
> stick with contents of sssd-sudo. I.e. you only need to put sudo to
> "services" (there's an RFE to do it automatically by ipa-client-install)
> and "sudoers: files sss" to /etc/nsswitch.conf
>
>> May I suggest that you change "IPA provider" to "IPA as the ID
>> provider"?  There are a number of providers identified in sssd.conf
>> and most of them are configured to use IPA.
>
> This is a valid point, thanks.

https://fedorahosted.org/sssd/ticket/2085

>
>>
>> Testing shows that the only change now required to sssd.conf is the
>> addition of sudo to the services list in the sssd section [sssd]:
>>
>> services = autofs, nss, pam, ssh, sudo
>>
>> Add to this the one line change in nsswitch.conf
>>
>> sudoers:    files sss
>>
>> and I am done.
>
> Correct.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
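The thread settles on exactly two edits for an IPA client: `sudo` in the `services` list of the `[sssd]` section of sssd.conf, and `sudoers: files sss` in nsswitch.conf. The script below is an added example, not part of this thread or of the SSSD project, that checks a host for both edits. It assumes the default paths /etc/sssd/sssd.conf and /etc/nsswitch.conf (both can be overridden with arguments), parses the files with awk, and ships with constructed sample files so it runs offline; the `services` key is only honoured inside `[sssd]`, since the same key in a domain section would not enable the sudo responder.

```shell
#!/bin/sh
# Added example (not from the thread): verify the two changes the discussion
# ends on. Paths are parameters so the checks can also run against copies.

# Returns 0 when the "services" key inside the [sssd] section lists sudo.
# A "services" key in any other section is ignored on purpose.
check_sssd_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep only the value
            n = split($0, item, /[ \t,]+/)        # comma/space separated list
            for (i = 1; i <= n; i++) if (item[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Returns 0 when the sudoers line of nsswitch.conf names sss as a source.
check_nsswitch_sudoers() {
    awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Runs both checks, prints one line per check, returns 0 only if both pass.
check_sudo_setup() {
    sssd_conf=${1:-/etc/sssd/sssd.conf}
    nss_conf=${2:-/etc/nsswitch.conf}
    rc=0
    if check_sssd_sudo_service "$sssd_conf"; then
        echo "ok:   sudo is listed in [sssd] services ($sssd_conf)"
    else
        echo "FAIL: add sudo to the services line of [sssd] in $sssd_conf"; rc=1
    fi
    if check_nsswitch_sudoers "$nss_conf"; then
        echo "ok:   sudoers line uses sss ($nss_conf)"
    else
        echo "FAIL: set 'sudoers: files sss' in $nss_conf"; rc=1
    fi
    return $rc
}

# Constructed sample files (not taken from any real host) so the example
# runs without touching the live configuration.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
services = autofs, nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
    check_sudo_setup "$dir/sssd.conf" "$dir/nsswitch.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

Run it without arguments on a client to check the live files, or pass copies of sssd.conf and nsswitch.conf as the first and second argument. The order `files sss` on the sudoers line means the local /etc/sudoers is consulted before the rules served by IPA, which is the configuration the thread arrives at.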
