[Freeipa-users] FreeIPA + Foreman 1.5

Jakub Hrozek jhrozek at redhat.com
Mon Apr 28 08:55:16 UTC 2014


On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> ----- Original Message -----
> > From: "Jan Cholasta" <jcholast at redhat.com>
> > To: "Martin Kosek" <mkosek at redhat.com>, dpal at redhat.com, "Stephen Benjamin" <stbenjam at redhat.com>
> > Cc: freeipa-users at redhat.com
> > Sent: Friday, April 25, 2014 9:44:37 AM
> > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> 
> > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> 
> I got this working, and seems to work across recent Fedora releases too.
> This at least removes the requirement on using the old bind password
> method.  Thanks!

In recent Fedora releases, where the IPA sudo provider is available, the
"legacy" LDAP provider should not be used. There might be problems with
enumeration for instance when combining two different providers.

> 
> Is there a way for sssd to use _srv_ for the krb5_server line?

Yes, it should just work.

> 
> Here's an updated Kickstart snippet:
>   https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> 
> If we know what the Syntax will be for sudo (or will it be default
> in 4.0?), then I can include the logic already not to do it manually.

Sorry, I'm not sure I understand the question? With recent enough
clients (6.6+, 7.0+, any supported Fedora) you should use
sudo_provider=ipa; with older ones you should use sudo_provider=ldap.
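
Added example, not part of the original message or of the linked Kickstart snippet: one way a provisioning script could apply the version rule above and print the matching sssd.conf domain lines. The OS ids, the example.com values, the base DN derived from the domain name and the fallback to ldap for unknown clients are assumptions.

```shell
#!/bin/sh
# Choose the SSSD sudo provider from the client OS and version, following the
# rule in the message above: 6.6+, 7.0+ and Fedora use "ipa", older use "ldap".
# OS ids ("rhel", "centos", "fedora") are assumptions for this example.

# Print "ipa" or "ldap" for an OS id and a version such as "6.5".
sudo_provider_for() {
    os=$1
    major=${2%%.*}
    minor=0
    case $2 in
        *.*) minor=${2#*.}; minor=${minor%%.*} ;;
    esac
    case $os in
        fedora) echo ipa ;;   # assumes a still-supported Fedora release
        rhel|centos)
            if [ "$major" -ge 7 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 6 ]; }; then
                echo ipa
            else
                echo ldap
            fi ;;
        *) echo ldap ;;       # assumption: unknown clients get the older provider
    esac
}

# Print the sudo lines for the [domain/...] section of sssd.conf.
# Args: os version ipa_domain realm client_fqdn ipa_server
sudo_domain_lines() {
    provider=$(sudo_provider_for "$1" "$2")
    echo "sudo_provider = $provider"
    if [ "$provider" = ldap ]; then
        # Assumes the IPA base DN mirrors the domain name (example.com -> dc=example,dc=com).
        base=$(echo "$3" | sed 's/^/dc=/; s/\./,dc=/g')
        # GSSAPI with the host principal replaces the old bind-password method.
        echo "ldap_uri = ldap://$6"
        echo "ldap_sudo_search_base = ou=sudoers,$base"
        echo "ldap_sasl_mech = GSSAPI"
        echo "ldap_sasl_authid = host/$5"
        echo "ldap_sasl_realm = $4"
        echo "krb5_server = _srv_"
    fi
}

# Constructed sample input: an older client that still needs the LDAP provider.
sudo_domain_lines rhel 6.5 example.com EXAMPLE.COM client.example.com ipa.example.com
```

In both cases `sudo` must also be listed in the `services` line of the `[sssd]` section.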



