[Freeipa-users] Is it possible to set up SUDO with redudancy?

Bob harvero at gmail.com
Tue Nov 25 02:23:55 UTC 2014


List more than one LDAP server in your config then.

ldap_uri, ldap_backup_uri (string)
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the "FAILOVER"
section for more information on failover and server redundancy. If neither
option is specified, service discovery is enabled. For more information,
refer to the "SERVICE DISCOVERY" section.

The format of the URI must match the format defined in RFC 2732:

ldap[s]://<host>[:port]

For explicit IPv6 addresses, <host> must be enclosed in brackets []

example: ldap://[fc00::126:25]:389


On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <
william.muriithi at gmail.com> wrote:

> Evening,
>
> After looking at almost all the SUDO documentation I could find, it looks
> like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red
> Hat advises adding to the sssd config file.
>
> services = nss, pam, ssh, pac, sudo
>
> [domain/idm.coe.muc.redhat.com]
> sudo_provider = ldap
> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> krb5_server = grobi.idm.coe.muc.redhat.com
>
> The implication of adding the above is that SUDO would break if the
> hardcoded IPA is not available, even if there is another replica somewhere
> in the network. Is that a correct assumption?
>
> Is there a better way of doing it that I have missed?
>
> Thanks
>
> William
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
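As an added check that is not part of this thread or of SSSD's own tooling: the script below reads an sssd.conf and reports domains whose LDAP sudo provider names only one server, with neither a second entry, an `ldap_backup_uri`, nor the `_srv_` keyword that turns on service discovery for the list. The sample configuration is constructed from the fragment quoted above, and `replica.example.invalid` is a placeholder for a second replica.

```python
import configparser
# Constructed sample modelled on the sssd.conf fragment quoted in the thread (hostnames from
# the thread); "replica.example.invalid" is a placeholder for a second IPA replica.
SINGLE_SERVER_CONF = """
[domain/idm.coe.muc.redhat.com]
sudo_provider = ldap
ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
ldap_sasl_mech = GSSAPI
krb5_server = grobi.idm.coe.muc.redhat.com
"""
REDUNDANT_CONF = SINGLE_SERVER_CONF.replace(
    "ldap_uri = ldap://grobi.idm.coe.muc.redhat.com",
    "ldap_uri = ldap://grobi.idm.coe.muc.redhat.com, ldap://replica.example.invalid",
).replace("krb5_server = grobi.idm.coe.muc.redhat.com",
          "krb5_server = grobi.idm.coe.muc.redhat.com, replica.example.invalid")

def _servers(section, primary, backup):
    """Merge a domain's comma-separated primary and backup server lists into one list."""
    joined = ",".join(section.get(key) or "" for key in (primary, backup))
    return [item.strip() for item in joined.split(",") if item.strip()]

def _single_point_of_failure(servers):
    """One entry and no _srv_ keyword (DNS SRV discovery) means SSSD has nowhere to fail over."""
    return len(servers) == 1 and servers[0] != "_srv_"

def check_sudo_redundancy(conf_text):
    """Return {domain: [(option, problem), ...]}; an empty dict means every domain has failover."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        if not name.startswith("domain/") or parser[name].get("sudo_provider") != "ldap":
            continue
        sect, findings = parser[name], []
        ldap = _servers(sect, "ldap_uri", "ldap_backup_uri")
        # An absent ldap_uri means service discovery is on (see the man page text): no finding.
        if _single_point_of_failure(ldap):
            findings.append(("ldap_uri", f"sudo rules come from one LDAP server only: {ldap[0]}"))
        if (sect.get("ldap_sasl_mech") or "").upper() == "GSSAPI":
            kdc = _servers(sect, "krb5_server", "krb5_backup_server")
            if _single_point_of_failure(kdc):
                findings.append(("krb5_server", f"GSSAPI bind depends on one KDC only: {kdc[0]}"))
        if findings:
            report[name[len("domain/"):]] = findings
    return report
```

With a GSSAPI bind, `krb5_server` is a second single point of failure for sudo lookups, which is why the check reports it alongside `ldap_uri`.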
