[Freeipa-users] Is it possible to set up SUDO with redudancy

William Muriithi william.muriithi at gmail.com
Wed Nov 26 00:49:38 UTC 2014




List more than 1 LDAP server in your config then.

ldap_uri, ldap_backup_uri (string)
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the "FAILOVER"
section for more information on failover and server redundancy. If neither
option is specified, service discovery is enabled. For more information,
refer to the "SERVICE DISCOVERY" section.

The format of the URI must match the format defined in RFC 2732:

ldap[s]://<host>[:port]

For explicit IPv6 addresses, <host> must be enclosed in brackets []

example: ldap://[fc00::126:25]:389

-------------------------

Ah, thanks. Now Google is helpful when I try the 'failover' keyword. I see it in the mailing list but not in the docs.

Thank you.

William 





On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <william.muriithi at gmail.com> wrote:

> Evening,
>
> After looking at almost all the SUDO documentation I could find, it looks
> like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is
> what Red Hat advises adding to the sssd config file.
>
> services = nss, pam, ssh, pac, sudo
>
> [domain/idm.coe.muc.redhat.com]
> sudo_provider = ldap
> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> krb5_server = grobi.idm.coe.muc.redhat.com
>
> The implication of adding the above is that SUDO would break if the
> hardcoded IPA server is not available, even if there is another replica
> somewhere in the network. Is that a correct assumption?
>
> Is there a better way of doing it that I have missed?
>
> Thanks
>
> William
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
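As an added example (not code from the thread or from SSSD), a small Python parser for ldap_uri / ldap_backup_uri values in the RFC 2732 form quoted above: it returns the order in which SSSD tries the servers (all primaries first, then the backups, per the sssd-ldap(5) FAILOVER section), rejects an IPv6 literal that is not bracketed, and flags the single-server setup the question worries about. The example.test hostnames are made up.

```python
import re
from dataclasses import dataclass
from typing import List

# ldap[s]://<host>[:port], RFC 2732 style: an explicit IPv6 address must be
# enclosed in brackets; anything else is a hostname or an IPv4 literal.
_URI_RE = re.compile(
    r"^(?P<scheme>ldaps?)://"
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^\[\]:/]+))"
    r"(?::(?P<port>\d{1,5}))?/?$"
)


@dataclass(frozen=True)
class LdapServer:
    scheme: str
    host: str
    port: int
    backup: bool  # True when the server came from ldap_backup_uri


def parse_uri(uri: str, backup: bool = False) -> LdapServer:
    """Parse one URI; raise ValueError on anything SSSD would not accept."""
    m = _URI_RE.match(uri.strip())
    if not m:
        raise ValueError(f"malformed LDAP URI: {uri!r}")
    host = m.group("v6") or m.group("host")
    default_port = 636 if m.group("scheme") == "ldaps" else 389
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {uri!r}")
    return LdapServer(m.group("scheme"), host, port, backup)


def failover_order(ldap_uri: str, ldap_backup_uri: str = "") -> List[LdapServer]:
    """Servers in the order SSSD tries them: every primary in the order
    listed, then every backup. An empty list means neither option is set,
    in which case SSSD falls back to DNS service discovery."""
    primaries = [parse_uri(u) for u in ldap_uri.split(",") if u.strip()]
    backups = [parse_uri(u, backup=True)
               for u in ldap_backup_uri.split(",") if u.strip()]
    return primaries + backups


def has_redundancy(servers: List[LdapServer]) -> bool:
    """The thread's concern: one hardcoded server is a single point of
    failure for sudo rule lookups; two or more distinct hosts are not."""
    return len({(s.host, s.port) for s in servers}) >= 2
```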

------------------------------

Message: 2
Date: Tue, 25 Nov 2014 14:43:28 +1000
From: Fraser Tweedale <ftweedal at redhat.com>
To: Rob Crittenden <rcritten at redhat.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] curious about monkeysphere
Message-ID: <20141125044328.GA8412 at dhcp-40-8.bne.redhat.com>
Content-Type: text/plain; charset=utf-8

On Mon, Nov 24, 2014 at 11:04:50AM -0500, Rob Crittenden wrote:
> Outback Dingo wrote:
> > I'm curious about monkeysphere http://web.monkeysphere.info/ and how
> > it might compare, integrate, enhance freeipa ..... any thoughts, or
> > ideas, or is what it does basically already covered via freeipa?
> > 
> > 
> 
> There does seem to be a fair bit of overlap with the SSH key
> distribution/validation.
> 
> We attempt CA fetching in a similar way, by using a trusted mechanism to
> fetch it. We use Kerberos when available.
> 
> rob
> 
The projects have very different goals - Monkeysphere is
web-of-trust whereas FreeIPA uses centralised authentication and a
chain-of-trust PKI - so I do not see much scope for direct
integration.

Rob's point about some of the underlying mechanisms being similar is
accurate - a cross-pollination of ideas or implementations could
reduce overall effort.

Fraser



------------------------------

Message: 3
Date: Tue, 25 Nov 2014 08:07:46 +0100
From: Martin Kosek <mkosek at redhat.com>
To: Rolf Nufable <rolf_16_nufable at yahoo.com>,
"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Don't know what To do with this (error?? )
Message-ID: <54742AC2.3060002 at redhat.com>
Content-Type: text/plain; charset=utf-8

On 11/25/2014 03:07 AM, Rolf Nufable wrote:
> Good morning
> So I've solved my time error (I think) in my Fedora 20, but even though I have the correct time and configured the browser for Kerberos authentication I still can't log in to my admin account in the web UI.
> Is there a workaround for this?

Well, you can log in with your user name and password if GSSAPI does not work.
Or is that part also not working? If this is the case, I would suggest:

- check that the ipa_memcached service is running
- check that there are no SELinux errors in audit.log (or just try in SELinux
permissive mode)

If user+password login works and GSSAPI does not, make sure that after you
fixed the time on your FreeIPA server, you also have time synchronized on the
machine with the browser, so that there is no time difference bigger than
1-2 minutes.

> Plus I can't find any solutions online on this matter, so I'm really confused about why this is happening in my FreeIPA :<
> TIA : )



------------------------------

Message: 4
Date: Mon, 24 Nov 2014 23:12:23 -0800
From: Rolf Nufable <rolf_16_nufable at yahoo.com>
To: Martin Kosek <mkosek at redhat.com>, "freeipa-users at redhat.com"
<freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Don't know what To do with this (error?? )
Message-ID: <1416899543.9132.YahooMailAndroidMobile at web161606.mail.bf1.yahoo.com>
Content-Type: text/plain; charset="us-ascii"

Well, I tried to kinit the admin account and then reboot the server.. then after that it worked, the admin account could then log in to the IPA web UI.. but does this mean that every time I want to log in to the UI I need to kinit manually?

Sent from Yahoo Mail on Android


------------------------------

Message: 5
Date: Tue, 25 Nov 2014 08:55:04 +0100
From: Martin Kosek <mkosek at redhat.com>
To: Rolf Nufable <rolf_16_nufable at yahoo.com>,
"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Don't know what To do with this (error?? )
Message-ID: <547435D8.3080400 at redhat.com>
Content-Type: text/plain; charset=windows-1252

On 11/25/2014 08:12 AM, Rolf Nufable wrote:
> Well, I tried to kinit the admin account and then reboot the server.. then after that it worked, the admin account could then log in to the IPA web UI.. but does this mean that every time I want to log in to the UI I need to kinit manually?
> 
> Sent from Yahoo Mail on Android

Well, you need to have a ticket on your client machine (the one with the
browser) to be able to authenticate via Kerberos. You can check that with

# klist

To get the ticket, you can either run kinit manually as you said or let
SSSD get it for you as you authenticate/login to your client machine. AFAIK,
this is the default behavior.

Martin



------------------------------

Message: 6
Date: Tue, 25 Nov 2014 07:59:27 +0000 (UTC)
From: Rolf Nufable <rolf_16_nufable at yahoo.com>
To: Martin Kosek <mkosek at redhat.com>, "freeipa-users at redhat.com"
<freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] Don't know what To do with this (error?? )
Message-ID: <1156877372.623540.1416902367456.JavaMail.yahoo at jws10635.mail.bf1.yahoo.com>

Content-Type: text/plain; charset="utf-8"

Oh, sorry, I didn't say that I was using the FreeIPA server for this problem. Anyway, thanks for the replies :) and before?
Thanks, really appreciate it :D


------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

End of Freeipa-users Digest, Vol 76, Issue 110
**********************************************



