[Freeipa-users] RES: FreeIPA integration with AIX and sudo
Dmitri Pal
dpal at redhat.com
Thu Apr 2 13:22:41 UTC 2015
On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:
>
> Hi Yves.
>
> First a little background information regarding sudo on AIX: Most sudo
> packages compiled for AIX are NOT compiled with LDAP support.
>
> Although sudo's documentation states that sudo supports different LDAP
> implementations, other than OpenLDAP, I suppose it doesn't work well
> with AIX's LDAP fileset.
>
> That's my guess why most sudo packages for AIX aren't compiled with
> LDAP support. [BTW, you can check this by running, as root,
> `sudo -V | grep -i ldap`].
>
> The good news is that Michel Perzl has successfully compiled a sudo
> package with LDAP support, although it's compiled against OpenLDAP and
> not AIX's LDAP fileset.
>
> So, here is how I did it:
>
> (1) Go to http://www.perzl.org/aix/ and download the following RPM
> packages in their latest versions:
>
> - sudo >= 1.8.11
> - gettext >= 0.10.40
> - openldap >= 2.4.23
> - openssl >= 1.0.1j-1
> - zlib
>
> Make sure you don't have the sudo fileset installed or another sudo
> rpm package.
>
> Don't worry about openssl from this RPM package conflicting with the
> OpenSSL fileset from AIX, they won't.
>
> Don't worry about openldap from this RPM package conflicting with the
> ldap fileset from AIX, they won't.
>
> (2) Upload the rpm packages to your AIX LPAR and put them all in a
> directory; I used /tmp/sudopack. [From here on I assume you are root
> on your LPAR].
>
> (3) From the directory where you put your packages run a "rpm -ivh
> *.rpm --test" and if all goes well proceed without the "--test",
> otherwise sort out the dependencies and conflicts like the grown man
> you are :).
>
> (4) Once the rpms are installed, add the following line to the bottom
> of your /etc/netsvc.conf file:
>
> sudoers = files, ldap
>
> I know this is not expected syntax according to IBM's netsvc.conf
> documentation, but sudo requires it to work with ldap. According to
> sudo's documentation it uses that line on netsvc.conf to emulate what
> sudo would expect to find on /etc/nsswitch.conf on a Linux machine
> [hack much?].
>
> (5) Create a file called /etc/ldap.conf. This has nothing to do with
> the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP;
> this is OpenLDAP's config, only used by sudo. Don't worry, this won't
> conflict with AIX's LDAP functionality.
>
> Add this to your /etc/ldap.conf:
>
> tls_cacert /etc/ipa/ca.crt
> uri ldap://youripaserver.domain.com
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
> bindpw yourclientpassword
> sudoers_base ou=sudoers,dc=domain,dc=com
>
> (6) Create a directory called /etc/ipa and download your ca
> certificate file and place it there. Make sure to permission the
> directory 755 and the ca.crt file 644.
>
> (7) And that's pretty much it, no need to edit a single line on
> /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that
> comes with the rpm, unchanged.
>
> Log into your LPAR with a domain user and try running "sudo -l", it
> should output the sudo rules you set on the IPA server.
>
> I hope this helps you and other AIX client users out there.
>
Would you mind creating a howto page on the IPA wiki?
> Best Regards,
>
> Luiz Fernando Vianna da Silva
> ITM-I - Operação Cielo
> +55 (11) 3626-7126
> luiz.vianna at tivit.com.br
>
> T I V I T
> Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
> São Paulo - SP - CEP 05804-900
> www.tivit.com.br
>
> This message, including its attachments, is confidential and its
> content is restricted to the addressee. If you have received it by
> mistake, please return it to the addressee and delete it from your
> files. Any unauthorized use, copying or distribution of this message
> or any part of it is expressly prohibited. TIVIT accepts no
> responsibility for the content or the accuracy of this information.
>
> From: Yves Degauquier [mailto:yves at degauquier.net]
> Sent: Wednesday, April 1, 2015 14:03
> To: Luiz Fernando Vianna da Silva
> Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo
>
> Hi Luiz,
>
> I was not able to get it running; I was a bit lost with the LDAP,
> PAM, LAM configuration, and didn't find any idea with Google...
>
> If you can share the solution or point me to some important point to
> do, I will be happy.
>
> Thanks in advance,
>
> Best regards,
>
> Yves
>
> On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
>
> Hello Yves.
>
> I was browsing the mailing list archives and found your email from
> December 2013
> (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
>
> I have successfully found a way to have sudo on AIX work with the
> sudo rules on IPA, just like Linux clients.
>
> Give me a reply if you haven't figured out a way to make this work
> and I'll send you the solution I came up with.
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
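An added check script for the files produced in steps (4) to (6) above; it is not from the thread or from sudo itself. File paths are parameters so it can run against copies, the `example.test` names in the comments are constructed, and the TLS finding follows the `ssl` parameter described in sudoers.ldap(5).

```sh
#!/bin/sh
# Added check script, not part of the thread: audits the files from steps (4)
# to (6) the way a reviewer would before trusting them. File paths are
# parameters so it can be run against copies; nothing here contacts the server.

# Print the value of one key from sudo's ldap.conf (keys are case-insensitive).
ldap_conf_get() {
    awk -v key="$2" 'tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Audit one ldap.conf: one finding per line on stdout, exit status = finding count.
check_sudo_ldap_conf() {
    conf="$1"; n=0
    for key in uri binddn bindpw sudoers_base tls_cacert; do
        [ -n "$(ldap_conf_get "$conf" "$key")" ] || { echo "missing key: $key"; n=$((n + 1)); }
    done
    # Per sudoers.ldap(5), tls_cacert alone does not turn on TLS: without an
    # ldaps:// uri or "ssl start_tls", binddn and bindpw are sent in clear text.
    uri=$(ldap_conf_get "$conf" uri); ssl=$(ldap_conf_get "$conf" ssl)
    case "$uri" in
        ldaps://*) ;;
        *) [ "$ssl" = "start_tls" ] ||
               { echo "cleartext bind: use uri ldaps:// or add 'ssl start_tls'"; n=$((n + 1)); } ;;
    esac
    # The CA file placed in /etc/ipa in step (6) must actually be readable.
    ca=$(ldap_conf_get "$conf" tls_cacert)
    [ -z "$ca" ] || [ -r "$ca" ] || { echo "tls_cacert not readable: $ca"; n=$((n + 1)); }
    # bindpw is a clear-text secret; sudo is setuid root and can still read a 0600 file.
    if [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "ldap.conf is group/world readable but contains bindpw"; n=$((n + 1))
    fi
    return "$n"
}

# Step (4): sudo on AIX looks for "sudoers = files, ldap" in netsvc.conf.
check_netsvc() {
    grep -q '^[[:space:]]*sudoers[[:space:]]*=.*ldap' "$1"
}
```

On the LPAR, run `check_sudo_ldap_conf /etc/ldap.conf; check_netsvc /etc/netsvc.conf` after step (6), alongside the thread's own `sudo -V | grep -i ldap`.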