[Freeipa-users] RES: FreeIPA integration with AIX and sudo

Dmitri Pal dpal at redhat.com
Thu Apr 2 13:22:41 UTC 2015


On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:
>
> Hi Yves.
>
> First a little background information regarding sudo on AIX: most sudo 
> packages compiled for AIX are NOT compiled with LDAP support.
>
> Although sudo's documentation states that sudo supports different LDAP 
> implementations, other than OpenLDAP, I suppose it doesn't work well 
> with AIX's LDAP fileset.
>
> That's my guess why most sudo packages for AIX aren't compiled with 
> LDAP support. [BTW, you can check this by running, as root, "sudo -V | 
> grep -i ldap".]
>
> The good news is that Michael Perzl has successfully compiled a sudo 
> package with LDAP support, although it's compiled against OpenLDAP and 
> not AIX's LDAP fileset.
>
> So, here is how I did it:
>
> (1) Go to http://www.perzl.org/aix/ and download the latest versions of 
> the following RPM packages:
>
> - sudo >= 1.8.11
> - gettext >= 0.10.40
> - openldap >= 2.4.23
> - openssl >= 1.0.1j-1
> - zlib
>
> Make sure you don't have the sudo fileset installed or another sudo 
> rpm package.
>
> Don't worry about openssl from this RPM package conflicting with the 
> OpenSSL fileset from AIX; they won't.
>
> Don't worry about openldap from this RPM package conflicting with the 
> ldap fileset from AIX; they won't.
>
> (2) Upload the rpm packages to your AIX LPAR and put them all in a 
> directory; I used /tmp/sudopack. [From here on I assume you are root 
> on your LPAR.]
>
> (3) From the directory where you put your packages run a "rpm -ivh 
> *.rpm --test" and if all goes well proceed without the "--test", 
> otherwise sort out the dependencies and conflicts like the grown man 
> you are :).
>
> (4) Once the rpms are installed, add the following line to the bottom 
> of your /etc/netsvc.conf file: sudoers = files, ldap
>
> I know this is not expected syntax according to IBM's netsvc.conf 
> documentation, but sudo requires it to work with ldap. According to 
> sudo's documentation it uses that line on netsvc.conf to emulate what 
> sudo would expect to find on /etc/nsswitch.conf on a Linux machine 
> [hack much?].
>
> (5) Create a file called /etc/ldap.conf. This has nothing to do with 
> the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP; 
> this is OpenLDAP's config, only used by sudo. Don't worry, this won't 
> conflict with AIX's LDAP functionality.
>
> Add this to your /etc/ldap.conf:
>
> tls_cacert /etc/ipa/ca.crt
> uri ldap://youripaserver.domain.com
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
> bindpw yourclientpassword
> sudoers_base ou=sudoers,dc=domain,dc=com
>
> (6) Create a directory called /etc/ipa, download your CA 
> certificate file and place it there. Make sure to set the 
> directory to mode 755 and the ca.crt file to 644.
>
> (7) And that's pretty much it, no need to edit a single line on 
> /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that 
> comes with the rpm, unchanged.
>
> Log into your LPAR with a domain user and try running "sudo -l", it 
> should output the sudo rules you set on the IPA server.
>
> I hope this helps you and other AIX client users out there.
>

Would you mind creating a howto page on the IPA wiki?

> Best Regards
>
> __________________________________________
>
> Luiz Fernando Vianna da Silva
>
> ITM-I - Operação Cielo
>
> +55 (11) 3626-7126
>
> luiz.vianna at tivit.com.br
>
> T I V I T
> Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
>
> São Paulo - SP - CEP 05804-900
>
> www.tivit.com.br
>
> This message, including its attachments, is confidential and its 
> content is restricted to the addressee. If you have received it by 
> mistake, please return it to the sender and delete it from your files. 
> Any unauthorized use, replication or dissemination of this message or 
> part of it is expressly prohibited. TIVIT is not responsible for the 
> content or the accuracy of this information.
>
> From: Yves Degauquier [mailto:yves at degauquier.net]
> Sent: Wednesday, April 1, 2015 14:03
> To: Luiz Fernando Vianna da Silva
> Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo
>
> Hi Luiz,
>
> I was not able to make it run; I was a bit lost with the LDAP, 
> PAM, LAM configuration, and didn't find any idea with Google...
>
> If you can share the solution or point me to some important point to 
> do, I will be happy.
>
> Thanks in advance,
>
> Best regards,
>
> Yves
>
> On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
>
>     Hello Yves.
>
>     I was browsing the mailing list archives and found your email from
>     December 2013
>     (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
>
>     I have successfully found a way to have sudo on AIX work with the
>     sudo rules on IPA, just like Linux clients.
>
>     Give me a reply if you haven't figured out a way to make this work
>     and I'll send you the solution I came up with.
>
>     Best Regards
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
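
As an added example (not from the post, nor from any of the packages mentioned in it): a POSIX sh script that checks an LPAR against the configuration steps above. The function names, the constructed sample files and the check that /etc/ldap.conf is not world-readable (it holds the bind password in clear text) are mine.

```sh
#!/bin/sh
# Added example (not from the list post): sanity-check the AIX sudo + FreeIPA
# setup described above. Paths are arguments so staged copies can be checked.

# (1) Was sudo built with LDAP support?  Same test as "sudo -V | grep -i ldap".
sudo_has_ldap() { sudo -V 2>/dev/null | grep -qi ldap; }
# (4) /etc/netsvc.conf must carry the non-standard "sudoers = files, ldap" line.
netsvc_has_sudoers() {
    grep -Eq '^[[:space:]]*sudoers[[:space:]]*=[[:space:]]*files[[:space:]]*,[[:space:]]*ldap[[:space:]]*$' "$1"
}
# (5) /etc/ldap.conf must define every key the post lists; prints the missing ones.
ldap_conf_missing_keys() {
    missing=""
    for key in tls_cacert uri binddn bindpw sudoers_base; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$1" || missing="$missing $key"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}
# Permission string as "ls -ld" prints it (works on AIX, which lacks GNU stat).
mode_string() { ls -ld "$1" | cut -c1-10; }

# (6) /etc/ipa must be 755 and ca.crt 644, as the post specifies.
ca_perms_ok() {
    [ "$(mode_string "$1")" = "drwxr-xr-x" ] && [ "$(mode_string "$2")" = "-rw-r--r--" ]
}

# bindpw sits in clear text in /etc/ldap.conf, so the file should not be
# world-readable; sudo is setuid root and can still read it. Column 8 of the
# ls -ld string is the "other" read bit.
ldap_conf_is_private() {
    case "$(mode_string "$1")" in ???????-??) return 0 ;; *) return 1 ;; esac
}
# Builds constructed sample files under $1 that mirror the post's configuration.
make_sample() {
    mkdir -p "$1/ipa" && chmod 755 "$1/ipa"
    printf 'hosts = local, bind\nsudoers = files, ldap\n' > "$1/netsvc.conf"
    printf 'tls_cacert %s/ipa/ca.crt\nuri ldap://youripaserver.domain.com\n' "$1" > "$1/ldap.conf"
    printf 'binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com\nbindpw yourclientpassword\n' >> "$1/ldap.conf"
    printf 'sudoers_base ou=sudoers,dc=domain,dc=com\n' >> "$1/ldap.conf"
    : > "$1/ipa/ca.crt"; chmod 644 "$1/ipa/ca.crt"; chmod 600 "$1/ldap.conf"
}
# Usage: sh check.sh --demo   (or call the functions against /etc on the LPAR).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" && netsvc_has_sudoers "$d/netsvc.conf" \
      && ldap_conf_missing_keys "$d/ldap.conf" >/dev/null && ca_perms_ok "$d/ipa" "$d/ipa/ca.crt" \
      && ldap_conf_is_private "$d/ldap.conf" && echo "sample configuration passes all checks"
    rm -rf "$d"
fi
```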
