<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 05/13/2015 01:12 PM, Andrey Ptashnik
      wrote:<br>
    </div>
    <blockquote
      cite="mid:AF8DD2D5-07EA-4139-A95F-9EE1251ADFF3@cccis.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div>
        <div>
          <div>Thank you everyone for your help!</div>
          <div><br>
          </div>
          <div>I found two ways to implement it in the IPA server and tested
            them. Both methods work in my current setup, RHEL 7.1 and
            IPA server 4.1.0. The first method allows a user to run the default
            terminal as the target user (bash in my case). The second method
            uses the su command, but runs it as the root user. So,
            depending on security preferences, either one could satisfy
            admins.</div>
          <div><br>
          </div>
          <div>
            <div>===================================</div>
            <div><br>
            </div>
            <div><b>Options:</b></div>
            <div>!authenticate</div>
            <div><br>
            </div>
            <div><b>Who:</b></div>
            <div>user1</div>
            <div><br>
            </div>
            <div><b>Access this Host:</b></div>
            <div>webserver</div>
            <div><br>
            </div>
            <div><b>Run Commands:</b></div>
            <div>/usr/bin/sudo</div>
            <div>/bin/bash</div>
            <div><br>
            </div>
            <div><b>As Whom:</b></div>
            <div>oracle (external user type, as oracle is created locally
              only)</div>
            <div><br>
            </div>
            <div>How it works:</div>
            <div>[user1@webserver ~]$ <b>sudo -u oracle bash -i</b></div>
            <div>[oracle@webserver user1]$ </div>
            <div><br>
            </div>
            <div>===================================</div>
            <div><br>
            </div>
            <div><b>Options:</b></div>
            <div>!authenticate</div>
            <div><br>
            </div>
            <div><b>Who:</b></div>
            <div>user1</div>
            <div><br>
            </div>
            <div><b>Access this Host:</b></div>
            <div>webserver</div>
            <div><br>
            </div>
            <div><b>Run Commands:</b></div>
            <div>/usr/bin/sudo</div>
            <div>/bin/su - oracle</div>
            <div><br>
            </div>
            <div><b>As Whom:</b></div>
            <div>root</div>
            <div><br>
            </div>
            <div>How it works:</div>
            <div>[user1@webserver ~]$ <b>sudo su - oracle</b></div>
            <div>Last login: Wed May 13 11:41:52 CDT 2015 on pts/0</div>
            <div>[oracle@webserver ~]$ </div>
            <div><br>
            </div>
            <div>===================================</div>
          </div>
          <div>
            <div id="">
              <div><br>
              </div>
              <div>For some reason the <b>NOPASSWD:</b> option was not
                recognized correctly by the IPA server. This is the output I
                was getting:</div>
              <div><br>
              </div>
              <div>
                <div>[user1@webserver ~]$ sudo su - oracle</div>
                <div>sudo: unknown defaults entry `NOPASSWD:'</div>
                <div>Last login: Tue May 12 15:00:31 CDT 2015 on pts/1</div>
                <div>Last failed login: Wed May 13 10:46:52 CDT 2015 on
                  pts/0</div>
                <div>There were 7 failed login attempts since the last
                  successful login.</div>
                <div>[oracle@webserver ~]$</div>
              </div>
              <div><br>
              </div>
              <div>Regards,</div>
              <div><br>
              </div>
              <div>Andrey Ptashnik</div>
              <div><br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    Thank you!<br>
    Would you mind turning it into a HowTo on the freeIPA wiki?<br>
    <br>
    <br>
    <blockquote
      cite="mid:AF8DD2D5-07EA-4139-A95F-9EE1251ADFF3@cccis.com"
      type="cite">
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:12pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span><Gould>,
          Joshua <<a moz-do-not-send="true"
            href="mailto:Joshua.Gould@osumc.edu">Joshua.Gould@osumc.edu</a>><br>
          <span style="font-weight:bold">Date: </span>Tuesday, May 12,
          2015 at 9:41 PM<br>
          <span style="font-weight:bold">To: </span>"<a
            moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>"
          <<a moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>,
          "<a moz-do-not-send="true"
            href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>"
          <<a moz-do-not-send="true"
            href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br>
          <span style="font-weight:bold">Subject: </span>Re:
          [Freeipa-users] Allow user or group to switch user without
          password and not becoming root<br>
        </div>
        <div><br>
        </div>
        <div>
          <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
            -webkit-line-break: after-white-space; color: rgb(0, 0, 0);
            font-size: 14px; font-family: Calibri, sans-serif;">
            <div>For the NOPASSWD option, I found that using <span
                style="font-family: 'liberation mono', 'bitstream vera
                mono', 'dejavu mono', monospace; font-size: 0.9em;
                line-height: 1.29em; orphans: 2; white-space: pre-wrap;
                widows: 2; background-color: rgb(245, 245, 245);">!authenticate</span> 
              in the sudo option is what IPA wants instead.</div>
            <div><br>
            </div>
            <div>
              <pre class="screen" style="widows: 2; orphans: 2; line-height: 1.29em; font-family: 'liberation mono', 'bitstream vera mono', 'dejavu mono', monospace; border: 1px solid rgb(170, 170, 170); margin-bottom: 0.3em; padding: 0.5em 1em; white-space: pre-wrap; word-wrap: break-word; font-size: 0.9em; border-top-left-radius: 11px; border-top-right-radius: 11px; border-bottom-right-radius: 11px; border-bottom-left-radius: 11px; page-break-inside: avoid; background-color: rgb(245, 245, 245);">$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-----------------------------------------------------
Added option "!authenticate" to Sudo rule "readfiles"
-----------------------------------------------------</pre>
            </div>
            <div><br>
            </div>
            <span id="OLK_SRC_BODY_SECTION">
              <div style="font-family:Calibri; font-size:11pt;
                text-align:left; color:black; BORDER-BOTTOM: medium
                none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
                PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
                #b5c4df 1pt solid; BORDER-RIGHT: medium none;
                PADDING-TOP: 3pt">
                <span style="font-weight:bold">From: </span>Dmitri Pal
                <<a moz-do-not-send="true"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>
                <span style="font-weight:bold">Organization: </span>Red
                Hat<br>
                <span style="font-weight:bold">Reply-To: </span>"<a
                  moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>"
                <<a moz-do-not-send="true"
                  href="mailto:dpal@redhat.com">dpal@redhat.com</a>><br>
                <span style="font-weight:bold">Date: </span>Tuesday,
                May 12, 2015 at 5:32 PM<br>
                <span style="font-weight:bold">To: </span>"<a
                  moz-do-not-send="true"
                  href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>"
                <<a moz-do-not-send="true"
                  href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br>
                <span style="font-weight:bold">Subject: </span>Re:
                [Freeipa-users] Allow user or group to switch user
                without password and not becoming root<br>
              </div>
              <div><br>
              </div>
              <div>
                <div text="#000000" bgcolor="#FFFFFF">
                  <div class="moz-cite-prefix">On 05/12/2015 04:44 PM,
                    Andrey Ptashnik wrote:<br>
                  </div>
                  <blockquote
                    cite="mid:812E1DF1-22C5-49F2-9AB4-9E2E765E1977@cccis.com"
                    type="cite">
                    <div>Hello Team,</div>
                    <div><br>
                    </div>
                    <div>We have RHEL 7.1 and IPA server 4.1.0 in our
                      environment, as well as a stack of Oracle software
                      that requires the existence of local passwordless users
                      like weblogic and oracle. </div>
                    <div>Users log in to servers via domain accounts at
                      IPA server.</div>
                    <div><br>
                    </div>
                    <div>I’m trying to configure Sudo policy in IPA
                      server that will allow users in the company to log
                      in to servers in IPA domain and switch to weblogic
                      or oracle user without having to enter any
                      passwords, but also without increasing their
                      privileges to root.</div>
                    <div>Using a plain /etc/sudoers file it can be
                      accomplished with something like the following:</div>
                    <div><br>
                    </div>
                    <div>%users ALL = (root) </div>
                  </blockquote>
                  <br>
                  Users will be the "who" of the IPA sudo rule<br>
                  <br>
                  <blockquote
                    cite="mid:812E1DF1-22C5-49F2-9AB4-9E2E765E1977@cccis.com"
                    type="cite">
                    <div>NOPASSWD:</div>
                  </blockquote>
                  <br>
                  This will be an option that you would put into the
                  sudo rule<br>
                  <br>
                  <blockquote
                    cite="mid:812E1DF1-22C5-49F2-9AB4-9E2E765E1977@cccis.com"
                    type="cite">
                    <div>/bin/su - oracle <br>
                    </div>
                  </blockquote>
                  <br>
                  This will be the command. You create a command and
                  then reference it in the rule.<br>
                  <br>
                  At least this is what I would try.<br>
                  <br>
                  <blockquote
                    cite="mid:812E1DF1-22C5-49F2-9AB4-9E2E765E1977@cccis.com"
                    type="cite">
                    <div><br>
                    </div>
                    <div>How can I configure this behavior in IPA
                      server?</div>
                    <div><br>
                    </div>
                    <div>
                      <div id="">
                        <div>Regards,</div>
                        <div><br>
                        </div>
                        <div>Andrey</div>
                        <div><br>
                        </div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                  <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
                </div>
              </div>
            </span></div>
        </div>
      </span>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
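<p>The mapping Dmitri sketches above (sudoers "who", tag and command onto IPA rule parts), and the reason Andrey's <b>NOPASSWD:</b> failed while Joshua's <b>!authenticate</b> worked, as an added example that is not from the thread or from the FreeIPA project: sudoers-LDAP stores tags as sudoOption flags, so the translator below converts a sudoers line into IPA rule components, emits the <code>ipa</code> CLI calls that would build the rule (generated as strings only, never run; the rule name and the lookup of the runas user as an external user are assumptions), and flags the trade-off between the two working methods.</p>

```python
import shlex

# sudoers tags are stored by sudoers-LDAP (and so by IPA) as sudoOption flags;
# that is why "NOPASSWD:" was rejected as a Defaults entry and "!authenticate" worked.
TAG_TO_OPTION = {"NOPASSWD:": "!authenticate", "PASSWD:": "authenticate",
                 "NOEXEC:": "noexec", "SETENV:": "setenv"}

def parse_sudoers_spec(line):
    """Parse 'who host = (runas) TAG: /cmd args' into IPA rule components."""
    left, right = line.split("=", 1)
    who, host = left.split()
    rest = right.split()
    runas = "root"                       # sudo's default when no (runas) is given
    if rest and rest[0].startswith("("):
        runas = rest.pop(0).strip("()")
    options = []
    while rest and rest[0] in TAG_TO_OPTION:
        options.append(TAG_TO_OPTION[rest.pop(0)])
    return {"who": who, "host": host, "runas": runas,
            "options": options, "command": " ".join(rest)}

def ipa_commands(name, rule):
    """Return the ipa CLI calls (as strings) that build the equivalent rule.
    Only generated here; a real run needs an admin Kerberos ticket."""
    cmd, who, host = rule["command"], rule["who"], rule["host"]
    calls = [["ipa", "sudocmd-add", cmd], ["ipa", "sudorule-add", name]]
    # "%group" in sudoers maps to --groups, a bare name to --users
    if who.startswith("%"):
        calls.append(["ipa", "sudorule-add-user", name, "--groups=" + who[1:]])
    else:
        calls.append(["ipa", "sudorule-add-user", name, "--users=" + who])
    if host == "ALL":
        calls.append(["ipa", "sudorule-mod", name, "--hostcat=all"])
    else:
        calls.append(["ipa", "sudorule-add-host", name, "--hosts=" + host])
    calls.append(["ipa", "sudorule-add-allow-command", name, "--sudocmds=" + cmd])
    # a runas user unknown to IPA (oracle, root) is stored as an external user
    calls.append(["ipa", "sudorule-add-runasuser", name, "--users=" + rule["runas"]])
    for opt in rule["options"]:
        calls.append(["ipa", "sudorule-add-option", name, "--sudooption=" + opt])
    return [shlex.join(c) for c in calls]

def audit(rule):
    """Flag the trade-off the thread weighs: a passwordless rule whose target is root."""
    findings = []
    if "!authenticate" in rule["options"] and rule["runas"] == "root":
        findings.append("passwordless rule runs as root; only the exact command "
                        "string %r limits it, consider running the shell directly "
                        "as the target user instead" % rule["command"])
    return findings
```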
  </body>
</html>