<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I have a few issues with sudo rules (FreeIPA 4.1.4-4 on Fedora 22)
that I would greatly appreciate some help with. The core of the
issue is that sudo rules fail to work when using ldap instead of ipa
when you assign user groups and host groups to the sudo rule in
place of explicitly adding users and hosts to the sudo rule. The
reason for needing to use ldap over ipa is that the organization
requires 2fa for all users via OTP tokens. We have a mix of cent 5
to 7 systems, and not all can be immediately upgraded, so on cent 5
and 6 nodes ldap must be used instead of ipa to support 2fa.
<br>
Explicitly assigning users and hosts to sudo rules is also
unmanageable: the organization has hundreds of employees and
multiple thousands of servers. Utilizing the host and user groups is
a must.
<br>
<br>
On cent 7 the default sssd.conf generated by FreeIPA works, 2fa
works by default and the sssd.conf is using the ipa directives as
well to parse user and host groups on sudo rules. Everything here
works as expected.
<br>
<br>
In cent 6, to allow 2fa to work, the conf has to be updated to use
ldap instead of ipa. In the process this seems to break the ability
to search user and host groups on sudo rules. Users and hosts
explicitly defined for the sudo rules still work, so the clients can
see the rules; they just do not seem to want to look within the
groups that may be assigned to the rules. I moved the original
sssd.conf created by FreeIPA using the ipa directives back and sudo works
as expected, but 2fa is not possible like this.
<br>
<br>
Cent 5 is entirely incapable of using the sudo rules with user and
host groups since sudo lacks sssd support in cent 5 and depends on
/etc/ldap.conf to work. However, like cent 6, users and hosts
explicitly defined for the sudo rules still work, so I presume
fixing the sudo rules with cent 6 on ldap would fix them here as
well.
<br>
<br>
Can anyone else confirm this behavior, and if so, can anyone suggest
any possible fixes or workarounds? I have attached the modified
Cent 6 and Cent 5 configs for sssd and ldap inline below (first time
mailing; if inline is not ok please let me know what is preferable
for future reference). Currently testing using the following
versions:
<br>
CentOS Linux release 7.1.1503 (Core)
<br>
CentOS release 6.7 (Final)
<br>
CentOS release 5.11 (Final)
<br>
<br>
Cent 6 /etc/sssd/sssd.conf:
<br>
<pre>
#SSSD client configuration file.
[domain/domain]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
sudo_provider = ldap

binddn = &lt;binddn&gt;
bindpw = &lt;bindpw&gt;
scope = sub
sudoers_base = ou=SUDOers,dc=&lt;domain&gt;,dc=com
tls_cacertfile = /etc/ipa/ca.crt
tls_checkpeer = yes
tls_reqcert = demand
ssl = start_tls

ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://&lt;server&gt;.&lt;domain&gt;:389
ldap_search_base = dc=&lt;domain&gt;,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=&lt;domain&gt;,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=&lt;domain&gt;,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=&lt;domain&gt;,dc=com

enumerate = True
cache_credentials = True

ldap_tls_cacertdir = /etc/ipa/
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True

krb5_realm = &lt;DOMAIN&gt;

[sssd]
services = nss, sudo, pam, ssh, autofs
config_file_version = 2
domains = domain

[nss]
homedir_substring = /home
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
</pre>
<br>
Cent 5 /etc/sssd/sssd.conf:
<br>
<pre>
#SSSD client configuration file.
[domain/domain]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap

ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://&lt;server&gt;.&lt;domain&gt;:389
ldap_search_base = dc=&lt;domain&gt;,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=&lt;domain&gt;,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=&lt;domain&gt;,dc=com

enumerate = True
cache_credentials = True

ldap_tls_cacertdir = /etc/ipa/
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True

krb5_realm = &lt;DOMAIN&gt;

[sssd]
services = nss, pam
config_file_version = 2
domains = domain

[nss]
homedir_substring = /home
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]
</pre>
<br>
Cent 5 /etc/ldap.conf:
<br>
<pre>
#LDAP client configuration file.
uri ldap://&lt;server&gt;.&lt;domain&gt;:389
base dc=&lt;domain&gt;,dc=com
ldap_version 3

tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
ssl start_tls

binddn &lt;binddn&gt;
bindpw &lt;bindpw&gt;
timelimit 5
bind_timelimit 15

sudoers_base ou=SUDOers,dc=&lt;domain&gt;,dc=com
</pre>
<br>
Thank you
<br>
Brande
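<br>
<br>
The following is an added illustration, not part of Brande's post and not FreeIPA or SSSD code. It models how a sudo LDAP client has to evaluate sudoRole entries read from the ou=SUDOers compat tree: FreeIPA exposes user groups there as <code>%group</code> and host groups as <code>+hostgroup</code> (netgroup syntax), so a client using the plain ldap sudo provider must be able to resolve both POSIX groups and netgroups, whereas explicit user and host names match with no lookup at all. The LDIF, the group and netgroup maps, and the dc=example,dc=com suffix are all constructed sample data; the evaluator is a simplified model of sudo's matching (it ignores forms such as <code>%#gid</code>, <code>+netgroup</code> on sudoUser, and short-vs-FQDN hostname handling).
<br>
<br>
<pre>
```python
"""Added example: evaluate FreeIPA-style sudoRole entries the way a sudo
LDAP client must, to show why group/hostgroup rules need group *and*
netgroup resolution on the client while explicit entries do not.
All data below is constructed sample data (not from any real directory).
"""

# Constructed LDIF resembling two sudoRole entries under ou=SUDOers.
# FreeIPA's compat tree writes user groups as "%group" and host groups
# as "+hostgroup" (netgroup syntax); dc=example,dc=com is a placeholder.
SAMPLE_LDIF = """\
dn: cn=explicit-rule,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: explicit-rule
sudoUser: alice
sudoHost: web01.example.com
sudoCommand: ALL

dn: cn=group-rule,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: group-rule
sudoUser: %admins
sudoHost: +webservers
sudoCommand: /usr/bin/systemctl
"""

# Constructed views of what the client would have to look up elsewhere:
# POSIX group membership (cn=groups) and netgroup membership (the
# hostgroup-as-netgroup view the compat tree provides).
USER_GROUPS = {"admins": {"alice", "bob"}}
HOST_NETGROUPS = {"webservers": {"web01.example.com", "web02.example.com"}}


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into a list
    of dicts mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_matches(spec, user, user_groups):
    """sudoUser value: literal name, ALL, or %group (needs group lookup)."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in user_groups.get(spec[1:], set())
    return spec == user


def host_matches(spec, host, netgroups):
    """sudoHost value: literal name, ALL, or +netgroup. When the client has
    no netgroup source (netgroups is None), a +hostgroup value can never
    match, so the rule silently disappears for every host."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        if netgroups is None:
            return False
        return host in netgroups.get(spec[1:], set())
    return spec == host


def applicable_rules(entries, user, host, user_groups, netgroups):
    """Return the cn of every sudoRole that applies to (user, host)."""
    names = []
    for entry in entries:
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        user_ok = any(user_matches(u, user, user_groups)
                      for u in entry.get("sudoUser", []))
        host_ok = any(host_matches(h, host, netgroups)
                      for h in entry.get("sudoHost", []))
        if user_ok and host_ok:
            names.append(entry["cn"][0])
    return names


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print("with netgroup resolution:   ",
          applicable_rules(roles, "bob", "web02.example.com", USER_GROUPS, HOST_NETGROUPS))
    print("without netgroup resolution:",
          applicable_rules(roles, "bob", "web02.example.com", USER_GROUPS, None))
```
</pre>
<br>
Run stand-alone, the script shows that the explicit rule is found either way, while the group-based rule only appears when the client can resolve the <code>+webservers</code> netgroup. On a client with <code>sudo_provider = ldap</code>, a practical check of the same condition is whether <code>getent netgroup &lt;hostgroup&gt;</code> resolves for the hostgroup named in the rule; SSSD's ldap provider looks netgroups up under <code>ldap_netgroup_search_base</code>, which is not set in the configs above.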
</body>
</html>