Is there a reason that ipa-client-install does not configure nsswitch for ldap sudoers and automount by default? I would see such a modification as a feature for this, rather than a negative.

Alternately, this could be added as a module to the ipa command to "autoconfigure" these for a joined host. In order to implement this, one would need to write into ipa-client-install:

* Add ldap to sudoers and automount in nsswitch

* Generate configuration for Automount in a way similar to
  https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html

  ** Automount could set up the location at this point.

* Generate configuration for nss_ldap.conf for sudoers according to
  https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html

  ** This could use the static sudo password method as listed, and would involve adding these lines to the nss_ldap configuration in ipa-client-install. Some kind of RPC call could be made to retrieve the sudo password using the admin ticket.

       ssl start_tls
       tls_cacertfile /etc/ipa/ca.crt
       tls_checkpeer yes
       binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
       bindpw testpassword

  ** Alternately, nss_ldap can use kerberos caches for SASL binds.

       sudoers_base ou=SUDOers,dc=x
       use_sasl on
       krb5_ccname FILE:/etc/.ldapsearch

     The latter requires the kerberos cache to be primed and added to cron with something like:

       kinit -k host/client3.ipa.x -c /etc/.ldapsearch

* nss_ldap configuration would be part of the default install, regardless of SSSD presence (ldap would not be listed in nsswitch for users or groups, however)

Nslcd does not support the sudoers option as far as my research tells me. It would also mean that nss_ldap becomes a dependency, rather than optional. Nslcd also supports sasl for ldap.

Of the sudo bindpw or krb5_cc method in nss_ldap, which is preferred?

-- 
Sincerely,

William Brown
Research and Teaching, Information and Technology Services
The University of Adelaide
CRICOS Provider Number 00123M

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
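As an added example (not code from the original post or from the FreeIPA project), a POSIX shell sketch of the two client-side pieces the post proposes: an idempotent edit adding ldap to the sudoers and automount nsswitch entries, and the nss_ldap fragment for the kerberos-cache SASL variant together with the cron line that keeps that cache primed. The host name client3.ipa.x and cache path follow the post; the base DN dc=ipa,dc=x, the hourly schedule and the sample nsswitch.conf are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeIPA: idempotently add
# "ldap" to the sudoers/automount entries of an nsswitch.conf and emit the
# nss_ldap fragment for the SASL/krb5 ccache method plus its cron refresh.
# Base DN, schedule and sample nsswitch.conf are constructed placeholders.
set -e
# add_ldap_source FILE DB: append "ldap" to DB's line in FILE, creating the
# line if absent; a no-op when ldap is already listed on that line.
add_ldap_source() {
    awk -v db="$2" '
        $1 == (db ":") {
            found = 1
            if (!match(" " $0 " ", /[ \t]ldap[ \t]/)) $0 = $0 " ldap"
        }
        { print }
        END { if (!found) print db ": files ldap" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# ldap_sudo_fragment BASE_DN CCACHE: nss_ldap settings for sudoers lookups
# bound over SASL from a credential cache, so no static bindpw sits on disk.
ldap_sudo_fragment() {
    cat <<EOF
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
sudoers_base ou=SUDOers,$1
use_sasl on
krb5_ccname FILE:$2
EOF
}
# kinit_cron_line FQDN CCACHE: hourly crontab entry refreshing the cache from
# the host keytab so the SASL bind keeps working after the ticket expires.
kinit_cron_line() {
    printf '0 * * * * root kinit -k host/%s -c %s\n' "$1" "$2"
}
demo() {
    tmp=$(mktemp -d)
    # Constructed sample nsswitch.conf; SSSD already serves users and groups.
    printf 'passwd:   files sss\ngroup:    files sss\nsudoers:  files\n' > "$tmp/nsswitch.conf"
    add_ldap_source "$tmp/nsswitch.conf" sudoers
    add_ldap_source "$tmp/nsswitch.conf" automount
    add_ldap_source "$tmp/nsswitch.conf" sudoers    # second run changes nothing
    cat "$tmp/nsswitch.conf"
    ldap_sudo_fragment dc=ipa,dc=x /etc/.ldapsearch
    kinit_cron_line client3.ipa.x /etc/.ldapsearch
    rm -r "$tmp"
}
demo
```

Only the sudoers and automount lines gain an ldap source; passwd and group are left to SSSD, matching the post's note that ldap would not be listed for users or groups.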