William Brown wrote:

Is there a reason that ipa-client-install does not configure nsswitch
for ldap sudoers and automount by default? I would see such a
modification as a feature for this, rather than a negative.

Alternately, this could be added as a module to the ipa command to
"autoconfigure" these for a joined host.

In order to implement this one would need to write into ipa-client-install:

* Add ldap to sudoers and automount in nsswitch
* Generate configuration for Automount in a way similar to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
** Automount could set up the location at this point.
* Generate configuration for nss_ldap.conf for sudoers according to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
** This could use the static sudo password method as listed, and would
involve adding these lines to the nss_ldap configuration in
ipa-client-install. Some kind of RPC call could be made to retrieve
the sudo password using the admin ticket.

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
bindpw testpassword

** Alternately, nss_ldap can use kerberos caches for SASL binds.

sudoers_base ou=SUDOers,dc=x
use_sasl on
krb5_ccname FILE:/etc/.ldapsearch

The latter requires the kerberos cache to be primed and added to cron
with something like:

kinit -k host/client3.ipa.x -c /etc/.ldapsearch

* nss_ldap configuration would be part of the default install,
regardless of SSSD presence (ldap would not be listed in nsswitch for
users or groups however)

Nslcd does not support the sudoers option as far as my research tells
me. It would also mean that nss_ldap becomes a dependency, rather than
optional. Nslcd also supports sasl for ldap.

These are both on our roadmap, we just haven't gotten to them yet:

https://fedorahosted.org/freeipa/ticket/1233
http://freeipa.org/page/SUDO_integration_plans

Of the sudo bindpw or krb5_cc method in nss_ldap which is preferred?

We currently provide a shared account for use with sudo as a temporary measure. sssd support is our preferred solution.

rob
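The two installer steps proposed above (appending ldap to the sudoers and automount databases in nsswitch.conf, and writing the nss_ldap sudoers section) as an added, stand-alone example; this is not code from the thread or from ipa-client-install. It assumes the option names quoted in the thread, an nsswitch.conf sample constructed here, and renders the kerberos credential-cache variant so that no static bind password is written to disk.

```python
"""Idempotent nsswitch.conf edit plus nss_ldap sudoers config rendering."""
import re

# Constructed sample of a client nsswitch.conf: automount is present
# (files only), sudoers has no line at all.
SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
hosts:      files dns
automount:  files
netgroup:   files sss
"""


def add_ldap_to_nsswitch(text, databases=("sudoers", "automount")):
    """Return nsswitch.conf text with 'ldap' listed for each database.

    Existing lines are extended only if 'ldap' is not already a source;
    missing databases get a 'files ldap' line appended. Running the
    function on its own output changes nothing, so repeated installs
    are safe. Other databases (passwd, group, ...) are left untouched.
    """
    seen = set()
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\s*)([A-Za-z_]+)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2) in databases:
            db, sources = m.group(2), m.group(3).split()
            if "ldap" not in sources:
                sources.append("ldap")
            line = "%s%-12s%s" % (m.group(1), db + ":", " ".join(sources))
            seen.add(db)
        out.append(line)
    for db in databases:
        if db not in seen:
            out.append("%-12s%s" % (db + ":", "files ldap"))
    return "\n".join(out) + "\n"


def render_sudoers_ldap_conf(sudoers_base, ccache, cacert="/etc/ipa/ca.crt"):
    """nss_ldap sudoers section using the SASL/krb5 credential cache
    method from the thread (option names assumed from the quoted config);
    TLS peer checking stays on and no binddn/bindpw is emitted."""
    return "\n".join([
        "ssl start_tls",
        "tls_cacertfile %s" % cacert,
        "tls_checkpeer yes",
        "sudoers_base %s" % sudoers_base,
        "use_sasl on",
        "krb5_ccname FILE:%s" % ccache,
    ]) + "\n"
```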
