William Brown wrote:
Is there a reason that ipa-client-install does not configure nsswitch
for ldap sudoers and automount by default? I would see such a
modification as a feature for this, rather than a negative.
Alternately, this could be added as a module to ipa command to
"autoconfigure" these for a joined host.
In order to implement this, one would need to write into ipa-client-install:
* Add ldap to sudoers and automount in nsswitch
* Generate configuration for Automount in a way similar to
** Automount could setup the location at this point.
* Generate configuration for nss_ldap.conf for sudoers according to
** This could use the static sudo password method as listed, and would
involve adding these lines to the nss_ldap configuration in
ipa-client-install. Some kind of RPC call could be made to retrieve
the sudo password using the admin ticket.
** Alternately, nss_ldap can use kerberos caches for SASL binds.
The latter requires the kerberos cache to be primed and added to cron
with something like:
kinit -k host/client3.ipa.x -c /etc/.ldapsearch
* nss_ldap configuration would be part of the default install,
regardless of SSSD presence (ldap would not be listed in nsswitch for
users or groups however)
Nslcd does not support the sudoers option as far as my research tells
me. It would also mean that nss_ldap becomes a dependency, rather than
optional. Nslcd also supports sasl for ldap.
These are both on our roadmap; we just haven't gotten to them yet:
Of the sudo bindpw or krb5_cc method in nss_ldap, which is preferred?
We currently provide a shared account for use with sudo as a temporary
measure. sssd support is our preferred solution.
Freeipa-devel mailing list
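As an added example, not code from the thread or from ipa-client-install itself: a Python helper that carries out the first step proposed above, appending ldap to the sudoers and automount databases of an nsswitch.conf while leaving passwd and group (and any other database) untouched, creating a missing database line, and staying idempotent across repeated runs. The sample nsswitch.conf content is constructed.

```python
"""
Idempotently add "ldap" to selected nsswitch.conf databases.

Only sudoers and automount get the ldap source; passwd/group stay as they
are, matching the proposal that ldap is not listed for users or groups.
"""
import re

DEFAULT_DATABASES = ("sudoers", "automount")
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$")


def add_ldap_source(text, databases=DEFAULT_DATABASES, source="ldap"):
    """Return nsswitch.conf content with `source` appended to each database
    in `databases`. Existing sources and inline comments are preserved, a
    missing database line is created, and a second run changes nothing."""
    out, seen = [], set()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) in databases:
            db = m.group(1)
            seen.add(db)
            rest, _, comment = m.group(2).partition("#")
            sources = rest.split()
            if source not in sources:
                sources.append(source)
            new_line = f"{db}: {' '.join(sources)}"
            if comment:
                new_line += f" #{comment}"
            out.append(new_line)
        else:
            out.append(line)  # comments, blank lines, other databases
    for db in databases:
        if db not in seen:
            out.append(f"{db}: files {source}")  # files first, then ldap
    return "\n".join(out) + "\n"


def sources_for(text, database):
    """Return the source list configured for one database, [] if absent."""
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == database:
            return m.group(2).partition("#")[0].split()
    return []


# Constructed sample: an SSSD-based client before the change; no automount line.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
group:      files sss
hosts:      files dns
sudoers:    files   # local sudoers file first
"""

if __name__ == "__main__":
    print(add_ldap_source(SAMPLE_NSSWITCH))
```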