On Fri, May 18, 2012 at 2:35 PM, Gelen James <[email protected]> wrote:
> Hi all,
>
> Are the sudo rules applied to IPA clients through nss_ldap, instead of
> sssd?
>
> I tried that on Redhat 6.2 clients, and some documents said that sudo rules
> would work when enabled inside /etc/nslcd.conf, but we need to hack the
> script /etc/init.d/nslcd.conf a little bit -- basically to mess around the
> sudo config statement before/after nslcd daemon runs as the latter still can
> not handle sudo statements very well.
I just got sudo set up on 6.2. You do use /etc/nslcd.conf, but you don't have to install the nslcd daemon to get it working. It just looks to that file for the config. So remove nslcd and then just create the /etc/nslcd.conf from scratch and put in what they specify in the documentation. Make all of the other changes they mention and it will just work!

> Then on 5.8, where nslcd daemon is not available, should we edit
> /etc/ldap.conf for nss_ldap and how? Please shed a light on this. Thanks a
> lot.

Type sudo -V to be sure, but look for the ldap.conf path (on my 5.8 it is /etc/ldap.conf). I haven't set this up yet, but I assume that you can just add the config mentioned in the docs to ldap.conf along with all of the other changes and you're off. As it worked perfectly on 6.2, I'm guessing it will also work on 5.8.

You can look through bugzilla and see the various discussions about all of this, but suffice it to say there has been a fair amount of discussion as to where to locate this sudo ldap config. I think it is headed for /etc/ldap.sudo or something like that in 6.3, but as long as you put it where sudo is looking for it, everything should work.

If you still can't get it to work, Adam Young has written a script that you can look at to explain the process: http://adam.younglogic.com/2011/03/centralized-sudo-with-freeipa/.

Steve

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
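The reply above boils down to two checks: find out which file sudo was built to read its LDAP settings from (`sudo -V`), and make sure that file, plus nsswitch.conf, actually carry what sudo needs. The following POSIX shell script is an added example and is not code from the thread, from FreeIPA or from Adam Young's script. It assumes the `sudo -V` output contains a line of the form `ldap.conf path: /etc/ldap.conf` (as it does on LDAP-enabled builds when run as root), and it uses constructed sample files; the hostname, base DN and bind credentials in the sample config are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Sanity checks for the sudo-over-LDAP
# client setup discussed above: find the config file sudo actually reads, then
# confirm that file and nsswitch.conf carry the directives sudo needs.
# The config values and the `sudo -V` text below are constructed samples.

# `sudo -V`, run as root on an LDAP-enabled build, prints a line of the form
# "ldap.conf path: /etc/ldap.conf". This extracts that path from captured output.
sudo_ldap_conf_path() {
    printf '%s\n' "$1" | sed -n 's/^ldap\.conf path:[ ]*//p' | head -n 1
}

# A sudo-ldap config is only useful if it names the directory (uri) and the
# subtree holding the sudo rules (sudoers_base). Returns 0 when both are present.
check_sudo_ldap_conf() {
    grep -q '^uri[ ]' "$1" && grep -q '^sudoers_base[ ]' "$1"
}

# sudo consults LDAP only when nsswitch.conf lists ldap for the sudoers map,
# e.g. "sudoers: files ldap". Returns 0 when ldap is listed there.
check_nsswitch_sudoers() {
    grep -Eq '^sudoers:.*[ ]ldap([ ]|$)' "$1"
}

# Constructed sample of `sudo -V` output (only the lines that matter here).
SAMPLE_SUDO_V='Sudo version 1.7.4p5
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret'

# Constructed sudo-ldap config fragment written to $1. Hostname, base DN and
# bind credentials are placeholders; real values come from the IPA server.
# FreeIPA publishes sudo rules under ou=sudoers,<suffix> via its compat tree.
write_sample_conf() {
    cat > "$1" <<'EOF'
uri ldap://ipa.example.com
sudoers_base ou=sudoers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw PLACEHOLDER_PASSWORD
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
EOF
}

# Run all checks against constructed files in a scratch directory.
# Prints the path sudo reads and returns 0 only when every check passes.
run_checks() {
    dir=$(mktemp -d) || return 1
    write_sample_conf "$dir/ldap.conf"
    printf 'passwd: files ldap\nsudoers: files ldap\n' > "$dir/nsswitch.conf"
    path=$(sudo_ldap_conf_path "$SAMPLE_SUDO_V")
    echo "sudo reads its LDAP config from: $path"
    if check_sudo_ldap_conf "$dir/ldap.conf" && check_nsswitch_sudoers "$dir/nsswitch.conf"; then
        status=0
    else
        status=1
    fi
    rm -rf "$dir"
    return $status
}
```

On a real client, replace `SAMPLE_SUDO_V` with the captured output of `sudo -V` run as root and point `check_sudo_ldap_conf` at the path it reports; `tls_checkpeer yes` with the IPA CA certificate is what keeps the client from accepting rules from a directory it cannot verify.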
