On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote:
[snip]
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap://validserver ldap://validserver2

This may be unrelated, but keep in mind that these should be FQDNs, because that's what the directory server SSL certificates have in them, and a client will check that the name in the certificate the server uses to identify itself matches the name that the client "thinks" the server has, which the client derives from the URI values given here.

> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com

Assuming your domain name is "UNIX.MAGELLANHEALTH.COM" and you haven't changed the configuration for the Schema Compatibility plugin, this looks correct. If your domain name is something else, you'll need to change this setting to "ou=SUDOers,$basedn", where "basedn" is the value listed in your server's /etc/ipa/default.conf file.

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
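As an added check, not part of the thread or of FreeIPA's own tooling: a small Python lint for the two points raised above, flagging `uri` hosts that are not FQDNs (which will fail the `tls_checkpeer` name match against a certificate issued for the FQDN) and a `sudoers_base` that does not sit directly under the IPA base DN. The sample configuration and the base DN are constructed from the values quoted in the thread.

```python
"""Lint a sudo-ldap.conf for the two problems discussed in the thread."""
from urllib.parse import urlsplit

# Constructed sample, modelled on the config quoted in the thread.
SAMPLE_CONF = """\
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
bindpw validpassword
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://validserver ldap://validserver2
sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
"""
BASEDN = "dc=unix,dc=magellanhealth,dc=com"  # assumed value from /etc/ipa/default.conf


def parse_conf(text):
    """Return {key: value} for 'key value' lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def short_uri_hosts(conf):
    """Hostnames in 'uri' that are not FQDNs (no dot), in config order."""
    hosts = [urlsplit(u).hostname or "" for u in conf.get("uri", "").split()]
    return [h for h in hosts if "." not in h]


def sudoers_base_ok(conf, basedn):
    """With the default Schema Compatibility plugin, expect ou=SUDOers,<basedn>."""
    want = ("ou=sudoers," + basedn).replace(" ", "").lower()
    return conf.get("sudoers_base", "").replace(" ", "").lower() == want


def lint(text, basedn):
    """Return a list of human-readable problems found in the config text."""
    conf = parse_conf(text)
    problems = []
    if conf.get("tls_checkpeer", "").lower() == "yes":
        for h in short_uri_hosts(conf):
            problems.append(f"uri host '{h}' is not an FQDN; TLS peer check will not match")
    if not sudoers_base_ok(conf, basedn):
        problems.append("sudoers_base is not ou=SUDOers,<basedn>")
    return problems


if __name__ == "__main__":
    for p in lint(SAMPLE_CONF, BASEDN):
        print(p)
```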