On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
>
> I discovered that using this recipe makes setting up sudo-ldap very simple.
> Even when anonymous binds are disabled.
>
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=domain,dc=com
> URI ldap://auth-ipa.domain.com
> ROOTUSE_SASL on
> SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
> SUDOERS_DEBUG 2
>
I really liked that this configuration didn't need a binddn/bindpw in sudo-ldap.conf, but it only works for me if I do a password login and am issued a Kerberos ticket on the host, and not if I do an ssh pubkey/GSS-API login to the host. Do you have a pam config that issues a Kerberos ticket on sudo auth so that it always works? An even better config would be if we could use the host's keytab to bind to LDAP here.

-jf

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
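Added example, not from either poster: a small POSIX shell check that reads a sudo-ldap.conf from stdin and reports whether it has the properties the recipe above depends on, namely a SASL/GSSAPI bind for the privileged process (so no stored BINDPW is needed) and TLS_REQCERT demand so the server certificate is actually verified against the CA cert. The sample configuration embedded below is constructed from the quoted recipe; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): lint a sudo-ldap.conf for the
# properties the GSSAPI recipe relies on. Config is read from stdin.
# Prints one WARN line per finding, or "ok"; exit status 0 only when clean.

# conf_get KEY: print the value of KEY (case-insensitive) from stdin,
# first match wins, nothing printed if absent. Lines starting with '#'
# never match because their first field is '#'.
conf_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

check_sudo_ldap_conf() {
    conf=$(cat)   # read the whole config once so each check can reuse it
    rc=0
    # 1. A static bind password on disk is exactly what the SASL bind avoids;
    #    anyone who can read the file can bind as that DN.
    if [ -n "$(printf '%s\n' "$conf" | conf_get bindpw)" ]; then
        echo "WARN: BINDPW present; a GSSAPI bind makes a stored password unnecessary"
        rc=1
    fi
    # 2. Without both ROOTUSE_SASL on and SASL_MECH GSSAPI, sudo (running as
    #    root) will not use the Kerberos credentials for the LDAP bind.
    if [ "$(printf '%s\n' "$conf" | conf_get rootuse_sasl)" != "on" ] ||
       [ "$(printf '%s\n' "$conf" | conf_get sasl_mech)" != "GSSAPI" ]; then
        echo "WARN: ROOTUSE_SASL on and SASL_MECH GSSAPI are not both set"
        rc=1
    fi
    # 3. TLS_CACERT alone does nothing unless TLS_REQCERT demands verification.
    if [ "$(printf '%s\n' "$conf" | conf_get tls_reqcert)" != "demand" ]; then
        echo "WARN: TLS_REQCERT is not 'demand'; server certificate is not enforced"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Constructed sample: the recipe quoted in the thread, minus the debug line.
SAMPLE_CONF='TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
ROOTUSE_SASL on
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com'

printf '%s\n' "$SAMPLE_CONF" | check_sudo_ldap_conf
```

Pipe a real /etc/sudo-ldap.conf into check_sudo_ldap_conf to see the same three checks against it.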