On Tue, Jun 25, 2013 at 08:56:55AM -0500, Dean Hunter wrote:
> Yay, it works! Once I thumb finger the configuration files correctly.
> 
> May I request that y'all start alphabetizing entries where sequence is
> not important so that it is easier for humans to find a single entry:
> 
> [dean@desktop ~]$ sudo cat /etc/sssd/sssd.conf
> [sudo] password for dean: 
> [sssd]
> config_file_version = 2
> domains = hunter.org
> services = autofs, nss, pam, ssh, sudo
> 
> [domain/hunter.org]
> access_provider = ipa
> auth_provider = ipa
> autofs_provider = ipa
> cache_credentials = True
> chpass_provider = ipa
> id_provider = ipa
> ipa_automount_location = VM
> ipa_domain = hunter.org
> ipa_dyndns_update = True
> ipa_hostname = desktop.hunter.org
> ipa_server = _srv_, ipa.hunter.org
> krb5_store_password_if_offline = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> 

The above is fairly generic (and correct) IPA provider configuration as
produced by ipa-client-install...

> # For the SUDO integration
> krb5_server = ipa.hunter.org
> ldap_sasl_authid = host/desktop.hunter.org
> ldap_sasl_mech = GSSAPI
> ldap_sasl_realm = HUNTER.ORG
> ldap_sudo_search_base = ou=sudoers,dc=hunter,dc=org
> ldap_uri = ldap://ipa.hunter.org
> sudo_provider = ldap

...and the section above is a workaround to make SSSD prior to 1.10 download
the sudo rules from IPA correctly. You won't be needing that part starting
with SSSD 1.10 as we made that the default for "sudo_provider = ipa".

I'm glad the sudo integration works for you now!

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
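
An added example (not part of either message and not SSSD project code): a Python check that finds the pre-1.10 sudo workaround keys named in the thread in an sssd.conf and reports whether a given SSSD version makes them unnecessary. The function names and the shortened sample config are constructed for illustration.

```python
import configparser

# Keys the thread identifies as the pre-1.10 sudo workaround block.
WORKAROUND_KEYS = (
    "krb5_server", "ldap_sasl_authid", "ldap_sasl_mech", "ldap_sasl_realm",
    "ldap_sudo_search_base", "ldap_uri", "sudo_provider",
)

# Constructed sample: a shortened copy of the sssd.conf quoted in the thread.
SAMPLE = """\
[sssd]
domains = hunter.org
services = autofs, nss, pam, ssh, sudo

[domain/hunter.org]
id_provider = ipa
ipa_server = _srv_, ipa.hunter.org
# For the SUDO integration
krb5_server = ipa.hunter.org
ldap_sasl_authid = host/desktop.hunter.org
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = HUNTER.ORG
ldap_sudo_search_base = ou=sudoers,dc=hunter,dc=org
ldap_uri = ldap://ipa.hunter.org
sudo_provider = ldap
"""

def parse_version(text):
    """Turn '1.10.0' into (1, 10) so versions compare numerically."""
    return tuple(int(p) for p in text.split(".")[:2])

def audit(conf_text, sssd_version):
    """Report IPA domains that still carry the LDAP sudo workaround."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    report = {"sudo_responder": "sudo" in services, "domains": {}}
    for section in cp.sections():
        dom = cp[section]
        if not section.startswith("domain/"):
            continue
        if dom.get("id_provider") != "ipa" or dom.get("sudo_provider") != "ldap":
            continue
        report["domains"][section] = {
            "workaround_keys": [k for k in WORKAROUND_KEYS if k in dom],
            # Per the reply above, 1.10+ no longer needs the workaround block.
            "unneeded": parse_version(sssd_version) >= (1, 10),
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, "1.10.0"))
```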
