On 09/11/2013 11:21 AM, Pavel Březina wrote:
On 09/09/2013 07:32 PM, Dean Hunter wrote:

On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
On 09/08/2013 01:35 AM, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
Are [1] and [2] still the current and best sources of
information for configuring sudo for use with the current
release of FreeIPA on Fedora 19?



There is also the Identity_Management_Guide as part of the RHEL
product documentation:

This and the pdf above are the latest word in this area.

Hi, those documents describe configuration for SSSD 1.9. Although
it is still valid, we have simplified configuration for IPA
provider in 1.10.

The most up to date document for your version of SSSD is always
man sssd-sudo.

_______________________________________________ Freeipa-users
mailing list Freeipa-users@redhat.com

Thank you.  Please verify that I have correctly understood your note.
 Your slides from 12-20-2012 applied to SSSD 1.9 and included a
reference to the manual pages, which I now understand, as well as
this example configuration:

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com

I have used this configuration with good results.  However, reading
"man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:

When the SSSD is configured to use the IPA provider, the sudo
provider is automatically enabled. The sudo search base is configured
to use the compat tree (ou=sudoers,$DC).

I forgot that the configuration was also simplified in 1.9. You can just
stick with the contents of sssd-sudo, i.e. you only need to add sudo to
"services" (there's an RFE to do it automatically by ipa-client-install)
and "sudoers: files sss" to /etc/nsswitch.conf.

May I suggest that you change "IPA provider" to "IPA as the ID
provider"?  There are a number of providers identified in sssd.conf
and most of them are configured to use IPA.

This is a valid point, thanks.


Testing shows that the only change now required to sssd.conf is the
addition of sudo to the services list in the sssd section [sssd]:

services = autofs, nss, pam, ssh, sudo

Add to this the one line change in nsswitch.conf

sudoers:    files sss

and I am done.
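
The end state described in the last message, turned into a check (an added example, not part of the thread). The function names are made up for this example, and the default path /etc/sssd/sssd.conf is assumed as the usual location on an SSSD client.

```shell
#!/bin/sh
# Added example: check the two client-side settings named in this thread.
# File paths are arguments so the checks also run against copies.

# True if "sudo" is listed in the services option of the [sssd] section.
sssd_has_sudo_service() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                  # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# True if the sudoers database in nsswitch.conf lists the sss source.
nsswitch_sudoers_has_sss() {
    awk '
        { sub(/#.*/, ""); sub(/:/, ": ") }      # drop comments, split "db:src"
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Report both checks; defaults are the usual locations on an SSSD client.
check_ipa_sudo_client() {
    rc=0
    sssd_has_sudo_service "${1:-/etc/sssd/sssd.conf}" ||
        { echo "FAIL: sudo is not in services under [sssd]"; rc=1; }
    nsswitch_sudoers_has_sss "${2:-/etc/nsswitch.conf}" ||
        { echo "FAIL: sudoers line in nsswitch.conf does not list sss"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: sudo service enabled and sudoers uses sss"
    return "$rc"
}

# Constructed sample files holding the settings quoted in the thread.
demo=$(mktemp -d)
printf '[sssd]\nservices = autofs, nss, pam, ssh, sudo\n' > "$demo/sssd.conf"
printf 'sudoers:    files sss\n' > "$demo/nsswitch.conf"
check_ipa_sudo_client "$demo/sssd.conf" "$demo/nsswitch.conf"
rm -rf "$demo"
```

Against the live files, call check_ipa_sudo_client with no arguments as root, since sssd.conf is normally readable only by root.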

