On Wed, 2013-09-11 at 11:21 +0200, Pavel Březina wrote:
> On 09/09/2013 07:32 PM, Dean Hunter wrote:
> >
> > On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
> >> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
> >>> On 09/07/2013 02:11 PM, Christian Horn wrote:
> >>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> >>>>> Are [1] and [2] still the current and best sources of
> >>>>> information for configuring sudo for use with the current
> >>>>> release of FreeIPA on Fedora 19?
> >>>>>
> >>>>> 1. http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> >>>>>
> >>>>> 2. http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> >>>>>
> >>>> There is also the Identity_Management_Guide as part of the RHEL
> >>>> product documentation:
> >>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
> >>>>
> >>> This and the pdf above are the latest word in this area.
> >>
> >> Hi, those documents describe configuration for SSSD 1.9. Although
> >> it is still valid, we have simplified configuration for IPA
> >> provider in 1.10.
> >>
> >> The most up to date document for your version of SSSD is always
> >> man sssd-sudo.
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Thank you. Please verify that I have correctly understood your note.
> >
> > Your slides from 12-20-2012 applied to SSSD 1.9 and included a
> > reference to the manual pages, which I now understand, as well as
> > this example configuration:
> >
> > sudo_provider = ldap
> > ldap_uri = ldap://ipa.example.com
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/hostname.example.com
> > ldap_sasl_realm = EXAMPLE.COM
> > krb5_server = ipa.example.com
> >
> > I have used this configuration with good results. However, reading
> > "man sssd-sudo" from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
> >
> > When the SSSD is configured to use the IPA provider, the sudo
> > provider is automatically enabled. The sudo search base is configured
> > to use the compat tree (ou=sudoers,$DC).
>
> I forgot that the configuration was simplified also in 1.9. You can just
> stick with contents of sssd-sudo. I.e. you only need to put sudo to
> "services" (there's an RFE to do it automatically by ipa-client-install)
> and "sudoers: files sss" to /etc/nsswitch.conf
>
> > May I suggest that you change "IPA provider" to "IPA as the ID
> > provider"? There are a number of providers identified in sssd.conf
> > and most of them are configured to use IPA.
>
> This is a valid point, thanks.
>
> >
> > Testing shows that the only change now required to sssd.conf is the
> > addition of sudo to the services list in the sssd section [sssd]:
> >
> > services = autofs, nss, pam, ssh, sudo
> >
> > Add to this the one line change in nsswitch.conf
> >
> > sudoers: files sss
> >
> > and I am done.
>
> Correct.

Nope, there is still one step remaining. nisdomainname must be configured:
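
The three client-side settings named in this thread (sudo in the [sssd] services list, sss on the sudoers line of nsswitch.conf, and a configured nisdomainname) can be checked with a short script. This is an added example, not code from the thread or from the FreeIPA/SSSD projects; the function names and the `--live` switch are hypothetical, and it assumes the usual /etc/sssd/sssd.conf location.

```sh
#!/bin/sh
# Added example (not from the thread): verify the client-side sudo settings.

# Succeeds if "sudo" is listed in services= inside the [sssd] section of $1.
sssd_has_sudo() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if the sudoers: line of nsswitch.conf ($1) lists the sss source.
nsswitch_sudoers_uses_sss() {
    awk '
        { sub(/#.*/, "") }
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if $1 (output of `nisdomainname`) is a real name; the kernel
# default "(none)" and the empty string both mean it is not configured.
nis_domain_is_set() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# check_sudo_client SSSD_CONF NSSWITCH_CONF NIS_DOMAIN: report every gap.
check_sudo_client() {
    rc=0
    sssd_has_sudo "$1" || { echo "FAIL: sudo not in [sssd] services ($1)"; rc=1; }
    nsswitch_sudoers_uses_sss "$2" || { echo "FAIL: sudoers lacks sss ($2)"; rc=1; }
    nis_domain_is_set "$3" || { echo "FAIL: nisdomainname is not set"; rc=1; }
    return "$rc"
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sudo_client /etc/sssd/sssd.conf /etc/nsswitch.conf \
        "$(nisdomainname 2>/dev/null)"
fi
```

A `services = sudo` line under a `[domain/...]` section or a commented-out `sudoers:` line is deliberately not counted, since neither enables the sudo responder or the sss lookup.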