On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote:
>> > On what platform are you ? With sudo-sssd integration you shouldn't use
>> > directly ldap anymore.
>>
>> centos 6.5 on these hosts. So if I use sssd insted of ldap for sudo
>> this could go away?
>
> I believe so, with the sssd integration, the sudo fetches all data from
> the SSSD. One catch though, there is no "sudo_provider=ipa" in 6.5, but
> man sssd-sudo should contain an example of setting up
> "sudo_provider=ldap" on an IPA client.

ok. If I configure sssd.conf like that, do I need to configure
anything in /etc/sudo-ldap.conf or are those mutually exclusive?

I have now this in /etc/sudo-ldap.conf:

TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=sub,dc=domain,dc=tld
URI ldaps://kdc01.sub.domain.tld ldaps://kdc02.sub.domain.tld
ROOTUSE_SASL on
SUDOERS_BASE ou=sudoers,dc=sub,dc=domain,dc=tld
SUDOERS_DEBUG 0

and this in sssd.conf

[sssd]
domains = sub.domain.tld
services = nss, pam, ssh
config_file_version = 2

[nss]

[pam]

[domain/sub.domain.tld]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = sub.domain.tld
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, kdc01.sub.domain.tld
ldap_tls_cacert = /etc/ipa/ca.crt
entry_cache_netgroup_timeout = 300

[sudo]

[autofs]

[ssh]


--
Groeten,
natxo
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to