On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek <[email protected]> wrote:
> On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote:
>> > On what platform are you? With sudo-sssd integration you shouldn't use
>> > directly ldap anymore.
>>
>> centos 6.5 on these hosts. So if I use sssd instead of ldap for sudo
>> this could go away?
>
> I believe so, with the sssd integration, the sudo fetches all data from
> the SSSD. One catch though, there is no "sudo_provider=ipa" in 6.5, but
> man sssd-sudo should contain an example of setting up
> "sudo_provider=ldap" on an IPA client.
OK. If I configure sssd.conf like that, do I need to configure anything in /etc/sudo-ldap.conf, or are those mutually exclusive?

I have now this in /etc/sudo-ldap.conf:

    TLS_CACERT /etc/ipa/ca.crt
    TLS_REQCERT demand
    SASL_MECH GSSAPI
    BASE dc=sub,dc=domain,dc=tld
    URI ldaps://kdc01.sub.domain.tld ldaps://kdc02.sub.domain.tld
    ROOTUSE_SASL on
    SUDOERS_BASE ou=sudoers,dc=sub,dc=domain,dc=tld
    SUDOERS_DEBUG 0

and this in sssd.conf:

    [sssd]
    domains = sub.domain.tld
    services = nss, pam, ssh
    config_file_version = 2

    [nss]

    [pam]

    [domain/sub.domain.tld]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = sub.domain.tld
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    chpass_provider = ipa
    ipa_dyndns_update = True
    ipa_server = _srv_, kdc01.sub.domain.tld
    ldap_tls_cacert = /etc/ipa/ca.crt
    entry_cache_netgroup_timeout = 300

    [sudo]

    [autofs]

    [ssh]

--
Groeten,
natxo

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
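Editor's added example, not part of the thread. The two files in the question are not read by the same thing: /etc/sudo-ldap.conf is consulted only by sudo's own LDAP backend, which nsswitch selects with "sudoers: ldap"; once nsswitch says "sudoers: files sss", sudo asks SSSD and sudo-ldap.conf is ignored. The sssd.conf as posted is not enough for that, because the [sssd] services line does not start the sudo responder and the domain has no sudo_provider. The script below checks both files for exactly those pieces and carries a constructed sample of what a working sssd.conf looks like, following the sudo_provider=ldap layout given in sssd-sudo(5) for an IPA client (the client hostname client01.sub.domain.tld and the realm name SUB.DOMAIN.TLD are assumptions; the search base and servers are the ones already in the thread).

```shell
#!/bin/sh
# Added example (not from the thread): verify that sudo on an IPA client is
# wired through SSSD instead of sudo's own LDAP backend.
# Assumptions: RHEL/CentOS 6-era file layout, sudo_provider=ldap as shown in
# sssd-sudo(5). The sample file contents below are constructed.

# Print the value of the first "key = value" line in an ini-style file.
# Deliberately section-insensitive; enough for these presence checks.
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when sssd.conf and nsswitch.conf together route sudoers lookups
# through SSSD; otherwise print each missing piece and return 1.
check_sudo_via_sssd() {  # check_sudo_via_sssd SSSD_CONF NSSWITCH_CONF
    sssd_conf=$1; nss_conf=$2; rc=0

    # 1. The sudo responder must be started: "sudo" in [sssd] services.
    case ",$(ini_get "$sssd_conf" services | tr -d ' ')," in
        *,sudo,*) ;;
        *) echo "missing: 'sudo' in [sssd] services"; rc=1 ;;
    esac

    # 2. The domain needs a sudo_provider (ldap on 6.5; ipa came later).
    prov=$(ini_get "$sssd_conf" sudo_provider)
    [ -n "$prov" ] || { echo "missing: sudo_provider in domain section"; rc=1; }

    # 3. sudo_provider=ldap must know where the sudoers container lives.
    if [ "$prov" = ldap ]; then
        [ -n "$(ini_get "$sssd_conf" ldap_sudo_search_base)" ] \
            || { echo "missing: ldap_sudo_search_base"; rc=1; }
    fi

    # 4. nsswitch must send sudoers lookups to sss. A "ldap" entry here is
    #    what makes sudo read /etc/sudo-ldap.conf; with sss alone it is unused.
    nss=$(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$nss_conf" | head -n 1)
    case " $nss " in
        *" sss "*) ;;
        *) echo "missing: 'sss' in nsswitch 'sudoers:' line (have: '${nss:-none}')"; rc=1 ;;
    esac
    case " $nss " in
        *" ldap "*) echo "warning: 'sudoers:' also lists ldap; sudo-ldap.conf is still consulted" ;;
    esac
    return $rc
}

# Constructed sample: the thread's sssd.conf extended per sssd-sudo(5).
# Hostname client01 and realm SUB.DOMAIN.TLD are assumed values.
write_samples() {  # write_samples DIR
    cat >"$1/sssd.conf" <<'EOF'
[sssd]
domains = sub.domain.tld
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/sub.domain.tld]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = sub.domain.tld
ipa_server = _srv_, kdc01.sub.domain.tld
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://kdc01.sub.domain.tld
ldap_sudo_search_base = ou=sudoers,dc=sub,dc=domain,dc=tld
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client01.sub.domain.tld
ldap_sasl_realm = SUB.DOMAIN.TLD
krb5_server = kdc01.sub.domain.tld

[sudo]
EOF
    printf 'passwd:  files sss\ngroup:   files sss\nsudoers: files sss\n' >"$1/nsswitch.conf"
}

# Stand-alone usage on a real host:  sh check_sudo_sss.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sudo_via_sssd /etc/sssd/sssd.conf /etc/nsswitch.conf
fi
```

The GSSAPI bind in the sample authenticates as the host principal from /etc/krb5.keytab, so no bind password goes into sssd.conf; the plain ldap:// URI is protected by the SASL security layer rather than by TLS, which is why the man page example does not use ldaps://. After changing sssd.conf, restart sssd and run the check against the live files before removing sudo-ldap.conf, so that a typo does not silently leave sudo with no rule source.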
