On Wed, Jan 15, 2014 at 11:45:58AM +0100, Natxo Asenjo wrote:
> On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote:
> >> > On what platform are you ? With sudo-sssd integration you shouldn't use
> >> > directly ldap anymore.
> >>
> >> centos 6.5 on these hosts. So if I use sssd instead of ldap for sudo
> >> this could go away?
> >
> > I believe so, with the sssd integration, the sudo fetches all data from
> > the SSSD. One catch though, there is no "sudo_provider=ipa" in 6.5, but
> > man sssd-sudo should contain an example of setting up
> > "sudo_provider=ldap" on an IPA client.
>
> ok. If I configure sssd.conf like that, do I need to configure
> anything in /etc/sudo-ldap.conf or are those mutually exclusive?

Sorry for the late reply.

Not mutually exclusive, but they do the same thing :-) It's the same as
having both sssd and nss_ldap configured for passwd lookups.

In order for the sudo binary to be able to talk to sssd you need to
install libsss_sudo. (This is only applicable to RHEL6, in later
upstream versions we folded the binary back to sssd proper)

>
> I have now this in /etc/sudo-ldap.conf:
>
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=sub,dc=domain,dc=tld
> URI ldaps://kdc01.sub.domain.tld ldaps://kdc02.sub.domain.tld
> ROOTUSE_SASL on
> SUDOERS_BASE ou=sudoers,dc=sub,dc=domain,dc=tld
> SUDOERS_DEBUG 0

You should include "sss" as the data source in /etc/nsswitch.conf

# grep sudo /etc/nsswitch.conf
sudoers: files sss

>
> and this in sssd.conf
>
> [sssd]
> domains = sub.domain.tld
> services = nss, pam, ssh

'sudo' needs to be included as one of the services.

> config_file_version = 2
>
> [nss]
>
> [pam]
>
> [domain/sub.domain.tld]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = sub.domain.tld
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, kdc01.sub.domain.tld
> ldap_tls_cacert = /etc/ipa/ca.crt
> entry_cache_netgroup_timeout = 300

Unfortunately with 6.5 there is still no sudo ipa provider, there might
be one in 6.6. So in order to download the sudo rules you need to
configure the LDAP sudo provider manually. It would look something like:

sudo_provider = ldap
ldap_uri = ldap://kdc01.sub.domain.tld
ldap_sudo_search_base = ou=sudoers,dc=sub,dc=domain,dc=tld
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.sub.domain.tld
ldap_sasl_realm = SUB.DOMAIN.TLD
krb5_server = kdc01.sub.domain.tld

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
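The checklist in the reply above (sudo among the SSSD services, an LDAP sudo provider in the domain section, and sss on the sudoers line of nsswitch.conf) as a small audit script. This is an added example, not code from the thread or from SSSD; the sssd.conf and nsswitch.conf contents it writes are constructed samples modelled on the quoted configuration, and the domain sub.domain.tld and the file layout are assumptions taken from the post.

```shell
# Added example (not from the thread): audit an IPA client for the settings the
# reply lists for sudo over SSSD on RHEL 6.5, where sudo_provider=ipa does not
# exist yet: 'sudo' among the [sssd] services, sudo_provider = ldap plus
# ldap_sudo_search_base in the domain section, and 'sss' on the sudoers: line.

# Print the body of INI section $2 of file $1 (exact header match).
section() { awk -v s="[$2]" '$0==s{f=1;next} /^\[/{f=0} f' "$1"; }

# check_sssd_sudo SSSD_CONF NSSWITCH_CONF DOMAIN
# Reports every missing setting; returns 0 if all are present, 1 otherwise.
check_sssd_sudo() {
    conf=$1; nss=$2; dom=$3; missing=0
    section "$conf" sssd | grep -Eq '^services *=.*[ =,]sudo *(,|$)' \
        || { echo "missing: 'sudo' in [sssd] services"; missing=1; }
    section "$conf" "domain/$dom" | grep -Eq '^sudo_provider *= *ldap *$' \
        || { echo "missing: sudo_provider = ldap in [domain/$dom]"; missing=1; }
    section "$conf" "domain/$dom" | grep -Eq '^ldap_sudo_search_base *=' \
        || { echo "missing: ldap_sudo_search_base in [domain/$dom]"; missing=1; }
    grep -Eq '^sudoers:.* sss( |$)' "$nss" \
        || { echo "missing: 'sss' on the sudoers: line of $nss"; missing=1; }
    # RHEL6 also needs the libsss_sudo package installed; not checked here.
    return $missing
}

# Constructed samples: the configuration as quoted, then with the reply applied.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before-sssd.conf" <<'EOF'
[sssd]
domains = sub.domain.tld
services = nss, pam, ssh
config_file_version = 2
[domain/sub.domain.tld]
id_provider = ipa
ipa_server = _srv_, kdc01.sub.domain.tld
EOF
printf 'sudoers: files\n' > "$SAMPLES/before-nsswitch.conf"
sed 's/^services = nss, pam, ssh$/services = nss, pam, ssh, sudo/' \
    "$SAMPLES/before-sssd.conf" > "$SAMPLES/after-sssd.conf"
cat >> "$SAMPLES/after-sssd.conf" <<'EOF'
sudo_provider = ldap
ldap_uri = ldap://kdc01.sub.domain.tld
ldap_sudo_search_base = ou=sudoers,dc=sub,dc=domain,dc=tld
ldap_sasl_mech = GSSAPI
EOF
printf 'sudoers: files sss\n' > "$SAMPLES/after-nsswitch.conf"
echo "== as quoted in the thread"
check_sssd_sudo "$SAMPLES/before-sssd.conf" "$SAMPLES/before-nsswitch.conf" sub.domain.tld || echo "-> not ready"
echo "== with the reply's changes applied"
check_sssd_sudo "$SAMPLES/after-sssd.conf" "$SAMPLES/after-nsswitch.conf" sub.domain.tld && echo "-> ready"
```

Run it on a real client by pointing check_sssd_sudo at /etc/sssd/sssd.conf and /etc/nsswitch.conf with the client's own domain name.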