Hi all,
           I'm in the process of testing IPA server for centralised
authentication of our linux hosts. We run CentOS 6.5 and it's all new so
we have no legacy issues.

In the lab I've set up an IPA server with the yum install and used a local
bind instance which all seems to be working correctly. Where the issues
begin is with the sudoers functionality. After reading the manual and
consulting Google sensei I found a number of resources that talk about
setting up ldap either natively in the nsswitch.conf file or via sssd,
I've tried a number of slightly different configurations on the client
side with little effect. So the question is "what is the process for
configuring an IPA system to handle sudo functionality".

Any help is greatly appreciated.

# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
sudoers:    files sss
netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus


cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = TEST.EXAMPLE.NET
krb5_server = ipa-server-1.test.example.net
ipa_domain = test.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server-1.test.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa-server-1.test.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_uri = ldap://ipa-server-1.test.example.net

services = nss, pam, ssh, sudo
config_file_version = 2
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=test,dc=example,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test.example.net
ldap_sasl_realm = TEST.EXAMPLE.NET

domains = test.example.net






Best regards
David Taylor

David Taylor
Head of Engineering - SpeedCast Pacific

Level 1, Unit 4F
12 Lord St, Botany
NSW, Australia, 2019
Office                      +61 2 9531 7555
Direct:               +61 2 9086 2787
Mobile:              +61 4 3131 1146
24x7 Helpdesk   +61 2 9016 3222
Web:                http://www.example.com / www.speedcast.com

To strengthen our corporate identity in target markets worldwide,
effective 18th January, we have commenced operating under the SpeedCast
name. Read More

Freeipa-users mailing list

Reply via email to