On 04/24/2014 10:46 PM, Dmitri Pal wrote:
> On 04/23/2014 07:23 PM, Stephen Benjamin wrote:
>>> I am not sure it is doing the right thing. In the blog you specify
>>> bindpw for SUDO, this means you are configuring SUDO without SSSD
>>> integration. If you use IPA it is a command switch on the
>>> ipa-client-install command to enable sudo, ssh or automount integration
>>> (at least in the latest versions of IPA). I think we should focus on that.
>> I'm very interested in this...
>> I wrote the ipaclient module a year ago to suit a specific need for me.
>> I have some consulting customers who use it, but I haven't had much
>> feedback about it from anyone. Suggestions for changes to how I do
>> things would be much appreciated.
>> The way ipaclient is doing things works on *everything*, from a 2-year
>> old release of RH IdM, to the 3.4 nightly I tested not too long ago.
> Right. So this is where instead of relying on the command switches it might
> make sense to run commands (if they are available).
> I do not recall what the commands and switches are. This is where I need help
> from Martin and Honza.
> I know there is ipa-client-automount but I do not remember the names of the
> similar commands for SSH, SUDO and SELinux integration.

I updated FreeIPA.org Client article to hold the integration information:


>> It's used in the wild, so I can't just break the compatability there -- but,
>> can I use SSSD setup even on the older versions of IPA?  Do you have
>> some info about how to get that working? If so, I'll gladly go to
>> that.
> I need help here. Martin?

I am not sure I understand the question. FreeIPA client compatibility is
described on the wiki:


Are we talking about ipa-client-install options compatibility, or sssd.conf
compatibility or even FreeIPA API compatibility?

>>> https://fedorahosted.org/freeipa/ticket/3740

This is just a convenient command to ipa-client-install. Separate
ipa-client-automount is there since FreeIPA 3.0.

>>> https://fedorahosted.org/freeipa/ticket/3358 <- but one can run command
>>> after install to enable integration with SUDO
>>> Honza, martin can you please add the details about SSH and SELinux
>>> integration

Sorry I did not spot the question earlier, please see the referred article I
just wrote. If there are question, ask.

>>>> I haven't investigated automount, maybe it's something I can
>>>> consider adding to the ipaclient puppet module.
>>> I see it more as apart of the initial client setup and check boxes: do
>>> you want SUDO integration y/n; do you want automount y/n; do you want
>>> SELinux user mapping y/n; Do you want SSH integration y/n. Once you
>>> deploy you usually do not change these things because they are dictated
>>> by general policy rather than something that you turn on and off.
>> Right, for this we'd need to extend the freeipa_snippet, and
>> use Foreman parameters for these options.  I think it's a great idea,
>> and something I'd gladly implement.  For Foreman 1.5, we've really
>> fixed the templates now for the release, but this is something
>> that could probably go into 1.5.1 if the details are hammered out.
> Martin & Honza please suggest how this can be accomplished using our commands.
> I would assume we can assume we are dealing with 6.4 and later, right?

If talking about IPA in 6.4 and older:

automount - run ipa-client-automount after ipa-client-install
SUDO - configure manually (details in
https://fedorahosted.org/freeipa/ticket/3358). Though I am afraid that sssd in
6.4 does not have ipa sudo provider.
SSH - ready after ipa-client-install
SELinux - this comes with ipa-client-install automatically, though I think it
was very limited before 6.5 (https://bugzilla.redhat.com/show_bug.cgi?id=914433)

>> I'd really appreciate an issue opened about this.
> Where?
>> How do older versions of IPA respond to unknown options (say, if they don't
>> support sudoers)?  I guess I need some kind of matrix of
>> what's supported for each version, so that I can do the appropriate
>> things.

ipa-client-install will fail if unknown option is passed.

# ipa-client-install --foo
Usage: ipa-client-install [options]

ipa-client-install: error: no such option: --foo

> Yes we should pass right options to the right clients but may be we can do 
> some
> kind of introspaction based on the package version.
> Something like:
> if ipa-client package version is greater than X:
>    add options k, l, m
> otherwise
>   log that options k, l, m are not supported on the version
> if ipa-client package version is greater than Y:
>    add options n, o, q, p
> otherwise
>   log that options n, o, q, p are not supported on the version
> That might be a script that is run on the system rather than a part of the
> template and it would check the package version available and use only
> applicable options. Again here I would like to hear the opinion of the list.

It seems to me that all integration options are available in 6.4 (see above).
The only exception is SUDO which needs to be configured manuallyP:
  - /etc/nsswitch.conf
  - NIS domain name
  - /etc/sssd/sssd.conf - configuration is different based on SSSD version. In
6.4 and 6.4, you need to manually configure SSSD SUDO LDAP provider (slide 12
in http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf), in
6.6/7.0 you will be able to just add sudo service in SSSD and utilize SSSD SUDO
IPA provider. With FreeIPA 4.0, you do not need to do anything, you have SUDO
client configuration for free.


Freeipa-users mailing list

Reply via email to