On 25.4.2014 09:07, Martin Kosek wrote:
On 04/24/2014 10:46 PM, Dmitri Pal wrote:
On 04/23/2014 07:23 PM, Stephen Benjamin wrote:
I am not sure it is doing the right thing. In the blog you specify
bindpw for SUDO, this means you are configuring SUDO without SSSD
integration. If you use IPA it is a command switch on the
ipa-client-install command to enable sudo, ssh or automount integration
(at least in the latest versions of IPA). I think we should focus on that.
I'm very interested in this...

I wrote the ipaclient module a year ago to suit a specific need for me.
I have some consulting customers who use it, but I haven't had much
feedback about it from anyone. Suggestions for changes to how I do
things would be much appreciated.

The way ipaclient is doing things works on *everything*, from a 2-year
old release of RH IdM, to the 3.4 nightly I tested not too long ago.

Right. So this is where instead of relying on the command switches it might
make sense to run commands (if they are available).
I do not recall what the commands and switches are. This is where I need help
from Martin and Honza.
I know there is ipa-client-automount but I do not remember the names of the
similar commands for SSH, SUDO and SELinux integration.

I updated FreeIPA.org Client article to hold the integration information:


Updated the bit about SSHFP and added markup to prevent line wrapping in the middle of command and option names.

It's used in the wild, so I can't just break the compatibility there -- but,
can I use SSSD setup even on the older versions of IPA?  Do you have
some info about how to get that working? If so, I'll gladly go to

I need help here. Martin?

I am not sure I understand the question. FreeIPA client compatibility is
described on the wiki:


Are we talking about ipa-client-install options compatibility, or sssd.conf
compatibility or even FreeIPA API compatibility?


This is just a convenient command to ipa-client-install. Separate
ipa-client-automount is there since FreeIPA 3.0.

https://fedorahosted.org/freeipa/ticket/3358 <- but one can run a command
after install to enable integration with SUDO

Honza, Martin, can you please add the details about SSH and SELinux

Sorry I did not spot the question earlier, please see the referred article I
just wrote. If there are questions, ask.

What Martin said.

I haven't investigated automount, maybe it's something I can
consider adding to the ipaclient puppet module.
I see it more as a part of the initial client setup and check boxes: do
you want SUDO integration y/n; do you want automount y/n; do you want
SELinux user mapping y/n; Do you want SSH integration y/n. Once you
deploy you usually do not change these things because they are dictated
by general policy rather than something that you turn on and off.
Right, for this we'd need to extend the freeipa_snippet, and
use Foreman parameters for these options.  I think it's a great idea,
and something I'd gladly implement.  For Foreman 1.5, we've really
fixed the templates now for the release, but this is something
that could probably go into 1.5.1 if the details are hammered out.

Martin & Honza please suggest how this can be accomplished using our commands.
I would assume we can assume we are dealing with 6.4 and later, right?

If talking about IPA in 6.4 and older:

automount - run ipa-client-automount after ipa-client-install
SUDO - configure manually (details in
https://fedorahosted.org/freeipa/ticket/3358). Though I am afraid that sssd in
6.4 does not have ipa sudo provider.

AFAIK you can use ldap sudo provider with IPA, see e.g. <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>

SSH - ready after ipa-client-install
SELinux - this comes with ipa-client-install automatically, though I think it
was very limited before 6.5 (https://bugzilla.redhat.com/show_bug.cgi?id=914433)

I'd really appreciate an issue opened about this.


How do older versions of IPA respond to unknown options (say, if they don't
support sudoers)?  I guess I need some kind of matrix of
what's supported for each version, so that I can do the appropriate

ipa-client-install will fail if an unknown option is passed.

# ipa-client-install --foo
Usage: ipa-client-install [options]

ipa-client-install: error: no such option: --foo

Yes, we should pass the right options to the right clients, but maybe we can do some
kind of introspection based on the package version.
Something like:

if ipa-client package version is greater than X:
    add options k, l, m
else:
    log that options k, l, m are not supported on the version

if ipa-client package version is greater than Y:
    add options n, o, q, p
else:
    log that options n, o, q, p are not supported on the version

That might be a script that is run on the system rather than a part of the
template and it would check the package version available and use only
applicable options. Again here I would like to hear the opinion of the list.

It seems to me that all integration options are available in 6.4 (see above).
The only exception is SUDO which needs to be configured manually:
   - /etc/nsswitch.conf
   - NIS domain name
   - /etc/sssd/sssd.conf - configuration is different based on SSSD version. In
6.4 and 6.4, you need to manually configure SSSD SUDO LDAP provider (slide 12
in http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf), in
6.6/7.0 you will be able to just add sudo service in SSSD and utilize SSSD SUDO
IPA provider. With FreeIPA 4.0, you do not need to do anything, you have SUDO
client configuration for free.


Jan Cholasta
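A worked version of the version-gated option selection discussed in the thread (the "introspection based on the package version" pseudocode and Martin's per-version notes on automount and SUDO), added here as an example; it is not code from the thread or from the ipaclient puppet module. It assumes that --no-sudo is an ipa-client-install option understood only from FreeIPA 4.0 (the version that also configures SUDO by itself), that ipa-client-automount exists from 3.0, and that the version string is a numeric major.minor taken from the ipa-client rpm when not given on the command line.

```shell
#!/bin/sh
# Added example: build an ipa-client-install plan from the installed
# ipa-client version, so that an option unknown to that version is never
# passed (ipa-client-install aborts on an unknown option).
# Assumptions: --no-sudo is only understood from FreeIPA 4.0, which also
# configures SUDO on its own; ipa-client-automount exists from 3.0; SSH and
# SELinux user mapping need no extra option on any version.

# version_ge A B: succeed when A >= B, comparing numeric major.minor only
version_ge() {
    a="$1.0" b="$2.0"                       # pad so "4" reads as "4.0"
    a_major=${a%%.*}; a_rest=${a#*.}; a_minor=${a_rest%%.*}
    b_major=${b%%.*}; b_rest=${b#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# installed_version: version of the ipa-client package, nothing if absent
installed_version() {
    rpm -q ipa-client >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}' ipa-client
}

# plan_client_setup VERSION WANT_SUDO WANT_AUTOMOUNT
# prints one line: extra ipa-client-install options, commands to run after
# it, and integrations that must be configured by hand on this version
plan_client_setup() {
    ver=$1 want_sudo=$2 want_automount=$3
    opts="" post="" manual=""
    if [ "$want_sudo" = yes ]; then
        # 4.0 sets up SSSD for sudo itself; older clients need the manual
        # nsswitch.conf / NIS domain name / sssd.conf steps (ticket 3358)
        version_ge "$ver" 4.0 || manual="${manual:+$manual }sudo"
    elif version_ge "$ver" 4.0; then
        opts="${opts:+$opts }--no-sudo"     # assumed to exist from 4.0 only
    fi
    if [ "$want_automount" = yes ]; then
        if version_ge "$ver" 3.0; then
            post="${post:+$post }ipa-client-automount"   # separate since 3.0
        else
            manual="${manual:+$manual }automount"
        fi
    fi
    printf 'opts=[%s] post=[%s] manual=[%s]\n' "$opts" "$post" "$manual"
}

# Stand-alone use: plan.sh [VERSION [WANT_SUDO [WANT_AUTOMOUNT]]], falling
# back to the locally installed ipa-client version
ver=${1:-$(installed_version)}
[ -n "$ver" ] && plan_client_setup "$ver" "${2:-yes}" "${3:-yes}"
```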

Freeipa-users mailing list
