On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> ----- Original Message -----
> > From: "Jan Cholasta" <jchol...@redhat.com>
> > To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen Benjamin" 
> > <stben...@redhat.com>
> > Cc: freeipa-users@redhat.com
> > Sent: Friday, April 25, 2014 9:44:37 AM
> > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> I got this working, and seems to work across recent Fedora releases too.
> This at least removes the requirement on using the old bind password
> method.  Thanks!

In recent Fedora releases, where the IPA sudo provider is available, the
"legacy" LDAP provider should not be used. There might be problems with
enumeration, for instance, when combining two different providers.

> Is there a way for sssd to use _srv_ for the krb5_server line?

Yes, it should just work.

> Here's an updated Kickstart snippet:
> https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> If we know what the Syntax will be for sudo (or will it be default
> in 4.0?), then I can include the logic already not to do it manually.

Sorry, I'm not sure I understand the question? With recent enough
clients (6.6+, 7.0+, any supported Fedora) you should use
sudo_provider=ipa; with older ones you should use sudo_provider=ldap.
