After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advises adding to the sssd config file.

    services = nss, pam, ssh, pac, sudo

    [domain/idm.coe.muc.redhat.com]
    sudo_provider = ldap
    ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
    ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
    ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
    krb5_server = grobi.idm.coe.muc.redhat.com

The implication of adding the above is that sudo would break if the hardcoded IPA server is not available, even if there is another replica somewhere in the network. Is that a correct assumption?

Is there a better way of doing it that I have missed?
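As an added illustration, not part of the original post and not Red Hat's snippet, the same domain section written with SSSD's server-list and DNS service-discovery syntax, which is how the sssd-ipa(5) and sssd-ldap(5) manual pages describe failover. The hostnames grobi and tiffy and the search base come from the post; ipa2.idm.coe.muc.redhat.com is an assumed placeholder for a second replica.

```ini
# /etc/sssd/sssd.conf (added example; grobi and tiffy are from the post,
# ipa2.idm.coe.muc.redhat.com is a placeholder for an assumed second replica)
[sssd]
services = nss, pam, ssh, sudo
domains = idm.coe.muc.redhat.com

[domain/idm.coe.muc.redhat.com]
# Use the IPA back end for every provider: it reads sudo rules natively and
# shares one server list for LDAP and Kerberos, so there is a single place
# where failover is configured.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ipa_domain = idm.coe.muc.redhat.com
ipa_hostname = tiffy.idm.coe.muc.redhat.com
krb5_realm = IDM.COE.MUC.REDHAT.COM

# Failover: "_srv_" makes SSSD resolve the _ldap._tcp.<domain> SRV records
# that FreeIPA publishes for every replica and try those servers first; the
# explicit name after it is tried only if discovery returns nothing. The
# backup server is used once every primary server has failed.
ipa_server = _srv_, grobi.idm.coe.muc.redhat.com
ipa_backup_server = ipa2.idm.coe.muc.redhat.com

# Equivalent lines if you keep the generic LDAP sudo provider from the post.
# ldap_uri and krb5_server accept the same comma-separated lists and "_srv_".
# sudo_provider = ldap
# ldap_uri = _srv_, ldap://grobi.idm.coe.muc.redhat.com
# ldap_backup_uri = ldap://ipa2.idm.coe.muc.redhat.com
# krb5_server = _srv_, grobi.idm.coe.muc.redhat.com
# ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
# ldap_sasl_mech = GSSAPI
# ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
# ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
```

After restarting sssd, `sssctl domain-status idm.coe.muc.redhat.com` shows which server SSSD is currently talking to, and `dig +short SRV _ldap._tcp.idm.coe.muc.redhat.com` shows what service discovery will return from the client's resolver. Two caveats: discovery only helps if the client can resolve those SRV records, and the ou=sudoers search base in the post is the LDAP compat tree, which the compat plugin must serve on every replica you expect to take over sudo lookups. SSSD also caches sudo rules locally, so a brief outage of one server is normally covered by the cache even before failover kicks in.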
