On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi < william.murii...@gmail.com> wrote:
> Evening,
>
> After looking at almost all the SUDO documentation I could find, it looks
> like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below
> is what Red Hat advises adding to the sssd config file.
>
> services = nss, pam, ssh, pac, sudo
> [domain/idm.coe.muc.redhat.com]
> sudo_provider = ldap
> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> krb5_server = grobi.idm.coe.muc.redhat.com
>
> The implication of adding the above is that SUDO would break if the
> hardcoded ipa is not available, even if there is another replica somewhere
> in the network. Is that a correct assumption?
>
> Is there a better way of doing it that I have missed?
>

Which version of sssd do you have? sssd >= 1.10 has native ipa sudo providers and you don't need to use "sudo_provider = ldap".

LS
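
Added example, not part of the original thread or of sssd itself: a Python check that flags sssd.conf domains whose sudo lookups pin a single server with no backup or discovery, the failure mode asked about above. Both sample configs are constructed; the `[sssd]` header, the `ipa_server = _srv_, ...` line and the function names are assumptions for illustration.

```python
import configparser

# Constructed sample based on the settings quoted in the thread ([sssd] header assumed).
HARDCODED = """
[sssd]
services = nss, pam, ssh, pac, sudo
[domain/idm.coe.muc.redhat.com]
sudo_provider = ldap
ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
krb5_server = grobi.idm.coe.muc.redhat.com
"""
# Constructed sample: native IPA sudo provider with DNS SRV discovery tried first.
NATIVE = """
[sssd]
services = nss, pam, ssh, pac, sudo
[domain/idm.coe.muc.redhat.com]
id_provider = ipa
sudo_provider = ipa
ipa_server = _srv_, grobi.idm.coe.muc.redhat.com
"""
# Server option -> its backup option, per provider used for sudo rules.
SERVER_OPTS = {
    "ldap": {"ldap_uri": "ldap_backup_uri", "krb5_server": "krb5_backup_server"},
    "ipa": {"ipa_server": "ipa_backup_server"},
}

def pins_one_server(value):
    """True when the option lists exactly one host and no _srv_ discovery."""
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    return len(hosts) == 1 and hosts[0] != "_srv_"

def sudo_failover_findings(conf_text):
    """Return (section, option, value) for sudo settings with no failover."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # sudo_provider falls back to id_provider when it is not set.
        provider = dom.get("sudo_provider", fallback=dom.get("id_provider", fallback=""))
        for opt, backup in SERVER_OPTS.get(provider, {}).items():
            # An unset option is skipped: sssd then uses service discovery.
            if opt in dom and backup not in dom and pins_one_server(dom[opt]):
                findings.append((section, opt, dom[opt]))
    return findings

if __name__ == "__main__":
    print(sudo_failover_findings(HARDCODED), sudo_failover_findings(NATIVE))
```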