On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi <
william.murii...@gmail.com> wrote:

> Evening,
> After looking at almost all the SUDO documentation I could find, it looks
> one has to hardcode FreeIPA hostname on sssd.conf file. Below is what red
> hat advice to add in sssd config file.
> services = nss, pam, ssh, pac, sudo [domain/idm.coe.muc.redhat.com]
> sudo_provider = ldap ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
> ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/
> tiffy.idm.coe.muc.redhat.com ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
> krb5_server = grobi.idm.coe.muc.redhat.com
> The implications of adding above is that SUDO would break if the
> hardcoded ipa is not available even if there is another replica somewhere
> in the network. Is that correct assumption?
> Is there a better way of doing it that I have missed?

Which version of sssd do you have?
sssd >= 1.10 has native ipa suod providers and you don't need to use
"sudo_provider = ldap".


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to