On Mon, 21 Sep 2015, Gustavo Mateus wrote:
Hi Alexander,

Thank you very much for your help.
Would it be possible for you to point me in the right direction on how to
integrate this with sudo rules?
Please don't send emails personally unless asked to do that.

Your problem can be tracked with public mailing list.

my sssd.conf looks like this:

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ipaserver.my.domain.com
ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
ldap_user_ssh_public_key = ipaSshPubKey
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
debug_level=8

[ssh]

[sudo]
debug_level=8


and nsswitch.conf has this:

sudoers:    files sss



My goal is to have freeipa as a replacement for the current openldap and
hope that amazon linux supports it fully in the future. While they don't
support it, I want to use as much as I can of centralized management that
freeipa+sssd provides.
SSSD has own plugin for sudo integration that makes possible to cache
sudo rules via SSSD itself as opposed to use of sudo's LDAP plugin which
tries to talk to LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to Amazon Linux source code, thus I cannot check whether their
sudo package supports external plugins.

So even if your sssd version includes sudo plugin, it may probably be
simply unused by your sssd version. Again, I have no idea how Amazon's
Linux AMI is built, thus it may miss this capability.

At this point I'd suggest you to investigate yourself and contact Amazon
support for finding out exactly what is happening there.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to