I have a few issues with sudo rules(FreeIPA 4.1.4-4 on Fedora 22) that I would greatly appreciate some help with. The core of the issue is that sudo rules fail to work when using ldap instead of ipa when you assign user groups and host groups to the sudo rule in place of explicitly adding users and hosts to the sudo rule. The reason for needing to use ldap over ipa is due to the organization requiring 2fa for all users via OTP tokens. We have a mix of cent 5 to 7 systems, not all can be immediately upgraded, so with cent 5 and 6 nodes ldap must be used instead of ipa to support 2fa. Explicitly assigning users and hosts to sudo rules is also unmanageable, the organization has hundreds of employees and multiple thousands of servers. Utilizing the host and user groups is a must.

On cent 7 the default sssd.conf generated by FreeIPA works, 2fa works by default and the sssd.conf is using the ipa directives as well to parse user and host groups on sudo rules. Everything here works as expected.


In cent 6 to allow 2fa to work the conf has to be updated to use ldap instead of ipa. In the process this seems to break the ability to search user and host groups on sudo rules. Users and hosts explicitly defined for the sudo rules still work so the clients can see the rules, they just do not seem to want to look within the groups that may be assigned to the rules. I moved the original sssd.conf created by FreeIPA using the ipa directives and sudo works as expected, but 2fa is not possible like this.

Cent 5 is entirely incapable of using the sudo rules with user and host groups since sudo lacks sssd support in cent 5 and depends on /etc/ldap.conf to work. However like cent 6, users and hosts explicitly defined for the sudo rules still work, so I presume fixing the sudo rules with cent 6 on ldap would fix them here as well.

Can anyone else confirm this behavior, and if so can anyone suggest any possible fixes or workarounds? I have attached the modified Cent6 and Cent 5 configs for sssd and ldap inline below(first time mailing, if inline is not ok please let me know what is preferable for future reference). Currently testing using the following versions:
CentOS Linux release 7.1.1503 (Core)
CentOS release 6.7 (Final)
CentOS release 5.11 (Final)

Cent 6 /etc/sssd/sssd.conf:

#SSSD client configuration file.
[domain/domain]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
sudo_provider = ldap

binddn = <binddn>
bindpw = <bindpw>
scope = sub
sudoers_base = ou=SUDOers,dc=<domain>,dc=com
tls_cacertfile = /etc/ipa/ca.crt
tls_checkpeer = yes
tls_reqcert = demand
ssl = start_tls

ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://<server>.<domain>:389
ldap_search_base = dc=<domain>,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=<domain>,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=<domain>,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=<domain>,dc=com

enumerate = True
cache_credentials = True

ldap_tls_cacertdir = /etc/ipa/
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True

krb5_realm = <DOMAIN>

[sssd]
services = nss, sudo, pam, ssh, autofs
config_file_version = 2
domains = domain

[nss]
homedir_substring = /home
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


Cent 5 /etc/sssd/sssd.conf:

#SSSD client configuration file.
[domain/domain]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap

ldap_schema = rfc2307bis
ldap_uri = _srv_,ldap://<server>.<domain>:389
ldap_search_base = dc=<domain>,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=<domain>,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=<domain>,dc=com

enumerate = True
cache_credentials = True

ldap_tls_cacertdir = /etc/ipa/
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True

krb5_realm = <DOMAIN>

[sssd]
services = nss, pam
config_file_version = 2
domains = domain

[nss]
homedir_substring = /home
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]


Cent 5 /etc/ldap.conf:

#LDAP client configuration file.
uri ldap://<server>.<domain>:389
base dc=<domain>,dc=com
ldap_version 3

tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
ssl start_tls

binddn <binddn>
bindpw <bindpw>
timelimit 5
bind_timelimit 15

sudoers_base ou=SUDOers,dc=<domain>,dc=com


Thank you
Brande
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to