Jeffrey Stormshak wrote:
Thank you for the response.  If I may, can you expand more on the sudoers 

More details from my configuration ...
The current setup for me is that all my sudoers rules/commands and groups are 
defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
/etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
these 5.5 Linux clients.

uri ldap://ldap-server-name/
sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
bindpw secret_pass
bind_timelimit 5
timelimit 15

In your experience, am I missing some other component?  PAM Modules?  Reference 
in the /etc/nsswitch.conf?

It's hard to know what to recommend since you haven't said what isn't working.

Your nsswitch.conf should have:

sudoers: files ldap

You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while debugging.

You almost certainly want to use TLS here:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

You also need your nisdomainname set to your domain to do group or host-based sudo.

You also need to add this to your sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

Stick it after ipa_server in the config file.

Use sudo -l to test.
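As an added example (not from the thread or the FreeIPA project), a small POSIX shell audit that checks a legacy client's sudo-ldap.conf and nsswitch.conf for the settings the reply above lists: TLS enabled and the peer certificate verified, the bindpw file not world-readable, and ldap listed as a sudoers source. The sample files it writes are constructed from the snippet in the question, beside a hardened version; nisdomainname and the sssd.conf netgroup base are not covered.

```shell
#!/bin/sh
# Added example, not from the thread: audit a legacy client's sudo-ldap.conf
# and nsswitch.conf against the settings recommended in the reply above.
# Usage: audit_sudo_ldap SUDO_LDAP_CONF NSSWITCH_CONF -> 0 if all pass, 1 otherwise.

# has_setting FILE KEY VALUE: true if FILE has an uncommented "KEY VALUE" line
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

audit_sudo_ldap() {
    conf=$1; nss=$2; rc=0
    # A plain ldap:// uri without start_tls sends the bind password in the clear.
    if grep -Eiq '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" \
       && ! has_setting "$conf" ssl start_tls; then
        echo "FAIL: ldap:// uri without 'ssl start_tls'"; rc=1
    fi
    # Without tls_checkpeer the server certificate is never validated.
    has_setting "$conf" tls_checkpeer yes \
        || { echo "FAIL: tls_checkpeer is not 'yes'"; rc=1; }
    grep -Eiq '^[[:space:]]*tls_cacertfile[[:space:]]+/' "$conf" \
        || { echo "FAIL: tls_cacertfile not set"; rc=1; }
    # The bind password lives in this file, so it must not be world-readable.
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$conf" \
       && [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FAIL: bindpw present but $conf is world-readable"; rc=1
    fi
    # sudo only consults LDAP when nsswitch lists ldap as a sudoers source.
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$nss" \
        || { echo "FAIL: nsswitch.conf lacks 'sudoers: files ldap'"; rc=1; }
    return $rc
}

# write_samples DIR: constructed sample files, the weak snippet from the question
# beside a hardened version; creates DIR/weak.conf, DIR/good.conf, DIR/nsswitch.conf
write_samples() {
    printf 'uri ldap://ldap-server-name/\nsudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM\nbindpw secret_pass\n' > "$1/weak.conf"
    printf 'uri ldap://ldap-server-name/\nssl start_tls\ntls_cacertfile /etc/ipa/ca.crt\ntls_checkpeer yes\nbindpw secret_pass\n' > "$1/good.conf"
    chmod 600 "$1/good.conf"
    printf 'passwd: files ldap\nsudoers: files ldap\n' > "$1/nsswitch.conf"
}

# Demo run: the weak snippet fails, the hardened version passes.
d=$(mktemp -d); write_samples "$d"
audit_sudo_ldap "$d/weak.conf" "$d/nsswitch.conf" || echo "weak.conf: audit failed (expected)"
audit_sudo_ldap "$d/good.conf" "$d/nsswitch.conf" && echo "good.conf: audit passed"
rm -rf "$d"
```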


-----Original Message-----
On Behalf Of Jakub Hrozek
Sent: Tuesday, November 17, 2015 2:56 AM
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:
Greetings ---
I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we have a great 
number of Oracle Linux 5.5 servers.  Upon research from Oracle (ULN Channels) the Linux 
"ipa-client" was only released for 5.6 and then upstream.  I went ahead and 
configured the PAM/LDAP authentication method for 5.5 and so far it's working as expected. 
With that history being said ...

I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL IDM 
to these 5.5 clients.  Can anyone share some insight or documentation details on how to 
solve these two problems prior to my mass deployment?  Any insight is greatly 
appreciated.  Thanks!

Not sure about TLS but sudoers should be managed with their ldap config 
(there's no sssd, hence no sssd sudo integration..)

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
