Thanks Rob!  Sorry, I didn't forget to mention what the message was.  It 
basically stated the message listed below.

Sorry, user plmoss may not run sudo on client_server

Let me try your suggestions and see if that helps lead me down the right path.  
Once again, thanks for this feedback.  Oh how I miss using the "ipa-client" I 
used on all of my higher Linux versions.  Talk about saving time cycles and 
deployment timeframes.  Oh well.  

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, November 17, 2015 9:51 AM
To: Jeffrey Stormshak; Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak wrote:
> Thank you for the response.  If I may, can you expand more on the sudoers 
> response?
>
> More details from my configuration ...
> The current setup for me is that all my sudoers rules/commands and groups are 
> defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
> these 5.5 Linux clients.
>
> uri ldap://ldap-server-name/
> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
> bindpw secret_pass
> bind_timelimit 5
> timelimit 15
>
> In your experience, am I missing some other component?  PAM Modules?  
> Reference in the /etc/nsswitch.conf?

It's hard to know what to recommend since you haven't said what isn't working.

Your nsswitch.conf should have:

sudoers: files ldap

You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while 
debugging.

You almost certainly want to use TLS here:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

You also need your nisdomainname set to your domain to do group or host-based 
sudo.

You also need to add this to your sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

Stick it after ipa_server in the config file.

Use sudo -l to test.

rob
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, November 17, 2015 2:56 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>
> On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:
>> Greetings ---
>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>> for 5.5 and so far its working as expected.  With that history being said ...
>>
>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>> details on how to solve these two problems prior to my mass deployment?  Any 
>> insight is greatly appreciated.  Thanks!
>
> Not sure about TLS but sudoers should be managed with their ldap 
> config (there's no sssd, hence no sssd sudo integration..)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>


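A quick pre-deployment check for the client-side items Rob lists (TLS to the IdM LDAP server, CA file, peer verification, and the `sudoers: files ldap` lookup order). This is an added example, not code from the thread or from FreeIPA; the sample config files are constructed here, and the file paths are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudo-ldap.conf and nsswitch.conf
# for the settings Rob recommends. Paths are parameters; sample files below
# are constructed for the demo.

# has_setting FILE KEY VALUE_REGEX: true if FILE contains "KEY VALUE" (case-insensitive).
has_setting() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# check_sudo_ldap_conf FILE: print each missing setting; exit status = number missing.
check_sudo_ldap_conf() {
    n=0
    has_setting "$1" uri 'ldaps?://[^[:space:]]+'            || { echo "missing: uri ldap://<server>/"; n=$((n+1)); }
    has_setting "$1" sudoers_base 'ou=SUDOers,[^[:space:]]+' || { echo "missing: sudoers_base"; n=$((n+1)); }
    has_setting "$1" ssl start_tls                           || { echo "missing: ssl start_tls"; n=$((n+1)); }
    has_setting "$1" tls_cacertfile '/[^[:space:]]+'         || { echo "missing: tls_cacertfile /etc/ipa/ca.crt"; n=$((n+1)); }
    has_setting "$1" tls_checkpeer yes                       || { echo "missing: tls_checkpeer yes"; n=$((n+1)); }
    return "$n"
}

# check_nsswitch FILE: true if sudoers lookups go to files, then ldap.
check_nsswitch() {
    grep -Eq '^[[:space:]]*sudoers:[[:space:]]+files[[:space:]]+ldap([[:space:]]|$)' "$1"
}

# --- constructed demo input ---
tmp=$(mktemp -d)
# The snippet as posted in the thread: LDAP reachable, but no TLS settings.
printf '%s\n' 'uri ldap://ldap-server-name/' \
    'sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM' \
    'binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM' \
    'bindpw secret_pass' 'bind_timelimit 5' 'timelimit 15' > "$tmp/weak.conf"
# The same file with the three TLS lines from the reply added.
{ cat "$tmp/weak.conf"; printf '%s\n' 'ssl start_tls' \
    'tls_cacertfile /etc/ipa/ca.crt' 'tls_checkpeer yes'; } > "$tmp/fixed.conf"
printf 'sudoers: files ldap\n' > "$tmp/nsswitch.conf"

# Report on both files; a non-zero count means items are still missing.
check_sudo_ldap_conf "$tmp/weak.conf" && weak_rc=0 || weak_rc=$?
echo "weak.conf: $weak_rc item(s) missing"
check_sudo_ldap_conf "$tmp/fixed.conf" && echo "fixed.conf: all settings present"
check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: sudoers lookup order ok"
```

Run it against the real `/etc/sudo-ldap.conf` and `/etc/nsswitch.conf` on a client, then confirm with `sudo -l` as Rob suggests.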