Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
basically stated the message listed below.

Sorry, user plmoss may not run sudo on client_server

Let me try your suggestions and see if that helps lead me down the right path.  
Once again, thanks for this feedback.  Oh how I miss using the "ipa-client" I 
used on all of my higher Linux versions.  Talk about saving time cycles and 
deployment timeframes.  Oh well.  

-----Original Message-----
From: Rob Crittenden [] 
Sent: Tuesday, November 17, 2015 9:51 AM
To: Jeffrey Stormshak; Jakub Hrozek;
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak wrote:
> Thank you for the response.  If I may, can you expand more on the sudoers 
> response?
> More details from my configuration ...
> The current setup for me is that all my sudoers rules/commands and groups are 
> defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
> these 5.5 Linux clients.
> uri ldap://ldap-server-name/
> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM binddn 
> uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
> bindpw secret_pass
> bind_timelimit 5
> timelimit 15
> In your experience, am I missing some other component?  PAM Modules?  
> Reference in the /etc/nsswitch.conf?

It's hard to know what to recommend since you haven't said what isn't working.

Your nssswitch.conf should have:

sudoers: files ldap

You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while 

You almost certainly want to use TLS here:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

You also need your nisdomainname set to your domain to do group or host-based 

You also need to add this to your sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

Stick it after ipa_server in the config file.

Use sudo -l to test.

> -----Original Message-----
> From: 
> [] On Behalf Of Jakub Hrozek
> Sent: Tuesday, November 17, 2015 2:56 AM
> To:
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:
>> Greetings ---
>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>> for 5.5 and so far its working as expected.  With that history being said ...
>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>> details on how to solve these two problems prior to my mass deployment?  Any 
>> insight is greatly appreciated.  Thanks!
> Not sure about TLS but sudoers should be managed with their ldap 
> config (there's no sssd, hence to sssd sudo integration..)
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to