I meant "did" forget.  Silly typo on my behalf...

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeffrey Stormshak
Sent: Tuesday, November 17, 2015 10:44 AM
To: Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
basically stated the message listed below.

Sorry, user plmoss may not run sudo on client_server

Let me try your suggestions and see if that helps lead me down the right path.  
Once again, thanks for this feedback.  Oh how I miss using the "ipa-client" I 
used on all of my higher Linux versions.  Talk about saving time cycles and 
deployment timeframes.  Oh well.  

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 17, 2015 9:51 AM
To: Jeffrey Stormshak; Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

Jeffrey Stormshak wrote:
> Thank you for the response.  If I may, can you expand more on the sudoers 
> response?
>
> More details from my configuration ...
> The current setup for me is that all my sudoers rules/commands and groups are 
> defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
> these 5.5 Linux clients.
>
> uri ldap://ldap-server-name/
> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM binddn 
> uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
> bindpw secret_pass
> bind_timelimit 5
> timelimit 15
>
> In your experience, am I missing some other component?  PAM Modules?  
> Reference in the /etc/nsswitch.conf?

It's hard to know what to recommend since you haven't said what isn't working.

Your nssswitch.conf should have:

sudoers: files ldap

You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while 
debugging.

You almost certainly want to use TLS here:

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

You also need your nisdomainname set to your domain to do group or host-based 
sudo.

You also need to add this to your sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

Stick it after ipa_server in the config file.

Use sudo -l to test.

rob
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Tuesday, November 17, 2015 2:56 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>
> On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:
>> Greetings ---
>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>> for 5.5 and so far its working as expected.  With that history being said ...
>>
>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>> details on how to solve these two problems prior to my mass deployment?  Any 
>> insight is greatly appreciated.  Thanks!
>
> Not sure about TLS but sudoers should be managed with their ldap 
> config (there's no sssd, hence to sssd sudo integration..)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to