Jeffrey Stormshak wrote:
> Rob -
> Thank you for the suggestions as I finally have them implemented.  However, 
> the twist to this saga, is that it only works when I bind to LDAP as 
> "anonymous" vs. setting an actual "binddn" and "bindpw".  I truly do not want 
> to keep it this way.  With that being said, may I ask what should be the 
> proper binddn account to use so that auth and sudo will work?

I'm not sure how it works at all anonymously as it should return nothing
in that case.

IIRC a sudo system account user is pre-created you just need to set the
password:

$ ldappasswd -x -S -W -h ipaserver.ipadocs.org -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

rob

> 
> Once again, thank you for the help getting me further down the configuration 
> trail.  !!
> 
> -----Original Message-----
> From: Jeffrey Stormshak 
> Sent: Tuesday, November 17, 2015 10:49 AM
> To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> I meant "did" forget.  Silly typo on my behalf...
> 
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeffrey Stormshak
> Sent: Tuesday, November 17, 2015 10:44 AM
> To: Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> Thanks Rob!  Sorry, I didn't forget to mention what was the message.  It 
> basically stated the message listed below.
> 
> Sorry, user plmoss may not run sudo on client_server
> 
> Let me try your suggestions and see if that helps lead me down the right 
> path.  Once again, thanks for this feedback.  Oh how I miss using the 
> "ipa-client" I used on all of my higher Linux versions.  Talk about saving 
> time cycles and deployment timeframes.  Oh well.  
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, November 17, 2015 9:51 AM
> To: Jeffrey Stormshak; Jakub Hrozek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
> 
> Jeffrey Stormshak wrote:
>> Thank you for the response.  If I may, can you expand more on the sudoers 
>> response?
>>
>> More details from my configuration ...
>> The current setup for me is that all my sudoers rules/commands and groups 
>> are defined and stored in the RHEL 7.1 IDM LDAP.  When I create the 
>> /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on 
>> these 5.5 Linux clients.
>>
>> uri ldap://ldap-server-name/
>> sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM
>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM
>> bindpw secret_pass
>> bind_timelimit 5
>> timelimit 15
>>
>> In your experience, am I missing some other component?  PAM Modules?  
>> Reference in the /etc/nsswitch.conf?
> 
> It's hard to know what to recommend since you haven't said what isn't working.
> 
> Your nsswitch.conf should have:
> 
> sudoers: files ldap
> 
> You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too 
> while debugging.
> 
> You almost certainly want to use TLS here:
> 
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
> 
> You also need your nisdomainname set to your domain to do group or host-based 
> sudo.
> 
> You also need to add this to your sssd.conf:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> 
> Stick it after ipa_server in the config file.
> 
> Use sudo -l to test.
> 
> rob
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
>> Sent: Tuesday, November 17, 2015 2:56 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question
>>
>> On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:
>>> Greetings ---
>>> I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we 
>>> have a great number of Oracle Linux 5.5 servers.  Upon research from Oracle 
>>> (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then 
>>> upstream.  I went ahead and configured the PAM/LDAP authentication method 
>>> for 5.5 and so far its working as expected.  With that history being said 
>>> ...
>>>
>>> I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL 
>>> IDM to these 5.5 clients.  Can anyone share some insight or documentation 
>>> details on how to solve these two problems prior to my mass deployment?  
>>> Any insight is greatly appreciated.  Thanks!
>>
>> Not sure about TLS but sudoers should be managed with their ldap 
>> config (there's no sssd, hence no sssd sudo integration..)
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
> 


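As an added example (not code from the thread, from sudo or from FreeIPA), here is a small POSIX sh lint that checks a sudo-ldap.conf and an nsswitch.conf for the items Rob lists above: an authenticated bind rather than an anonymous one, STARTTLS with peer verification against a CA file, and "sudoers: files ldap". The two sample sudo-ldap.conf files it writes are constructed from the snippet in the thread, once as posted and once with the TLS additions; the host name ldap-server-name is a placeholder, as in the original post, and the temporary file paths are the script's own.

```shell
#!/bin/sh
# Added example: lint sudo-ldap.conf / nsswitch.conf for the settings the
# thread recommends. Sample files below are constructed, not real configs.

# check_sudo_ldap_conf FILE
# Prints one line per missing or weak setting; returns 0 when clean, 1 otherwise.
check_sudo_ldap_conf() {
    conf="$1"
    problems=0
    # Drop comments and blank lines; sudo-ldap.conf keywords are case-insensitive.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*binddn[[:space:]]+'; then
        echo "binddn missing: sudo would bind anonymously"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*bindpw[[:space:]]+'; then
        echo "bindpw missing: binddn has no credential"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*sudoers_base[[:space:]]+'; then
        echo "sudoers_base missing: no search base for sudoRole entries"
        problems=$((problems + 1))
    fi
    # Accept either STARTTLS on an ldap:// URI or a plain ldaps:// URI.
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ssl[[:space:]]+start_tls' \
       && ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*uri[[:space:]]+ldaps://'; then
        echo "no TLS: bind password and sudoers data travel in clear text"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+yes'; then
        echo "tls_checkpeer yes missing: server certificate is not verified"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*tls_cacertfile[[:space:]]+'; then
        echo "tls_cacertfile missing: no CA to verify the server against"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_nsswitch_sudoers FILE
# Returns 0 when the sudoers line lists the ldap source, 1 otherwise.
check_nsswitch_sudoers() {
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the snippet as posted in the thread (no TLS directives).
WEAK_CONF="$WORK/sudo-ldap.weak.conf"
cat > "$WEAK_CONF" <<'EOF'
uri ldap://ldap-server-name/
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret_pass
bind_timelimit 5
timelimit 15
EOF

# Constructed: the same file with the TLS and debug lines Rob suggested.
HARD_CONF="$WORK/sudo-ldap.hardened.conf"
cat > "$HARD_CONF" <<'EOF'
uri ldap://ldap-server-name/
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw secret_pass
bind_timelimit 5
timelimit 15
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
sudoers_debug 2
EOF

# Constructed nsswitch.conf fragments, with and without the ldap source.
NSS_OK="$WORK/nsswitch.conf"
printf 'passwd: files ldap\nsudoers: files ldap\n' > "$NSS_OK"
NSS_BAD="$WORK/nsswitch.bad.conf"
printf 'passwd: files ldap\nsudoers: files\n' > "$NSS_BAD"

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if check_sudo_ldap_conf "$f"; then echo "ok"; else echo "needs attention"; fi
done
for f in "$NSS_OK" "$NSS_BAD"; do
    if check_nsswitch_sudoers "$f"; then echo "$f: sudoers uses ldap"; else echo "$f: sudoers does not use ldap"; fi
done
```

Run it as-is to see the posted snippet flagged on three points and the hardened copy pass; point the two functions at /etc/sudo-ldap.conf and /etc/nsswitch.conf on a client to check a real host. The lint only covers the file-level items from the thread; it does not verify that the sudo system account actually has a password set or that the CA file matches the server.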