Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

2015-09-24 Thread Pawel Fiuto
Unfortunately, the sudo package included in amzn linux does not work with sudo rules
provided via SSS; however, it is in the feature requests list.
To workaround this you can replace it with the CentOS one: 
http://mirror.centos.org/centos/6.7/os/x86_64/Packages/sudo-1.8.6p3-19.el6.x86_64.rpm



From: freeipa-users-boun...@redhat.com  on 
behalf of Alexander Bokovoy 
Sent: 21 September 2015 20:40
To: Gustavo Mateus
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SSSD client (amazon linux) + IPA server (Redhat)

On Mon, 21 Sep 2015, Gustavo Mateus wrote:
>Hi Alexander,
>
>Thank you very much for your help.
>Would it be possible for you to point me in the right direction on how to
>integrate this with sudo rules?
Please don't send emails personally unless asked to do that.

Your problem can be tracked on the public mailing list.

>my sssd.conf looks like this:
>
>[sssd]
>services = nss, pam, ssh, sudo
>config_file_version = 2
>domains = default
>re_expression = (?P.+)
>
>[domain/default]
>cache_credentials = True
>id_provider = ldap
>auth_provider = ldap
>ldap_uri = ldap://ipaserver.my.domain.com
>ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
>ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt
>ldap_user_ssh_public_key = ipaSshPubKey
>sudo_provider = ldap
>ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
>ldap_sudo_full_refresh_interval=86400
>ldap_sudo_smart_refresh_interval=3600
>debug_level=8
>
>[ssh]
>
>[sudo]
>debug_level=8
>
>
>and nsswitch.conf has this:
>
>sudoers:files sss
>
>
>
>My goal is to have freeipa as a replacement for the current openldap and
>hope that amazon linux supports it fully in the future. While they don't
>support it, I want to use as much as I can of centralized management that
>freeipa+sssd provides.
SSSD has its own plugin for sudo integration that makes it possible to cache
sudo rules via SSSD itself, as opposed to using sudo's LDAP plugin, which
tries to talk to the LDAP server directly.

You need to understand what features are provided by Amazon Linux's sudo
package. It may well be missing support for sudo plugins. I don't have
access to Amazon Linux source code, thus I cannot check whether their
sudo package supports external plugins.

So even if your sssd version includes the sudo plugin, it may well simply be
unused by your sssd version. Again, I have no idea how Amazon's
Linux AMI is built, thus it may be missing this capability.

At this point I'd suggest you investigate yourself and contact Amazon
support to find out exactly what is happening there.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Pawel Fiuto
Hi Gustavo,

Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the
modifications below seems to work quite well:

- on the IPA server, add a permission to read ipaSshPubKey anonymously:

[ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user 
--attrs=ipaSshPubKey --bindtype=anonymous --permissions=read

[ipa-client]# diff /etc/sssd/sssd.conf /etc/sssd/sssd.conf.orig
2c2
< services = nss, pam, ssh
---
> services = nss, pam
12c12
< ldap_search_base = cn=accounts,dc=example,dc=org
---
> ldap_search_base = cn=compat,dc=example,dc=org
14d13
< ldap_user_ssh_public_key = ipaSshPubKey




From: freeipa-users-boun...@redhat.com  on 
behalf of Gustavo Mateus 
Sent: 11 September 2015 00:30
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

Hi,

I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users 
public ssh key.

Do I have to setup a binddn and bindpw in the ldap.conf file and use 
/usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it?

Thanks,
Gustavo
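As an added example (not code from either poster), a small Python checker for the client-side settings the two threads converge on: the ssh and sudo responders in [sssd], ldap_user_ssh_public_key under an accounts search base rather than cn=compat, a sudo search base when sudo_provider = ldap, and sss on the sudoers line of nsswitch.conf. The sample sssd.conf and nsswitch.conf text are constructed from the values quoted above; the domain and search bases are the placeholders used in the threads.

```python
"""Check an SSSD client for the IPA ssh-key and sudo settings quoted in the threads above."""
import configparser

# Constructed sample sssd.conf, modelled on the one quoted in the sudo thread (not a real host).
SSSD_CONF = """
[sssd]
services = nss, pam, ssh, sudo
domains = default

[domain/default]
id_provider = ldap
ldap_search_base = cn=accounts,dc=my,dc=domain,dc=com
ldap_user_ssh_public_key = ipaSshPubKey
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=my,dc=domain,dc=com
"""

# Constructed nsswitch.conf fragment; only the sudoers line is inspected.
NSSWITCH = "passwd: files sss\nsudoers: files sss\n"


def check_sssd_integration(sssd_text, nsswitch_text):
    """Return a list of findings; an empty list means every setting from the threads is present."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    findings = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    for responder in ("ssh", "sudo"):
        if responder not in services:
            findings.append("[sssd] services does not start the %s responder" % responder)
    for dom in cfg.get("sssd", "domains", fallback="").split(","):
        sect = "domain/" + dom.strip()
        if not cfg.has_section(sect):
            findings.append("missing section [%s]" % sect)
            continue
        # The AuthorizedKeysCommand thread moves the search base from cn=compat to cn=accounts.
        if cfg.get(sect, "ldap_search_base", fallback="").lower().startswith("cn=compat"):
            findings.append("%s: ldap_search_base is under cn=compat, not cn=accounts" % sect)
        if not cfg.get(sect, "ldap_user_ssh_public_key", fallback=""):
            findings.append("%s: ldap_user_ssh_public_key is not set (expected ipaSshPubKey)" % sect)
        if cfg.get(sect, "sudo_provider", fallback="") == "ldap" and \
                not cfg.get(sect, "ldap_sudo_search_base", fallback=""):
            findings.append("%s: sudo_provider = ldap but ldap_sudo_search_base is unset" % sect)
    # nsswitch.conf must route sudoers lookups to sss for the SSSD sudo responder to be consulted.
    sudoers = [ln.split(":", 1)[1].split() for ln in nsswitch_text.splitlines()
               if ln.strip().startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0]:
        findings.append("nsswitch.conf: sudoers line does not list sss")
    return findings
```

The checker only inspects configuration text; it cannot tell whether the distribution's sudo binary actually loads the sss backend, which is the open question in the sudo thread.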