Re: [Freeipa-users] sudo made a bit easier to configure
On Sun, Apr 14, 2013 at 01:49:14PM +0200, Jan-Frode Myklebust wrote:
> On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
>
> An even better config would be if we could use the host's keytab to bind to LDAP here..

Coming up as a default in sssd 1.10 (beta).

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudo made a bit easier to configure
On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
> I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.
>
>     TLS_CACERT /etc/ipa/ca.crt
>     TLS_REQCERT demand
>     SASL_MECH GSSAPI
>     BASE dc=domain,dc=com
>     URI ldap://auth-ipa.domain.com
>     ROOTUSE_SASL on
>     SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
>     SUDOERS_DEBUG 2

I really liked that this configuration didn't need a binddn/bindpw in sudo-ldap.conf, but it only works for me if I do a password login and am issued a Kerberos ticket on the host, and not if I do an ssh pubkey/GSS-API login to the host.

Do you have a pam config that issues a Kerberos ticket on sudo auth so that it always works?

An even better config would be if we could use the host's keytab to bind to LDAP here..

-jf
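A small checker for the settings this thread turns on, added here as an example and not code from sudo, FreeIPA or anyone in the thread. It parses sudo's ldap.conf format and flags a bindpw kept in the file, SASL left off, a relaxed TLS_REQCERT and SUDOERS_DEBUG left above 0; the first sample is the posted recipe, the second is a constructed bindpw variant with a hypothetical bind DN and password.

```python
import re

# Constructed samples: the thread's GSSAPI recipe, then a hypothetical bindpw variant.
GSSAPI_RECIPE = """
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
ROOTUSE_SASL on
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
SUDOERS_DEBUG 2
"""
PASSWORD_BIND = """
URI ldap://auth-ipa.domain.com
BINDDN uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
BINDPW hunter2
TLS_REQCERT allow
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
"""

def parse(text):
    """sudo's ldap.conf: 'KEY value' per line, keys case-insensitive,
    lines starting with '#' are comments; a key may repeat, so values are kept as lists."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Findings for the settings discussed in the thread (empty list = nothing flagged)."""
    conf = parse(text)
    findings = []
    if "bindpw" in conf or "rootbindpw" in conf:
        findings.append("bindpw: cleartext bind password kept in the file; the GSSAPI recipe needs none")
    sasl_on = any(v.lower() in ("on", "true", "yes") for k in ("use_sasl", "rootuse_sasl") for v in conf.get(k, []))
    if not sasl_on:
        findings.append("use_sasl/rootuse_sasl not on: no SASL bind, sudo binds anonymously or with bindpw")
    for v in conf.get("tls_reqcert", []):
        if v.lower() not in ("demand", "hard"):
            findings.append(f"tls_reqcert {v}: server certificate not verified")
    for v in conf.get("sudoers_debug", []):
        if v.isdigit() and int(v) > 0:
            findings.append(f"sudoers_debug {v}: set it to 0 once everything works")
    return findings
```

Run `audit(GSSAPI_RECIPE)` and only the debug level is reported; the bindpw variant gets three findings.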
Re: [Freeipa-users] sudo made a bit easier to configure
On 12/20/2012 04:43 PM, Han Boetes wrote:
> Hi,
>
> I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.
>
>     TLS_CACERT /etc/ipa/ca.crt
>     TLS_REQCERT demand
>     SASL_MECH GSSAPI
>     BASE dc=domain,dc=com
>     URI ldap://auth-ipa.domain.com
>     ROOTUSE_SASL on
>     SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
>     SUDOERS_DEBUG 2
>
> Of course you can set DEBUG to 0 once everything works.
>
> I'd like to share this since the docs on the freeipa site on how to set up sudo were quite a bit more complicated.
>
> # Han

Hello Han,

Thanks! I will forward this example to our doc guys to see if we can make the sudo client configuration example easier to follow.

Martin
Re: [Freeipa-users] sudo made a bit easier to configure
On Fri, Dec 21, 2012 at 06:42:40PM +0100, Natxo Asenjo wrote:
> On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes hboe...@gmail.com wrote:
> > Hi,
> >
> > I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.
>
> Thanks! I have not yet used sudo with IPA, but it sure is in the pipeline and this comes in handy ;-)
>
> > URI ldap://auth-ipa.domain.com
>
> Can this be a SRV record? Cannot test it right now, but this would of course be the most ideal situation.

I haven't tried this myself, but maybe something like:

    URI ldap://dc=example,dc=com

might work. If not, I'm pretty sure SRV records would just work if you leverage the integration with the SSSD :-)