Re: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

2015-04-02 Thread Dmitri Pal

On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:


Hi Yves.

First a little background information regarding sudo on AIX: Most sudo 
packages compiled for AIX are _NOT_ compiled with LDAP support.


Although sudo's documentation states that sudo supports different LDAP 
implementations, other than OpenLDAP, I suppose it doesn't work well 
with AIX's LDAP fileset.


That's my guess why most sudo packages for AIX aren't compiled with 
LDAP support. [BTW, you can check this by running, as root, sudo -V | 
grep -i ldap].


The good news is that Michael Perzl has successfully compiled a sudo 
package with LDAP support, although it's compiled against OpenLDAP and 
not AIX's LDAP fileset.


So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and 
download the following RPM packages on their latest versions:


- sudo = 1.8.11

- gettext = 0.10.40

- openldap = 2.4.23

- openssl = 1.0.1j-1

- zlib

Make sure you don't have the sudo fileset installed or another sudo 
rpm package.


Don't worry about openssl from this RPM package conflicting with the 
OpenSSL fileset from AIX, they won't.


Don't worry about openldap from this RPM package conflicting with the 
ldap fileset from AIX, they won't.


(2) Upload the rpm packages to your AIX LPAR and put them all in a 
directory, I used /tmp/sudopack. [From here on I assume you are root 
on your LPAR].


(3) From the directory where you put your packages run "rpm -ivh 
*.rpm --test" and if all goes well proceed without the "--test", 
otherwise sort out the dependencies and conflicts like the grown man 
you are :).


(4) Once the rpms are installed, add the following line to the bottom 
of your /etc/netsvc.conf file: sudoers = files, ldap


I know this is not expected syntax according to IBM's netsvc.conf 
documentation, but sudo requires it to work with ldap. According to 
sudo's documentation it uses that line on netsvc.conf to emulate what 
sudo would expect to find on /etc/nsswitch.conf on a Linux machine 
[hack much?].


(5) Create a file called /etc/ldap.conf. This has nothing to do with 
the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, 
this is OpenLDAP's config only used by sudo. Don't worry, this won't 
conflict with AIX's LDAP functionality.


Add this to your /etc/ldap.conf:

tls_cacert /etc/ipa/ca.crt

uri ldap://youripaserver.domain.com

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com

bindpw yourclientpassword

sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your ca 
certificate file and place it there. Make sure to permission the 
directory 755 and the ca.crt file 644.


(7) And that's pretty much it, no need to edit a single line on 
/etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that 
comes with the rpm, unchanged.


Log into your LPAR with a domain user and try running sudo -l, it 
should output the sudo rules you set on the IPA server.


I hope this helps you and other AIX client users out there.



Would you mind creating a howto page on the IPA wiki?


Best Regards

__

Luiz Fernando Vianna da Silva

ITM-I - Cielo Operations

+55 (11) 3626-7126

luiz.via...@tivit.com.br

T I V I T

Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar

São Paulo - SP - CEP 05804-900

www.tivit.com.br

This message, including its attachments, is confidential and its 
content is restricted to the addressee. If you have received it in 
error, please return it to the addressee and delete it from your files. 
Any unauthorized use, replication or dissemination of this message or 
any part of it is expressly prohibited. TIVIT is not responsible for 
the content or the accuracy of this information.


From: Yves Degauquier [mailto:y...@degauquier.net]
Sent: Wednesday, April 1, 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,

I was not able to get it running, I was a bit lost with the LDAP, 
PAM, LAM configuration, and didn't find any ideas with Google...


If you can share the solution or point me to some important point to 
do, I will be happy.


Thanks in advance,

Best regards,

Yves

On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:

Hello Yves.

I was browsing the mailing list archives and found your email from
December 2013
(https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the
sudo rules on IPA, just like Linux clients.

Give me a reply if you haven't figured out a way to make this work
and I'll send you the solution I came up with.

Best Regards

__

Luiz Fernando Vianna da Silva

ITM-I - Operations 

[Freeipa-users] RES: FreeIPA integration with AIX and sudo

2015-04-01 Thread Luiz Fernando Vianna da Silva
Hi Yves.

First a little background information regarding sudo on AIX: Most sudo packages 
compiled for AIX are _NOT_ compiled with LDAP support.
Although sudo’s documentation states that sudo supports different LDAP 
implementations, other than OpenLDAP, I suppose it doesn’t work well with AIX’s 
LDAP fileset.
That’s my guess why most sudo packages for AIX aren’t compiled with LDAP 
support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap].

The good news is that Michael Perzl has successfully compiled a sudo package 
with LDAP support, although it's compiled against OpenLDAP and not AIX’s LDAP 
fileset.

So, here is how I did it:
(1) Go to http://www.perzl.org/aix/ and download the following RPM packages on 
their latest versions:

· sudo = 1.8.11

· gettext = 0.10.40

· openldap = 2.4.23

· openssl = 1.0.1j-1

· zlib

Make sure you don’t have the sudo fileset installed or another sudo rpm package.
Don’t worry about openssl from this RPM package conflicting with the OpenSSL 
fileset from AIX, they won’t.
Don’t worry about openldap from this RPM package conflicting with the ldap 
fileset from AIX, they won’t.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory, I 
used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run a “rpm -ivh *.rpm 
--test” and if all goes well proceed without the “--test”, otherwise sort out 
the dependencies and conflicts like the grown man you are :).

(4) Once the rpms are installed, add the following line to the bottom of your 
/etc/netsvc.conf file: sudoers = files, ldap
I know this is not expected syntax according to IBM’s netsvc.conf 
documentation, but sudo requires it to work with ldap. According to sudo’s 
documentation it uses that line on netsvc.conf to emulate what sudo would 
expect to find on /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf. This has nothing to do with the 
/etc/security/ldap/ldap.cfg file you use to configure AIX’s LDAP, this is 
OpenLDAP’s config only used by sudo. Don’t worry, this won’t conflict with 
AIX’s LDAP functionality.
Add this to your /etc/ldap.conf:
tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw yourclientpassword
sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your ca certificate file 
and place it there. Make sure to permission the directory 755 and the ca.crt 
file 644.

(7) And that’s pretty much it, no need to edit a single line on /etc/sudoers. 
The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, 
unchanged.
Log into your LPAR with a domain user and try running “sudo -l”, it should 
output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Cielo Operations
+55 (11) 3626-7126

luiz.via...@tivit.com.br


T I V I T

Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br


From: Yves Degauquier [mailto:y...@degauquier.net]
Sent: Wednesday, April 1, 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,

I was not able to get it running, I was a bit lost with the LDAP, PAM, LAM 
configuration, and didn't find any ideas with Google...

If you can share the solution or point me to some important point to do, I will 
be happy.

Thanks in advance,

Best regards,

Yves
On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
Hello Yves.

I was browsing the mailing list archives and found your email from December 
2013 
(https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
I have successfully found a way to have sudo on AIX work with the sudo rules on 
IPA, just like Linux clients.
Give me a reply if you haven’t figured out a way to make this work and I’ll 
send you the solution I came up with.

Best Regards
__
Luiz Fernando Vianna da Silva
ITM-I - Cielo Operations
+55 (11) 3626-7126

luiz.via...@tivit.com.br


T I V I T

Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
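As an added example that is not part of Luiz's posts or of the perzl.org packages, the POSIX shell script below stages the files from steps (4) to (6) under a root directory of your choice, so they can be reviewed and checked before being copied onto the LPAR (steps (1) to (3), the rpm install, are not repeated). It goes beyond the thread in two deliberate places: it writes ldap.conf with mode 0600, since the file carries bindpw and sudo, which runs as root, can still read it; and it adds the sudoers.ldap(5) option "ssl start_tls", without which a plain ldap:// URI sends the bind password to the server unencrypted and the tls_cacert line is never exercised. The host name ipa.example.test, the dc=example,dc=test DNs, the bind password and CA file used in demo(), and the mktemp staging directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: stage the sudo-side LDAP
# client files from steps (4)-(6) under a root directory so they can be
# checked before being copied to / on the LPAR. Host names, DNs and paths
# used in demo() are constructed placeholders.

# The check from the thread: does the installed sudo report LDAP support?
# Returns 0 if "sudo -V" mentions ldap. $SUDO lets you point at another binary.
sudo_has_ldap() { "${SUDO:-sudo}" -V 2>/dev/null | grep -qi ldap; }

# Append "sudoers = files, ldap" to a netsvc.conf, but only once (idempotent).
add_netsvc_sudoers() {
    grep -q '^sudoers[ ]*=[ ]*files,[ ]*ldap' "$1" 2>/dev/null && return 0
    printf 'sudoers = files, ldap\n' >> "$1"
}

# Print the ldap.conf that sudo reads. The bind password is read from a file,
# never passed as an argument, so it does not show up in ps output.
# "ssl start_tls" (sudoers.ldap(5)) upgrades the ldap:// session to TLS before
# the bind, so bindpw is not sent in clear and tls_cacert is actually used.
render_ldap_conf() {
    uri="$1"; binddn="$2"; pwfile="$3"; base="$4"
    bindpw=$(cat "$pwfile") || return 1
    printf 'tls_cacert /etc/ipa/ca.crt\n'
    printf 'uri %s\n' "$uri"
    printf 'ssl start_tls\n'
    printf 'binddn %s\n' "$binddn"
    printf 'bindpw %s\n' "$bindpw"
    printf 'sudoers_base %s\n' "$base"
}

# Permission string of a path in ls(1) form, e.g. "-rw-------". Portable to
# AIX and Linux, whose stat(1) options differ.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Stage everything under $1: etc/ipa/ca.crt (0644 in a 0755 directory),
# etc/ldap.conf (0600, since it carries bindpw; sudo runs as root and can
# still read it) and the netsvc.conf line.
stage_sudo_ldap() {
    root="$1"; uri="$2"; binddn="$3"; pwfile="$4"; base="$5"; cacert="$6"
    mkdir -p "$root/etc/ipa" && chmod 755 "$root/etc/ipa" || return 1
    cp "$cacert" "$root/etc/ipa/ca.crt" && chmod 644 "$root/etc/ipa/ca.crt" || return 1
    ( umask 077; render_ldap_conf "$uri" "$binddn" "$pwfile" "$base" > "$root/etc/ldap.conf" ) || return 1
    chmod 600 "$root/etc/ldap.conf"
    add_netsvc_sudoers "$root/etc/netsvc.conf"
}

# Verify the staged tree has the modes and lines the thread calls for.
check_stage() {
    root="$1"
    [ "$(mode_of "$root/etc/ipa")" = "drwxr-xr-x" ] || return 1
    [ "$(mode_of "$root/etc/ipa/ca.crt")" = "-rw-r--r--" ] || return 1
    [ "$(mode_of "$root/etc/ldap.conf")" = "-rw-------" ] || return 1
    grep -q '^sudoers = files, ldap$' "$root/etc/netsvc.conf" || return 1
    grep -q '^sudoers_base ' "$root/etc/ldap.conf"
}

# Demo run with constructed placeholders: a throwaway bind password and a
# dummy CA file stand in for the real IPA values.
demo() {
    root=$(mktemp -d) || return 1
    printf 'replace-me\n' > "$root/bindpw"
    printf 'PLACEHOLDER CA CERT\n' > "$root/ca.crt"
    stage_sudo_ldap "$root/stage" ldap://ipa.example.test \
        'uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test' \
        "$root/bindpw" 'ou=sudoers,dc=example,dc=test' "$root/ca.crt" || return 1
    check_stage "$root/stage" && echo "staged OK under $root/stage"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh stage-sudo-ldap.sh demo" to stage into a temporary directory and print the result; to use it for real, point stage_sudo_ldap at / (or copy the staged etc/ tree over), then log in as a domain user and run "sudo -l" as in step (7).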