I'm working with a customer that has implemented the sudoers schema on their ldap server and I'd like to know if there are any components that must be placed in sssd.conf to get this to work.
The man sudoers.ldap only mentions ldap.conf and not sssd.conf. So to enable sudoers on ldap, do we need both sssd.conf and /etc/ldap.conf ?
If this can all go in sssd.conf, which directives are necessary and what is the correct syntax ?
Thanks Al Licause
On (19/07/13 18:25), Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> I'm working with a customer that has implemented the sudoers schema on their ldap server and I'd like to know if there are any components that must be placed in sssd.conf to get this to work.
> The man sudoers.ldap only mentions ldap.conf and not sssd.conf. So to enable sudoers on ldap, do we need both sssd.conf and /etc/ldap.conf ?
> If this can all go in sssd.conf, which directives are necessary and what is the correct syntax ?
> Thanks Al Licause
I can recommend that you read the presentation from the "FreeIPA Training Series": http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
It explains very well how to configure sudo to work with SSSD. I would not explain it better.
Regards, Lukas
Thanks very much....I'll have a look at that paper.
Al
> -----Original Message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
> Sent: Friday, July 19, 2013 11:54 AM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] sssd and ldap based sudoers
That said, the sudoers.ldap file needs to be updated to refer to sssd rather than ldap (which is now hopelessly obsoleted). O.
Thanks again for the assist....but is there any documentation other than the FreeIPA to show how to use sssd with sudoers ?
From the implications on both responses, it would appear that sssd as of the implementation we are running:
sssd-1.9.2-82.el6.x86_64
sssd-client-1.9.2-82.el6.x86_64
is not yet really supported, correct ?
And it would appear the only way to get this to work would be by means of this FreeIPA offering at this time ?
The sudoers.ldap was mentioned briefly. Is this to be placed in /etc and is there any documentation showing the possible contents of that file ?
Thanks, Al
> -----Original Message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
> Sent: Friday, July 19, 2013 12:18 PM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] sssd and ldap based sudoers
Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks again for the assist....but is there any documentation other than the FreeIPA to show how to use sssd with sudoers ?
> From the implications on both responses, it would appear that sssd as of the implementation we are running:
> sssd-1.9.2-82.el6.x86_64
> sssd-client-1.9.2-82.el6.x86_64
> is not yet really supported, correct ?
Furthermore you also have to use a recent sudo release.
Ciao, Michael.
Thanks Michael,
I now have this working on a RHEL v6.4 client. The man sssd-sudo was very helpful and I am using the sudo version that is distributed with RHEL V6.4.
I'll continue to test this on older versions of RH clients as well.
Al
> -----Original Message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Michael Ströder
> Sent: Saturday, July 20, 2013 1:54 AM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] sssd and ldap based sudoers
Having asked that....I just found the man page sudoers.ldap
I'll read on before asking more stupid questions.
Al
On 07/19/2013 11:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Having asked that....I just found the man page sudoers.ldap
> I'll read on before asking more stupid questions.
> Al
Hi, the information on configuring sudo to work with sssd can be found in sssd-sudo manual page. To summarize it you need to:
1. put "sudoers: files sss" in /etc/nsswitch.conf
2. edit sssd.conf
   - [sssd]/services contains "sudo"
   - [domain/yourdomain]/sudo_provider = ldap
   - more configuration depends whether you use pure ldap or ipa/ad, see man sssd-sudo
You do not have to configure ldap.conf.
Thanks very much for this information.
I now appear to have this working on a v6.4 RHEL client.
I was missing a few pieces in sssd.conf such as the sudo_provider, the ldap_sudo_search_base and the sudo service in the services line.
I did notice something odd though.....even after adding the above information and restarting sssd, I could not sudo for an ldap user......at least not until I added "files" to the sudo line in /etc/nsswitch. I previously had only ldap as per other documentation I had read from the Internet. It would appear that both the files and ldap are required to get this to work in the nsswitch.conf file. Can anyone confirm that both files and ldap are a requirement for the sudo line in nsswitch.conf ?
Al
> -----Original Message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Pavel Brezina
> Sent: Monday, July 22, 2013 12:59 AM
> To: sssd-users@lists.fedorahosted.org
> Subject: Re: [SSSD-users] sssd and ldap based sudoers
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
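The client-side settings summarised in Pavel Brezina's reply, together with the pieces the original poster reports having missed, written as a check that can be run against copies of /etc/nsswitch.conf and sssd.conf. This is an added example, not code from the thread or from the SSSD project; the helper names `check_sssd_sudo` and `write_samples`, the EXAMPLE domain, ldap.example.com and the search base are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Line-based check of the settings the
# replies name; it does not track which INI section a key sits in.
# check_sssd_sudo NSSWITCH SSSD_CONF (hypothetical helper)
# Prints one line per missing piece; returns 0 only when nothing is missing.
check_sssd_sudo() {
    nss=$1; conf=$2; rc=0
    # nsswitch.conf: the sudoers line must list the "sss" source
    sed -n 's/^[[:space:]]*sudoers://p' "$nss" | tr ' \t' '\n\n' | grep -qx sss ||
        { echo "nsswitch.conf: sudoers line lacks 'sss'"; rc=1; }
    # sssd.conf: the services list must include the sudo responder
    sed -n 's/^[[:space:]]*services[[:space:]]*=//p' "$conf" | tr ', \t' '\n\n\n' |
        grep -qx sudo || { echo "sssd.conf: 'sudo' missing from services"; rc=1; }
    # sssd.conf: the domain fetches sudo rules through the ldap provider
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=[[:space:]]*ldap[[:space:]]*$' "$conf" ||
        { echo "sssd.conf: sudo_provider = ldap not set"; rc=1; }
    # sssd.conf: subtree holding the sudo rule entries
    grep -Eq '^[[:space:]]*ldap_sudo_search_base[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf" ||
        { echo "sssd.conf: ldap_sudo_search_base not set"; rc=1; }
    return $rc
}

# write_samples DIR (hypothetical helper): constructed files. "before" is the
# state the poster describes, "after" follows the sssd-sudo summary.
write_samples() {
    printf 'sudoers: ldap\n' > "$1/nsswitch.before"
    printf 'sudoers: files sss\n' > "$1/nsswitch.after"
    cat > "$1/sssd.before" <<'EOF'
[sssd]
services = nss, pam
domains = EXAMPLE
[domain/EXAMPLE]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
EOF
    cat > "$1/sssd.after" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = EXAMPLE
[domain/EXAMPLE]
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
EOF
}
demo=$(mktemp -d) && write_samples "$demo"
check_sssd_sudo "$demo/nsswitch.before" "$demo/sssd.before" || echo "before: incomplete"
check_sssd_sudo "$demo/nsswitch.after" "$demo/sssd.after" && echo "after: complete"
```

On a real client, pass the live paths: `check_sssd_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf` (reading sssd.conf normally requires root).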