Product SiteDocumentation Site

13.4. An Example of Configuring sudo

Implementing sudo requires setting up the command configuration on the IPA server and then configuring the local sudo client to look for the appropriate configuration.

13.4.1. Server Configuration for sudo Rules

  1. Optional. Set up a host group, as described in Section 6.9, “Managing Host Groups”.
  2. Optional. Create a user group and add the users, as described in Section 5.5.1, “Creating User Groups”.
  3. Set up a bind user by setting a password for the default IPA sudo bind user.
    1. A password operation must occur over a secure connection. To use TLS/SSL, first export the location of the certificate to use to establish the secure connection: 
      $ export LDAPTLS_CACERT=/etc/ipa/ca.crt
    2. Using the LDAP tools, set the password for the sudo user, uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com: 
      $ ldappasswd -x -S -W -h ipaserver.ipadocs.org -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
    New password: 
    Re-enter new password: 
    Enter LDAP Password:
  4. Set up the sudo commands and command groups, as described in Section 13.2, “Setting up sudo Commands and Command Groups”.
  5. Set up the sudo rules, as described in Section 13.3, “Defining sudo Rules”.

13.4.2. Client Configuration for sudo Rules

This example specifically configures a Red Hat Enterprise Linux 6 client for sudo rules. The configuration file in step 4 is different, depending on the platform.
  1. Configure sudo to look to LDAP for the sudoers file. 
    vim /etc/nsswitch.conf

sudoers:  files ldap
    Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IPA configuration.
  2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created. 
    vim /etc/ldap.conf++sudoers_debug: 1

    TIP

    Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.
  3. Configure SSSD to look for NIS netgroups.
    1. Add the following line immediately after the ipa_server entry in the /etc/sssd/sssd.conf file: 
      ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
    2. Restart the SSSD daemon: 
      # service sssd restart
  4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/nslcd.conf file: 
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw sudo_password

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://ipaserver.example.com ldap://backup.example.com:3890
sudoers_base ou=SUDOers,dc=example,dc=com
    Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudo manpages, http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html.

    IMPORTANT

    The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.

    NOTE

    The /etc/nslcd.conf file is created by the nss-pam-ldapd package. However, if nss-pam-ldapd is not installed, then the /etc/nslcd.conf file can be created manually and the sudo configuration works fine.
  5. Set a name for the NIS domain in the sudo configuration. sudo uses NIS netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IPA sudo configuration: 
    # nisdomainname example.com

    IMPORTANT

    Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.