Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 4. Configuring Red Hat Enterprise Linux 5 Servers for IPA Domain Services

4.1. Client Configuration for sudo Rules
Link kopieren

This example specifically configures a Red Hat Enterprise Linux 5 client for sudo rules. The configuration file in step 4 is different, depending on the platform.
  1. Configure sudo to look to LDAP for the sudoers file. 
    vim /etc/nsswitch.conf

sudoers:  files ldap
    Copy to Clipboard Toggle word wrap
    Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IPA configuration.
  2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created. 
    vim /etc/ldap.conf

sudoers_debug: 1
    Copy to Clipboard Toggle word wrap

    Note

    Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0,http://jboss-on-docs.etherpad.corp.redhat.com/10 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.
  3. Optionally, enable debugging in SSSD to show what LDAP settings it is using. 
    vim /etc/sssd/sssd.conf

[domain/IPADOMAIN]
debug_level = 6
....
    Copy to Clipboard Toggle word wrap
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log log.
  4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/nss_ldap.conf file: 
    sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw sudo_password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipaserver.example.com ldap://backup.example.com:3890
    Copy to Clipboard Toggle word wrap
    Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudo manpages, http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html.

    Important

    The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.
  5. Create a symlink between the nss_ldap module configuration file and the system LDAP configuration file: 
    # ln -s /etc/nss_ldap.conf /etc/ldap.conf
    Copy to Clipboard Toggle word wrap
  6. Set a name for the NIS domain in the sudo configuration. sudo uses NIS netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IPA sudo configuration.
    1. Open the /etc/rc.d/rc.local file. Setting the NIS domain name in this file allows the value to persist between reboots. 
      # vim /etc/rc.d/rc.local
      Copy to Clipboard Toggle word wrap
    2. Add the command to set the NIS domain name. 
      nisdomainname example.com
      Copy to Clipboard Toggle word wrap

    Important

    Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat