21.4. Configuring Hosts to Use IdM sudo Policies
Actually implementing sudo policies is more complicated than simply creating the rules in IdM. Those rules need to be applied to every local machine, which means that each system in the IdM domain has to be configured to refer to IdM for its policies.
You can apply sudo policies to hosts using SSSD or LDAP. Red Hat strongly recommends using the SSSD-based configuration.
21.4.1. Applying the sudo Policies to Hosts Using SSSD
- Set up the host and sudo entries in IdM.
  - Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
  - Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
  - Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
  - Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
- Configure every system in the IdM domain to use SSSD for sudo rules.
  Note
  Only perform this step on systems based on Red Hat Enterprise Linux 6.5 and earlier. In Red Hat Enterprise Linux 6.6 and later, the ipa-client-install utility configures SSSD as the data provider for sudo automatically.
  - Configure sudo to look to SSSD for the sudoers file.
      vim /etc/nsswitch.conf
      sudoers: files sss
    Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
  - Add sudo to the list of services managed by the local SSSD client.
      [root@server ~]# vim /etc/sssd/sssd.conf
      [sssd]
      config_file_version = 2
      services = nss, pam, sudo
      domains = IPADOMAIN
- Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
  - Set the NIS domain name to use with the sudo rules.
      [root@server ~]# nisdomainname example.com
  - Configure the system authentication settings to persist the NIS domain name. For example:
      [root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
    This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
  Note
  Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
- Optionally, enable debugging in SSSD to show what LDAP settings it is using.
      [domain/IPADOMAIN]
      debug_level = 6
      ....
  The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.
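As an added example, not from the Red Hat guide, the following shell script checks the three client-side settings from the SSSD procedure above (the sss provider in nsswitch.conf, sudo in the [sssd] services list, and a persisted NISDOMAIN) against copies of the files; the file paths are passed in as arguments rather than read from the live system, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: check that a client is set up to
# fetch sudo rules from SSSD as the steps above describe. File paths are passed
# as arguments; the sample files written by write_samples are constructed.

# Return 0 if the sudoers database in nsswitch.conf lists the sss provider.
nsswitch_has_sss() {
    grep -E '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)' "$1" >/dev/null
}

# Return 0 if "services" in the [sssd] section (not a domain section) lists sudo.
sssd_has_sudo_service() {
    awk '/^\[/ { in_sssd = ($0 ~ /^\[sssd\][[:space:]]*$/) }
         in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
             sub(/^[^=]*=/, ""); gsub(/[[:space:],]+/, " ")
             n = split($0, svc, " ")
             for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if NISDOMAIN is persisted in /etc/sysconfig/network.
nisdomain_persisted() {
    grep -E '^NISDOMAIN=[A-Za-z0-9.-]+$' "$1" >/dev/null
}

# Run all checks; report each missing setting and return 1 if any is missing.
check_sssd_sudo_client() {   # $1 nsswitch.conf  $2 sssd.conf  $3 sysconfig/network
    rc=0
    nsswitch_has_sss "$1"      || { echo "nsswitch.conf: sudoers line lacks sss"; rc=1; }
    sssd_has_sudo_service "$2" || { echo "sssd.conf: sudo not in [sssd] services"; rc=1; }
    nisdomain_persisted "$3"   || { echo "sysconfig/network: NISDOMAIN not set"; rc=1; }
    return $rc
}

# Constructed samples: a correctly configured client and one with each setting
# missing (sssd.bad lists sudo only under the domain section, which does not count).
write_samples() {
    printf 'passwd: files sss\nsudoers: files sss\n' > "$1/nsswitch.good"
    printf 'sudoers: files\n' > "$1/nsswitch.bad"
    printf '[sssd]\nconfig_file_version = 2\nservices = nss, pam, sudo\ndomains = IPADOMAIN\n' > "$1/sssd.good"
    printf '[sssd]\nservices = nss, pam\n[domain/IPADOMAIN]\nservices = sudo\n' > "$1/sssd.bad"
    printf 'NETWORKING=yes\nNISDOMAIN=example.com\n' > "$1/network.good"
    printf 'NETWORKING=yes\n' > "$1/network.bad"
}

dir=$(mktemp -d)
write_samples "$dir"
check_sssd_sudo_client "$dir/nsswitch.good" "$dir/sssd.good" "$dir/network.good" && echo "client OK"
check_sssd_sudo_client "$dir/nsswitch.bad" "$dir/sssd.bad" "$dir/network.bad" || echo "client misconfigured"
rm -rf "$dir"
```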
21.4.2. Applying the sudo Policies to Hosts Using LDAP
Important
Only use the LDAP-based configuration for clients running Red Hat Enterprise Linux 6.3 and earlier or clients that do not use SSSD. Red Hat recommends configuring all other clients using the SSSD-based configuration, as described in Section 21.4.1, “Applying the sudo Policies to Hosts Using SSSD”.
- Set up the host and sudo entries in IdM.
  - Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
  - Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
  - Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
  - Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
- Set up a bind (authenticated) user by setting a password for the default IdM sudo user. The user must be able to authenticate to the server; anonymous access is not supported for sudo policies.
  Using LDAP tools, set the password for the sudo user, uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. For example:
      [jsmith@server ~]$ ldappasswd -Y GSSAPI -S -h ipaserver.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
      New password:
      Re-enter new password:
      Enter LDAP Password:
- Configure every system in the IdM domain to use LDAP for sudo rules.
  - Configure sudo to look to LDAP for the sudoers file.
      vim /etc/nsswitch.conf
      sudoers: files ldap
    Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IdM configuration.
  - Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created.
      vim /etc/ldap.conf
      sudoers_debug: 1
    Note
    Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.
  - Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/sudo-ldap.conf file:
      binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
      bindpw sudo_password
      ssl start_tls
      tls_cacertfile /etc/ipa/ca.crt
      tls_checkpeer yes
      bind_timelimit 5
      timelimit 15
      uri ldap://ipaserver.example.com ldap://backup.example.com:3890
      sudoers_base ou=SUDOers,dc=example,dc=com
    Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudoers.ldap(8) man page.
    Important
    The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.
  - Optional. Enable debugging in SSSD to show what LDAP settings it is using.
      [root@server ~]# vim /etc/sssd/sssd.conf
      [domain/LDAPDOMAIN]
      debug_level = 6
      ....
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.
- Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
  - Set the NIS domain name to use with the sudo rules.
      [root@server ~]# nisdomainname example.com
  - Configure the system authentication settings to persist the NIS domain name. For example:
      [root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
    This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
  Note
  Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
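An added example, not part of the Red Hat guide: a shell check for a client's /etc/sudo-ldap.conf that catches the failure the Important box above describes (an IP address in the uri directive) and confirms the start_tls, tls_checkpeer and sudoers_base settings from the LDAP procedure; the path is passed in as an argument and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: sanity-check a client's /etc/sudo-ldap.conf
# against the settings used above. The path is an argument; the sample is constructed.
# Print each host from the space-separated "uri" list, without scheme or port.
ldap_uri_hosts() {
    awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }' "$1" |
        sed -E 's#^ldaps?://##; s#/.*$##; s#:[0-9]+$##'
}
# Return 0 only if every uri host is a fully qualified name: sudo fails to
# connect when the uri directive carries an IP address instead of an FQDN.
uri_hosts_are_fqdn() {
    hosts=$(ldap_uri_hosts "$1")
    [ -n "$hosts" ] || return 1
    echo "$hosts" | grep -Eiv '^[a-z0-9-]+(\.[a-z0-9-]+)+$' >/dev/null && return 1
    echo "$hosts" | grep -E '^[0-9.]+$' >/dev/null && return 1
    return 0
}
# Return 0 if directive $2 in file $1 has exactly the value $3.
directive_is() {
    awk -v k="$2" -v v="$3" '$1 == k { found = ($2 == v) } END { exit (found ? 0 : 1) }' "$1"
}
# Check the server and TLS settings; report each problem and return 1 if any.
check_sudo_ldap_conf() {
    rc=0
    uri_hosts_are_fqdn "$1"             || { echo "uri: use FQDNs, not IP addresses"; rc=1; }
    directive_is "$1" ssl start_tls     || { echo "ssl: expected start_tls"; rc=1; }
    directive_is "$1" tls_checkpeer yes || { echo "tls_checkpeer: expected yes"; rc=1; }
    grep -E '^sudoers_base[[:space:]]+ou=' "$1" >/dev/null || { echo "sudoers_base: missing"; rc=1; }
    return $rc
}
# Constructed sample matching the guide's settings, plus a broken variant that
# points at an IP address and disables peer verification.
write_samples() {
    cat > "$1/good" <<'EOF'
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw sudo_password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipaserver.example.com ldap://backup.example.com:3890
sudoers_base ou=SUDOers,dc=example,dc=com
EOF
    sed 's#ldap://ipaserver.example.com#ldap://192.0.2.10#; s/tls_checkpeer yes/tls_checkpeer no/' "$1/good" > "$1/bad"
}
dir=$(mktemp -d); write_samples "$dir"
check_sudo_ldap_conf "$dir/good" && echo "sudo-ldap.conf OK"
check_sudo_ldap_conf "$dir/bad" || echo "sudo-ldap.conf needs fixing"
rm -rf "$dir"
```

Because bindpw is stored in clear text in this file, keep /etc/sudo-ldap.conf readable by root only.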