Chapter 30. Using sudo
Identity Management provides a mechanism for predictably and consistently applying sudo policies across the IdM domain. Every system in the IdM domain can be configured as a sudo client.
30.1. The sudo Utility in Identity Management
The sudo utility gives administrative access to specified users. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user. For more information about sudo, see the System Administrator's Guide.
30.1.1. The Identity Management LDAP Schema for sudo
IdM has a specialized LDAP schema for sudo entries. The schema supports:
- Host groups as well as netgroups. Note that sudo itself only supports netgroups.
- sudo command groups, which contain multiple commands.
Note
Because sudo does not support host groups or command groups, IdM translates the IdM sudo configuration into the native sudo configuration when the sudo rules are created. For example, IdM creates a corresponding shadow netgroup for every host group, which allows the IdM administrator to create sudo rules that reference host groups, while the local sudo command uses the corresponding netgroup.
By default, the sudo information is not available anonymously over LDAP. Therefore, IdM defines a default sudo user at uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX. You can change this user in the LDAP sudo configuration file at /etc/sudo-ldap.conf.
30.1.2. NIS Domain Name Requirements
The NIS domain name must be set for netgroups and sudo to work properly. The sudo configuration requires NIS-formatted netgroups and a NIS domain name for netgroups. However, IdM does not require the NIS domain to actually exist. It is also not required to have a NIS server installed.
Note
The ipa-client-install utility sets a NIS domain name automatically to the IdM domain name by default.
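The following is an added example, not code from the IdM guide or from IdM itself. It models the translation described in 30.1.1 (a rule referencing a host group and a command group flattened into the sudoUser/sudoHost/sudoCommand attributes native sudo understands, with the host group mapped to a shadow netgroup reference) and the netgroup triple matching behind the NIS domain requirement in 30.1.2. The rule structure, the host group names, the assumption that the shadow netgroup carries the host group's name, and the simplified innetgr logic are illustrative assumptions.

```python
# Added example (not IdM's own code): flatten an IdM-style sudo rule into native
# sudo LDAP attributes and show why netgroup matching needs a NIS domain name.

# Constructed IdM objects for illustration.
HOSTGROUPS = {"webservers": ["web1.example.com", "web2.example.com"]}
CMDGROUPS = {"service-mgmt": ["/usr/bin/systemctl restart httpd",
                              "/usr/bin/systemctl status httpd"]}
RULE = {"users": ["alice"], "hostgroups": ["webservers"], "cmdgroups": ["service-mgmt"]}
NIS_DOMAIN = "example.com"  # assumption: ipa-client-install set it to the IdM domain


def shadow_netgroup(hostgroup):
    """Model the shadow netgroup IdM derives from a host group as a set of
    (host, user, domain) triples; the domain field is assumed to be the NIS domain."""
    return {(host, "", NIS_DOMAIN) for host in HOSTGROUPS[hostgroup]}


def flatten_rule(rule):
    """Expand a rule into native attributes: one sudoCommand per command in each
    command group, and a '+netgroup' sudoHost reference for each host group, since
    native sudo cannot name host groups directly (netgroup name is assumed to
    equal the host group name)."""
    return {
        "sudoUser": list(rule["users"]),
        "sudoHost": ["+" + hg for hg in rule["hostgroups"]],
        "sudoCommand": [cmd for cg in rule["cmdgroups"] for cmd in CMDGROUPS[cg]],
    }


def innetgr(netgroup, host, client_nis_domain):
    """Simplified netgroup matching: a triple matches when its host field is empty
    or equals the client host, and its domain field is empty or equals the client's
    NIS domain name. A client with no NIS domain set never matches a
    domain-qualified triple, which is the failure mode 30.1.2 guards against."""
    return any((h == "" or h == host) and (d == "" or d == client_nis_domain)
               for h, _user, d in netgroup)


def host_matches_rule(flat, host, client_nis_domain):
    """Evaluate the flattened rule's sudoHost attribute for a given client host."""
    for entry in flat["sudoHost"]:
        if entry.startswith("+"):
            if innetgr(shadow_netgroup(entry[1:]), host, client_nis_domain):
                return True
        elif entry == host:
            return True
    return False
```

Running host_matches_rule with an empty client NIS domain reproduces the symptom the NIS domain requirement exists to prevent: the host is in the netgroup, yet the rule never applies.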