Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

30.3. Configuring the Location for Looking up sudo Policies

The centralized IdM database for sudo configuration makes the sudo policies defined in IdM globally available to all domain hosts. On Red Hat Enterprise Linux 7.1 systems and later, the ipa-server-install and ipa-client-install utilities automatically configure the system to use the IdM-defined policies by setting SSSD as the data provider for sudo.
The location for looking up the sudo policies is defined on the sudoers line of the /etc/nsswitch.conf file. On IdM systems running Red Hat Enterprise Linux 7.1 and later, the default sudoers configuration in nsswitch.conf is: 
sudoers: files sss
Copy to Clipboard Toggle word wrap
The files option specifies that the system uses the sudo configuration defined in the /etc/sudoers local SSSD configuration file. The sss option specifies that the sudo configuration defined in IdM is used.
To implement the IdM-defined sudo policies on IdM systems running Red Hat Enterprise Linux versions earlier than 7.1, configure the local machines manually. You can do this using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration.
Follow these steps on each system that is required to use SSSD for sudo rules:
  1. Configure sudo to look to SSSD for the sudoers file. 
    # vim /etc/nsswitch.conf

sudoers:  files sss
    Copy to Clipboard Toggle word wrap
    Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
  2. Add sudo to the list of services managed by the local SSSD client. 
    # vim /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = IPADOMAIN
    Copy to Clipboard Toggle word wrap
  3. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
    1. Enable the rhel-domainname service if it is not already enabled to ensure that the NIS domain name will be persistent across reboots. 
      # systemctl enable rhel-domainname.service
      Copy to Clipboard Toggle word wrap
    2. Set the NIS domain name to use with the sudo rules. 
      # nisdomainname example.com
      Copy to Clipboard Toggle word wrap
    3. Configure the system authentication settings to persist the NIS domain name. For example: 
      # echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
      Copy to Clipboard Toggle word wrap
      This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
    4. Restart the rhel-domainname service: 
      # systemctl restart rhel-domainname.service
      Copy to Clipboard Toggle word wrap
  4. Optionally, enable debugging in SSSD to show what LDAP settings it is using. 
    [domain/IPADOMAIN]
debug_level = 6
....
    Copy to Clipboard Toggle word wrap
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log log.
Important
Only use the LDAP-based configuration for clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section 30.3.1.1, “Applying the sudo Policies to Hosts Using SSSD”.
For information on applying sudo policies using LDAP, see the Applying the sudo Policies to Hosts Using LDAP in the Red Hat Enterprise Linux 6 Identity Management Guide.
The LDAP-based configuration is expected to be used primarily for clients based on Red Hat Enterprise Linux versions earlier than Red Hat Enterprise Linux 7. It is therefore only described in the documentation for Red Hat Enterprise Linux 6.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat