30.3. Configuring the Location for Looking up sudo Policies

download PDF
The centralized IdM database for sudo configuration makes the sudo policies defined in IdM globally available to all domain hosts. On Red Hat Enterprise Linux 7.1 systems and later, the ipa-server-install and ipa-client-install utilities automatically configure the system to use the IdM-defined policies by setting SSSD as the data provider for sudo.
The location for looking up the sudo policies is defined on the sudoers line of the /etc/nsswitch.conf file. On IdM systems running Red Hat Enterprise Linux 7.1 and later, the default sudoers configuration in nsswitch.conf is:
sudoers: files sss
The files option specifies that the system uses the sudo configuration defined in the /etc/sudoers local SSSD configuration file. The sss option specifies that the sudo configuration defined in IdM is used.

30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM

To implement the IdM-defined sudo policies on IdM systems running Red Hat Enterprise Linux versions earlier than 7.1, configure the local machines manually. You can do this using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration. Applying the sudo Policies to Hosts Using SSSD

Follow these steps on each system that is required to use SSSD for sudo rules:
  1. Configure sudo to look to SSSD for the sudoers file.
    # vim /etc/nsswitch.conf
    sudoers:  files sss
    Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
  2. Add sudo to the list of services managed by the local SSSD client.
    # vim /etc/sssd/sssd.conf
    config_file_version = 2
    services = nss, pam, sudo
    domains = IPADOMAIN
  3. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
    1. Enable the rhel-domainname service if it is not already enabled to ensure that the NIS domain name will be persistent across reboots.
      # systemctl enable rhel-domainname.service
    2. Set the NIS domain name to use with the sudo rules.
      # nisdomainname
    3. Configure the system authentication settings to persist the NIS domain name. For example:
      # echo "" >> /etc/sysconfig/network
      This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
    4. Restart the rhel-domainname service:
      # systemctl restart rhel-domainname.service
  4. Optionally, enable debugging in SSSD to show what LDAP settings it is using.
    debug_level = 6
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log log. Applying the sudo Policies to Hosts Using LDAP

Only use the LDAP-based configuration for clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section, “Applying the sudo Policies to Hosts Using SSSD”.
For information on applying sudo policies using LDAP, see the Applying the sudo Policies to Hosts Using LDAP in the Red Hat Enterprise Linux 6 Identity Management Guide.
The LDAP-based configuration is expected to be used primarily for clients based on Red Hat Enterprise Linux versions earlier than Red Hat Enterprise Linux 7. It is therefore only described in the documentation for Red Hat Enterprise Linux 6.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.