Chapter 4. Configuring Red Hat Enterprise Linux 5 Servers for IPA Domain Services
4.1. Client Configuration for sudo Rules
This example specifically configures a Red Hat Enterprise Linux 5 client for sudo rules. The configuration file in step 4 is different, depending on the platform.
1. Configure sudo to look to LDAP for the sudoers file.

       vim /etc/nsswitch.conf

       sudoers: files ldap

   Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IPA configuration.

2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created.

       vim /etc/ldap.conf

       sudoers_debug: 1

   Note
   Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.

3. Optionally, enable debugging in SSSD to show what LDAP settings it is using.

       vim /etc/sssd/sssd.conf

       [domain/IPADOMAIN]
       debug_level = 6
       ....

   The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log log.

4. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/nss_ldap.conf file:

       sudoers_base ou=SUDOers,dc=example,dc=com
       binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
       bindpw sudo_password
       ssl start_tls
       tls_cacertfile /etc/ipa/ca.crt
       tls_checkpeer yes
       bind_timelimit 5
       timelimit 15
       uri ldap://ipaserver.example.com ldap://backup.example.com:3890

   Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudo manpages, http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html.

   Important
   The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.

5. Create a symlink between the nss_ldap module configuration file and the system LDAP configuration file:

       # ln -s /etc/nss_ldap.conf /etc/ldap.conf

6. Set a name for the NIS domain in the sudo configuration. sudo uses NIS netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IPA sudo configuration.

   a. Open the /etc/rc.d/rc.local file. Setting the NIS domain name in this file allows the value to persist between reboots.

          # vim /etc/rc.d/rc.local

   b. Add the command to set the NIS domain name.

          nisdomainname example.com

   Important
   Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
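The following script is an added example, not part of the Red Hat documentation, that checks a client's files against the settings from steps 1 and 4 before the client is put into service: it confirms that nsswitch.conf sends sudoers lookups to LDAP, that the TLS options (start_tls, the IPA CA file, tls_checkpeer yes) are present so the LDAP server is verified, and that every host in the uri list is a name rather than an IP literal, which is the condition in the Important note. The function names, the temporary-file handling and the sample configuration it writes (which reuses the page's example values) are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): validate the sudo
# LDAP client settings described in the procedure. Function names and
# the sample configuration are constructed for this demonstration.

# Return 0 if the given nsswitch.conf routes sudoers lookups to ldap.
check_nsswitch_sudoers() {
    grep -Eq '^sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# Return 0 if the given nss_ldap.conf-style file has the options the
# procedure calls for and every uri host is an FQDN, not an IP address.
# Each finding is printed to stderr.
check_sudo_ldap_conf() {
    conf="$1"
    rc=0

    # Options that step 4 sets; report any that are missing.
    for key in sudoers_base ssl tls_cacertfile tls_checkpeer uri; do
        if ! grep -q "^${key}[[:space:]]" "$conf"; then
            echo "missing: $key" >&2
            rc=1
        fi
    done

    # Without tls_checkpeer yes the server certificate is not verified.
    if ! grep -Eq '^tls_checkpeer[[:space:]]+yes([[:space:]]|$)' "$conf"; then
        echo "tls_checkpeer is not set to yes" >&2
        rc=1
    fi

    # uri is a space-separated list of LDAP URLs; inspect each host part.
    for url in $(grep '^uri[[:space:]]' "$conf" | sed 's/^uri[[:space:]]*//'); do
        host=${url#*://}     # drop the scheme
        host=${host%%/*}     # drop any path
        host=${host%%:*}     # drop the port (also cuts IPv6 literals at "[")
        case "$host" in
            \[*)           # bracketed IPv6 literal
                echo "uri uses an IP address instead of an FQDN: $url" >&2
                rc=1 ;;
            *[!0-9.]*) ;;  # contains letters or hyphens: a host name, accepted
            *)             # digits and dots only: an IPv4 literal
                echo "uri uses an IP address instead of an FQDN: $url" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed sample that mirrors the page's step 4 values to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw sudo_password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipaserver.example.com ldap://backup.example.com:3890
EOF
}

# Usage: sudo-ldap-check.sh /etc/nsswitch.conf /etc/nss_ldap.conf
if [ "$#" -eq 2 ]; then
    check_nsswitch_sudoers "$1" || echo "nsswitch.conf: sudoers does not use ldap" >&2
    check_sudo_ldap_conf "$2" && echo "sudo LDAP settings look consistent"
fi
```

Run it with the two paths from the procedure after step 5; the uri check reports each offending URL separately, so a list that mixes a name and an address is still flagged.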