30.3. Configuring the Location for Looking up sudo Policies
The centralized IdM database for
sudo configuration makes the sudo policies defined in IdM globally available to all domain hosts. On Red Hat Enterprise Linux 7.1 systems and later, the ipa-server-install and ipa-client-install utilities automatically configure the system to use the IdM-defined policies by setting SSSD as the data provider for sudo.
The location for looking up the
sudo policies is defined on the sudoers line of the /etc/nsswitch.conf file. On IdM systems running Red Hat Enterprise Linux 7.1 and later, the default sudoers configuration in nsswitch.conf is:
sudoers: files sss
The
files option specifies that the system uses the sudo configuration defined in the /etc/sudoers local SSSD configuration file. The sss option specifies that the sudo configuration defined in IdM is used.
30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
To implement the IdM-defined
sudo policies on IdM systems running Red Hat Enterprise Linux versions earlier than 7.1, configure the local machines manually. You can do this using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration.
30.3.1.1. Applying the sudo Policies to Hosts Using SSSD
Follow these steps on each system that is required to use SSSD for
sudo rules:
- Configure
sudoto look to SSSD for thesudoersfile.# vim /etc/nsswitch.conf sudoers: files sss
Leaving thefilesoption in place allowssudoto check its local configuration before checking SSSD for the IdM configuration. - Add
sudoto the list of services managed by the local SSSD client.# vim /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam,
sudodomains = IPADOMAIN - Set a name for the NIS domain in the
sudoconfiguration.sudouses NIS-style netgroups, so the NIS domain name must be set in the system configuration forsudoto be able to find the host groups used in the IdMsudoconfiguration.- Enable the
rhel-domainnameservice if it is not already enabled to ensure that the NIS domain name will be persistent across reboots.# systemctl enable rhel-domainname.service
- Set the NIS domain name to use with the
sudorules.# nisdomainname example.com
- Configure the system authentication settings to persist the NIS domain name. For example:
# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
This updates the/etc/sysconfig/networkand/etc/yp.conffiles with the NIS domain. - Restart the
rhel-domainnameservice:# systemctl restart rhel-domainname.service
- Optionally, enable debugging in SSSD to show what LDAP settings it is using.
[domain/IPADOMAIN] debug_level = 6 ....
The LDAP search base used by SSSD for operations is recorded in thesssd_DOMAINNAME.loglog.
30.3.1.2. Applying the sudo Policies to Hosts Using LDAP
Important
Only use the LDAP-based configuration for clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section 30.3.1.1, “Applying the
sudo Policies to Hosts Using SSSD”.
For information on applying
sudo policies using LDAP, see the Applying the sudo Policies to Hosts Using LDAP in the Red Hat Enterprise Linux 6 Identity Management Guide.
The LDAP-based configuration is expected to be used primarily for clients based on Red Hat Enterprise Linux versions earlier than Red Hat Enterprise Linux 7. It is therefore only described in the documentation for Red Hat Enterprise Linux 6.
