Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

21.4. Configuring Hosts to Use IdM sudo Policies

Actually implementing sudo policies is more complicated than simply creating the rules in IdM. Those rules need to be applied to every local machine, which means that each system in the IdM domain has to be configured to refer to IdM for its policies.
You can apply sudo policies to hosts using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration.

21.4.1. Applying the sudo Policies to Hosts Using SSSD
Copia collegamento

  1. Set up the host and sudo entries in IdM.
    1. Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
    2. Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
    3. Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
    4. Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
  2. Configure every system in the IdM domain to use SSSD for sudo rules.

    Note

    Only perform this step on systems based on Red Hat Enterprise Linux 6.5 and earlier. In Red Hat Enterprise Linux 6.6 and later, the ipa-client-install utility configures SSSD as the data provider for sudo automatically.
    1. Configure sudo to look to SSSD for the sudoers file. 
      vim /etc/nsswitch.conf

sudoers:  files sss
      Copy to Clipboard Toggle word wrap
      Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
    2. Add sudo to the list of services managed by the local SSSD client. 
      [root@server ~]# vim /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = IPADOMAIN
      Copy to Clipboard Toggle word wrap
    3. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
      1. Set the NIS domain name to use with the sudo rules. 
        [root@server ~]# nisdomainname example.com
        Copy to Clipboard Toggle word wrap
      2. Configure the system authentication settings to persist the NIS domain name. For example: 
        [root@server ~]# echo "NISDOMAIN=example.com.com" >> /etc/sysconfig/network
        Copy to Clipboard Toggle word wrap
        This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.

      Note

      Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
  3. Optionally, enable debugging in SSSD to show what LDAP settings it is using. 
    [domain/IPADOMAIN]
debug_level = 6
....
    Copy to Clipboard Toggle word wrap
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.

21.4.2. Applying the sudo Policies to Hosts Using LDAP
Copia collegamento

Important

Only use the LDAP-based configuration for clients running Red Hat Enterprise Linux 6.3 and earlier or clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section 21.4.1, “Applying the sudo Policies to Hosts Using SSSD”.
  1. Set up the host and sudo entries in IdM.
    1. Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
    2. Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
    3. Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
    4. Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
  2. Set up a bind (authenticated) user by setting a password for the default IdM sudo user. The user must be able to authenticate to the server; anonymous access is not supported for sudo policies.
    Using LDAP tools, set the password for the sudo user, uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. For example: 
    [jsmith@server ~]$ ldappasswd -Y GSSAPI -S -h ipaserver.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
    New password: 
    Re-enter new password: 
    Enter LDAP Password:
    Copy to Clipboard Toggle word wrap
  3. Configure every system in the IdM domain to use SSSD for sudo rules.
    1. Configure sudo to look to LDAP for the sudoers file. 
      vim /etc/nsswitch.conf

sudoers:  files ldap
      Copy to Clipboard Toggle word wrap
      Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IdM configuration.
    2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created. 
      vim /etc/ldap.conf

sudoers_debug: 1
      Copy to Clipboard Toggle word wrap

      Note

      Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.
    3. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/sudo-ldap.conf file: 
      binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw sudo_password

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

bind_timelimit 5
timelimit 15

uri ldap://ipaserver.example.com ldap://backup.example.com:3890
sudoers_base ou=SUDOers,dc=example,dc=com
      Copy to Clipboard Toggle word wrap
      Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudooers.ldap(8) man page.

      Important

      The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.
    4. Optional. Enable debugging in SSSD to show what LDAP settings it is using. 
      [root@server ~]# vim /etc/sssd/sssd.conf

[domain/LDAPDOMAIN]
debug_level = 6
....
      Copy to Clipboard Toggle word wrap
      The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.
    5. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
      1. Set the NIS domain name to use with the sudo rules. 
        [root@server ~]# nisdomainname example.com
        Copy to Clipboard Toggle word wrap
      2. Configure the system authentication settings to persist the NIS domain name. For example: 
        [root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
        Copy to Clipboard Toggle word wrap
        This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.

      Note

      Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat