Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
13.2.8. Configuring Services: sudo
About sudo, LDAP, and SSSD
sudo rules are defined in the sudoers file, which must be distributed separately to every machine to maintain consistency.
One way for administrators to manage that for large environments is to store the
sudo configuration in a central LDAP directory, and just configure each local system to point to that LDAP directory. That means that updates only need to be made in a single location, and any new rules are automatically recognized by local systems.
For
sudo-LDAP configuration, each sudo rule is stored as an LDAP entry, with each component of the sudo rule defined in an LDAP attribute.
The
sudoers rule looks like this:
Defaults env_keep+=SSH_AUTH_SOCK ... %wheel ALL=(ALL) ALL
Defaults env_keep+=SSH_AUTH_SOCK
...
%wheel ALL=(ALL) ALL
The LDAP entry looks like this:
sudo defaults sudo rule
# sudo defaults
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: env_keep+=SSH_AUTH_SOCK
# sudo rule
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALLNote
SSSD only caches
sudo rules which apply to the local system, depending on the value of the sudoHost attribute. This can mean that the sudoHost value is set to ALL, uses a regular expression that matches the host name, matches the systems netgroup, or matches the systems host name, fully qualified domain name, or IP address.
The
sudo service can be configured to point to an LDAP server and to pull its rule configuration from those LDAP entries. Rather than pointing the sudo configuration to the LDAP directory, it can be configured to point to SSSD. SSSD, then, stores all of the information that sudo needs, and every time a user attempts a sudo-related operation, the latest sudo configuration can be pulled from the LDAP directory (through SSSD). SSSD, however, also caches all of the sudo riles, so that users can perform tasks, using that centralized LDAP configuration, even if the LDAP server goes offline.
Procedure 13.5. Configuring sudo with SSSD
All of the SSSD
sudo configuration options are listed in the sssd-ldap(5) man page.
- Make sure that the sssd-common package is installed.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ~]$ rpm -q sssd-common
~]$ rpm -q sssd-common - Open the
sssd.conffile.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ~]# vim /etc/sssd/sssd.conf
~]# vim /etc/sssd/sssd.conf - Add the
sudoservice to the list of services that SSSD manages.Copy to Clipboard Copied! Toggle word wrap Toggle overflow [sssd] services = nss,pam,sudo ....
[sssd] services = nss,pam,sudo .... - Create a new
[sudo]service configuration section. This section can be left blank; there is only one configurable option, for evaluating the sudo not before/after period.This section is required, however, for SSSD to recognize thesudoservice and supply the default configuration.Copy to Clipboard Copied! Toggle word wrap Toggle overflow [sudo]
[sudo] - The
sudoinformation is read from a configured LDAP domain in the SSSD configuration, so an LDAP domain must be available. For an LDAP provider, these parameters are required:- The directory type,
sudo_provider; this is alwaysldap. - The search base,
ldap_sudo_search_base. - The URI for the LDAP server,
ldap_uri.
For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow [domain/LDAP] id_provider = ldap sudo_provider = ldap ldap_uri = ldap://example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
[domain/LDAP] id_provider = ldap sudo_provider = ldap ldap_uri = ldap://example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=comFor an Identity Management (IdM or IPA) provider, there are additional parameters required to perform Kerberos authentication when connecting to the server.Copy to Clipboard Copied! Toggle word wrap Toggle overflow [domain/IDM] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.com
[domain/IDM] id_provider = ipa ipa_domain = example.com ipa_server = ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt sudo_provider = ldap ldap_uri = ldap://ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/hostname.example.com ldap_sasl_realm = EXAMPLE.COM krb5_server = ipa.example.comNote
Thesudo_providertype for an Identity Management provider is stillldap. - Set the intervals to use to refresh the
sudorule cache.The cache for a specific system user is always checked and updated whenever that user performs a task. However, SSSD caches all rules which relate to the local system. That complete cache is updated in two ways:- Incrementally, meaning only changes to rules since the last full update (
ldap_sudo_smart_refresh_interval, the time in seconds); the default is 15 minutes, - Fully, which dumps the entire caches and pulls in all of the current rules on the LDAP server(
ldap_sudo_full_refresh_interval, the time in seconds); the default is six hours.
These two refresh intervals are set separately. For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow [domain/LDAP] ... ldap_sudo_full_refresh_interval=86400 ldap_sudo_smart_refresh_interval=3600
[domain/LDAP] ... ldap_sudo_full_refresh_interval=86400 ldap_sudo_smart_refresh_interval=3600Note
SSSD only cachessudorules which apply to the local system. This can mean that thesudoHostvalue is set to ALL, uses a regular expression that matches the host name, matches the systems netgroup, or matches the systems host name, fully qualified domain name, or IP address. - Optionally, set any values to change the schema used for
sudorules.Schema elements are set in theldap_sudorule_*attributes. By default, all of the schema elements use the schema defined in sudoers.ldap; these defaults will be used in almost all deployments. - Save and close the
sssd.conffile. - Configure
sudoto look for rules configuration in SSSD by editing thensswitch.conffile and adding thessslocation:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ~]# vim /etc/nsswitch.conf sudoers: files sss
~]# vim /etc/nsswitch.conf sudoers: files sss - Restart SSSD.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ~]# service sssd restart
~]# service sssd restart
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}