이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 4. Configuring Red Hat Enterprise Linux 5 Servers for IPA Domain Services
4.1. Client Configuration for sudo Rules
This example specifically configures a Red Hat Enterprise Linux 5 client for sudo rules. The configuration file in step 4 is different, depending on the platform.
- Configure
sudoto look to LDAP for thesudoersfile.vim /etc/nsswitch.conf sudoers: files ldap
Leaving thefilesoption in place allowssudoto check its local configuration before checking the LDAP-based IPA configuration. - Enable debug logging for
sudooperations in the/etc/ldap.conffile. If this file does not exist, it can be created.vim /etc/ldap.conf sudoers_debug: 1
Note
Adding thesudoers_debugparameter helps with troubleshooting. Valid values for this parameter are 0,http://jboss-on-docs.etherpad.corp.redhat.com/10 1, and 2. Thesudodocumentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process. - Optionally, enable debugging in SSSD to show what LDAP settings it is using.
vim /etc/sssd/sssd.conf [domain/IPADOMAIN] debug_level = 6 ....
The LDAP search base used by SSSD for operations is recorded in thesssd_DOMAINNAME.loglog. - Edit the NSS/LDAP configuration file and add the following
sudo-related lines to the/etc/nss_ldap.conffile:sudoers_base ou=SUDOers,dc=example,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com bindpw sudo_password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://ipaserver.example.com ldap://backup.example.com:3890
Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. ThesudoLDAP configuration is covered in thesudomanpages, http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html.Important
Theuridirective must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise,sudofails to connect to the LDAP server. - Create a symlink between the
nss_ldapmodule configuration file and the system LDAP configuration file:# ln -s /etc/nss_ldap.conf /etc/ldap.conf
- Set a name for the NIS domain in the
sudoconfiguration.sudouses NIS netgroups, so the NIS domain name must be set in the system configuration forsudoto be able to find the host groups used in the IPAsudoconfiguration.- Open the
/etc/rc.d/rc.localfile. Setting the NIS domain name in this file allows the value to persist between reboots.# vim /etc/rc.d/rc.local
- Add the command to set the NIS domain name.
nisdomainname example.com
Important
Even thoughsudouses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, sosudorequires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
