此内容没有您所选择的语言版本。
21.4. Configuring Hosts to Use IdM sudo Policies
Actually implementing
sudo policies is more complicated than simply creating the rules in IdM. Those rules need to be applied to every local machine, which means that each system in the IdM domain has to be configured to refer to IdM for its policies.
You can apply
sudo policies to hosts using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration.
21.4.1. Applying the sudo Policies to Hosts Using SSSD
- Set up the host and
sudoentries in IdM.- Set up the
sudocommands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”. - Set up the
sudorules, as described in Section 21.3, “Defining sudo Rules”. - Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
- Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
- Configure every system in the IdM domain to use SSSD for
sudorules.Note
Only perform this step on systems based on Red Hat Enterprise Linux 6.5 and earlier. In Red Hat Enterprise Linux 6.6 and later, theipa-client-installutility configures SSSD as the data provider forsudoautomatically.- Configure
sudoto look to SSSD for thesudoersfile.vim /etc/nsswitch.conf sudoers: files sss
Leaving thefilesoption in place allowssudoto check its local configuration before checking SSSD for the IdM configuration. - Add
sudoto the list of services managed by the local SSSD client.[root@server ~]# vim /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam,
sudodomains = IPADOMAIN - Set a name for the NIS domain in the
sudoconfiguration.sudouses NIS-style netgroups, so the NIS domain name must be set in the system configuration forsudoto be able to find the host groups used in the IdMsudoconfiguration.- Set the NIS domain name to use with the
sudorules.[root@server ~]# nisdomainname example.com
- Configure the system authentication settings to persist the NIS domain name. For example:
[root@server ~]# echo "NISDOMAIN=example.com.com" >> /etc/sysconfig/network
This updates the/etc/sysconfig/networkand/etc/yp.conffiles with the NIS domain.
Note
Even thoughsudouses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, sosudorequires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
- Optionally, enable debugging in SSSD to show what LDAP settings it is using.
[domain/IPADOMAIN] debug_level = 6 ....
The LDAP search base used by SSSD for operations is recorded in thesssd_DOMAINNAME.logfile.
21.4.2. Applying the sudo Policies to Hosts Using LDAP
Important
Only use the LDAP-based configuration for clients running Red Hat Enterprise Linux 6.3 and earlier or clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section 21.4.1, “Applying the
sudo Policies to Hosts Using SSSD”.
- Set up the host and sudo entries in IdM.
- Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
- Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
- Set up the
sudocommands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”. - Set up the
sudorules, as described in Section 21.3, “Defining sudo Rules”.
- Set up a bind (authenticated) user by setting a password for the default IdM
sudouser. The user must be able to authenticate to the server; anonymous access is not supported forsudopolicies.Using LDAP tools, set the password for thesudouser,uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. For example:[jsmith@server ~]$ ldappasswd -Y GSSAPI -S -h ipaserver.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com New password: Re-enter new password: Enter LDAP Password: - Configure every system in the IdM domain to use SSSD for sudo rules.
- Configure
sudoto look to LDAP for thesudoersfile.vim /etc/nsswitch.conf sudoers: files ldap
Leaving thefilesoption in place allowssudoto check its local configuration before checking the LDAP-based IdM configuration. - Enable debug logging for
sudooperations in the/etc/ldap.conffile. If this file does not exist, it can be created.vim /etc/ldap.conf sudoers_debug: 1
Note
Adding thesudoers_debugparameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. Thesudodocumentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process. - Edit the NSS/LDAP configuration file and add the following
sudo-related lines to the/etc/sudo-ldap.conffile:binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com bindpw sudo_password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://ipaserver.example.com ldap://backup.example.com:3890 sudoers_base ou=SUDOers,dc=example,dc=com
Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. ThesudoLDAP configuration is covered in the sudooers.ldap(8) man page.Important
Theuridirective must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise,sudofails to connect to the LDAP server. - Optional. Enable debugging in SSSD to show what LDAP settings it is using.
[root@server ~]# vim /etc/sssd/sssd.conf [domain/LDAPDOMAIN] debug_level = 6 ....
The LDAP search base used by SSSD for operations is recorded in thesssd_DOMAINNAME.logfile. - Set a name for the NIS domain in the
sudoconfiguration.sudouses NIS-style netgroups, so the NIS domain name must be set in the system configuration forsudoto be able to find the host groups used in the IdMsudoconfiguration.- Set the NIS domain name to use with the
sudorules.[root@server ~]# nisdomainname example.com
- Configure the system authentication settings to persist the NIS domain name. For example:
[root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
This updates the/etc/sysconfig/networkand/etc/yp.conffiles with the NIS domain.
Note
Even thoughsudouses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, sosudorequires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
