From Fedora Project Wiki
Description
Offline access to sudo rules.
Setup
- Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
- Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
- Install FreeIPA server with DNS on one machine,
server.ipa.example.com
, and FreeIPA client on another machine,client.ipa.example.com
(see Basic installation tests).
How to test
Configure SSSD
On client.ipa.example.com
, you have to make some changes to /etc/sssd/sssd.conf
.
Make sure the sudo service is enabled in the [sssd]
section:
[sssd] ... services = nss, pam, ssh, sudo ...
In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo
for more information):
[domain/IPA.EXAMPLE.COM] ... sudo_provider = ldap ldap_uri = ldap://server.ipa.example.com ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/client.ipa.example.com ldap_sasl_realm = IPA.EXAMPLE.COM krb5_server = server.ipa.example.com ...
Configure sudo to use SSSD as a sudoers source in /etc/nsswitch.conf
:
sudoers: files sss
Finally, restart SSSD:
root@client# service sssd restart
Sudo testing
TODO.
Expected Results
All the test steps should end with the specified results.