21.4. Configuring Hosts to Use IdM sudo Policies

Actually implementing sudo policies is more complicated than simply creating the rules in IdM. Those rules need to be applied to every local machine, which means that each system in the IdM domain has to be configured to refer to IdM for its policies.
You can apply sudo policies to hosts using SSSD or LDAP. Red Hat strongly recommends using the SSSD-based configuration.

21.4.1. Applying the sudo Policies to Hosts Using SSSD

  1. Set up the host and sudo entries in IdM.
    1. Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
    2. Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
    3. Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
    4. Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
  2. Configure every system in the IdM domain to use SSSD for sudo rules.

    Note

    Only perform this step on systems based on Red Hat Enterprise Linux 6.5 and earlier. In Red Hat Enterprise Linux 6.6 and later, the ipa-client-install utility configures SSSD as the data provider for sudo automatically.
    1. Configure sudo to look to SSSD for the sudoers file.
      vim /etc/nsswitch.conf
      
      sudoers:  files sss
      Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
    2. Add sudo to the list of services managed by the local SSSD client.
      [root@server ~]# vim /etc/sssd/sssd.conf
      
      [sssd]
      config_file_version = 2
      services = nss, pam, sudo
      domains = IPADOMAIN
    3. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
      1. Set the NIS domain name to use with the sudo rules.
        [root@server ~]# nisdomainname example.com
      2. Configure the system authentication settings to persist the NIS domain name. For example:
        [root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
        This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.

      Note

      Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
  3. Optionally, enable debugging in SSSD to show what LDAP settings it is using.
    [domain/IPADOMAIN]
    debug_level = 6
    ....
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.

21.4.2. Applying the sudo Policies to Hosts Using LDAP

Important

Only use the LDAP-based configuration for clients running Red Hat Enterprise Linux 6.3 and earlier or clients that do not use SSSD. Red Hat recommends configuring all other clients using the SSSD-based configuration, as described in Section 21.4.1, “Applying the sudo Policies to Hosts Using SSSD”.
  1. Set up the host and sudo entries in IdM.
    1. Optional. Set up a host group, as described in Section 10.7, “Managing Host Groups”.
    2. Optional. Create a user group and add the users, as described in Section 9.11.2.1, “Creating User Groups”.
    3. Set up the sudo commands and command groups, as described in Section 21.2, “Setting up sudo Commands and Command Groups”.
    4. Set up the sudo rules, as described in Section 21.3, “Defining sudo Rules”.
  2. Set up a bind (authenticated) user by setting a password for the default IdM sudo user. The user must be able to authenticate to the server; anonymous access is not supported for sudo policies.
    Using LDAP tools, set the password for the sudo user, uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. For example:
    [jsmith@server ~]$ ldappasswd -Y GSSAPI -S -h ipaserver.example.com uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
        New password: 
        Re-enter new password: 
        Enter LDAP Password:
  3. Configure every system in the IdM domain to use LDAP for sudo rules.
    1. Configure sudo to look to LDAP for the sudoers file.
      vim /etc/nsswitch.conf
      
      sudoers:  files ldap
      Leaving the files option in place allows sudo to check its local configuration before checking the LDAP-based IdM configuration.
    2. Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created.
      vim /etc/ldap.conf
      
      sudoers_debug: 1

      Note

      Adding the sudoers_debug parameter helps with troubleshooting. Valid values for this parameter are 0, 1, and 2. The sudo documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process.
    3. Edit the NSS/LDAP configuration file and add the following sudo-related lines to the /etc/sudo-ldap.conf file:
      binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
      bindpw sudo_password
      
      ssl start_tls
      tls_cacertfile /etc/ipa/ca.crt
      tls_checkpeer yes
      
      bind_timelimit 5
      timelimit 15
      
      uri ldap://ipaserver.example.com ldap://backup.example.com:3890
      sudoers_base ou=SUDOers,dc=example,dc=com
      Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. The sudo LDAP configuration is covered in the sudoers.ldap(8) man page.

      Important

      The uri directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise, sudo fails to connect to the LDAP server.
    4. Optional. Enable debugging in SSSD to show what LDAP settings it is using.
      [root@server ~]# vim /etc/sssd/sssd.conf
      
      [domain/LDAPDOMAIN]
      debug_level = 6
      ....
      The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log file.
    5. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
      1. Set the NIS domain name to use with the sudo rules.
        [root@server ~]# nisdomainname example.com
      2. Configure the system authentication settings to persist the NIS domain name. For example:
        [root@server ~]# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
        This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.

      Note

      Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
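The following shell checks are an added example, not part of the Red Hat guide, that verify the client-side settings from Section 21.4.1 (SSSD) and Section 21.4.2 (LDAP) on a host: the sudoers source in nsswitch.conf, the sudo service in sssd.conf, the persisted NIS domain, and the TLS and uri requirements in sudo-ldap.conf. File paths and the expected NIS domain are parameters; the sample files are constructed.

```sh
# Added example, not from the Red Hat guide: checks for the client-side settings
# described in Section 21.4.1 (SSSD) and Section 21.4.2 (LDAP).
# File paths and the expected NIS domain are parameters; sample files are constructed.

# nsswitch.conf must send sudoers lookups to the given backend (sss or ldap),
# with "files" first so the local sudoers file is still consulted.
check_nsswitch() {  # $1 = nsswitch.conf, $2 = backend name
    grep -Eq "^[[:space:]]*sudoers:[[:space:]]+files[[:space:]]+$2[[:space:]]*$" "$1"
}

# sssd.conf must list sudo on the services line of the [sssd] section.
check_sssd_services() {  # $1 = sssd.conf
    awk '/^\[/ { in_sssd = ($0 == "[sssd]") }
         in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
             n = split($0, f, "[=, \t]+"); for (i = 2; i <= n; i++) if (f[i] == "sudo") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# /etc/sysconfig/network must persist exactly the domain given to nisdomainname
# (a mistyped value such as example.com.com would break netgroup lookups).
check_nisdomain() {  # $1 = network file, $2 = expected NIS domain
    [ "$(sed -n 's/^NISDOMAIN=//p' "$1" | tail -n 1)" = "$2" ]
}

# sudo-ldap.conf must use STARTTLS with peer verification against the IdM CA,
# and every uri host must be a name, not an IP address (see the Important note).
check_sudo_ldap() {  # $1 = sudo-ldap.conf
    grep -Eq '^ssl[[:space:]]+start_tls' "$1" &&
    grep -Eq '^tls_checkpeer[[:space:]]+yes' "$1" &&
    grep -Eq '^tls_cacertfile[[:space:]]+/etc/ipa/ca\.crt' "$1" &&
    ! sed -n 's/^uri[[:space:]]*//p' "$1" | tr ' ' '\n' |
        sed 's#^[a-z]*://##; s#:[0-9]*$##' | grep -Eq '^[0-9]+(\.[0-9]+){3}$'
}

# Constructed sample files mirroring the guide's SSSD example.
demo() {
    d=$(mktemp -d)
    printf 'sudoers:  files sss\n' > "$d/nsswitch.conf"
    printf '[sssd]\nconfig_file_version = 2\nservices = nss, pam, sudo\n' > "$d/sssd.conf"
    printf 'NISDOMAIN=example.com\n' > "$d/network"
    check_nsswitch "$d/nsswitch.conf" sss && check_sssd_services "$d/sssd.conf" &&
        check_nisdomain "$d/network" example.com && echo "SSSD sudo client config OK"
    rm -rf "$d"
}
demo
```

Run the individual functions against /etc/nsswitch.conf, /etc/sssd/sssd.conf, /etc/sysconfig/network and /etc/sudo-ldap.conf on a client to confirm each step of the procedure took effect.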