Chapter 30. Using sudo

Identity Management provides a mechanism for predictably and consistently applying sudo policies across the IdM domain. Every system in the IdM domain can be configured as a sudo client.

30.1. The sudo Utility in Identity Management

The sudo utility gives administrative access to specified users. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user. For more information about sudo, see the System Administrator's Guide.

30.1.1. The Identity Management LDAP Schema for sudo

IdM has a specialized LDAP schema for sudo entries. The schema supports:
  • Host groups as well as netgroups. Note that sudo only supports netgroups.
  • sudo command groups, which contain multiple commands.


Because sudo does not support host groups or command groups, IdM translates the IdM sudo configuration into the native sudo configuration when the sudo rules are created. For example, IdM creates a corresponding shadow netgroup for every host group, which allows the IdM administrator to create sudo rules that reference host groups, while the local sudo command uses the corresponding netgroup.
By default, the sudo information is not available anonymously over LDAP. Therefore, IdM defines a default sudo user at uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX. You can change this user in the LDAP sudo configuration file at /etc/sudo-ldap.conf.

30.1.2. NIS Domain Name Requirements

The NIS domain name must be set for netgroups and sudo to work properly. The sudo configuration requires NIS-formatted netgroups and a NIS domain name for netgroups. However, IdM does not require the NIS domain to actually exist. It is also not required to have a NIS server installed.


The ipa-client-install utility sets a NIS domain name automatically to the IdM domain name by default.