Chapter 30. Using sudo
Identity Management provides a mechanism for predictably and consistently applying
sudo policies across the IdM domain. Every system in the IdM domain can be configured as a
30.1. The sudo Utility in Identity Management
The sudo utility gives administrative access to specified users. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user. For more information about sudo, see the System Administrator's Guide.
30.1.1. The Identity Management LDAP Schema for sudo
IdM has a specialized LDAP schema for sudo entries. The schema supports:
- Host groups as well as netgroups. Note that sudo only supports netgroups.
- sudo command groups, which contain multiple commands.
Because sudo does not support host groups or command groups, IdM translates the IdM sudo configuration into the native sudo configuration when the sudo rules are created. For example, IdM creates a corresponding shadow netgroup for every host group, which allows the IdM administrator to create sudo rules that reference host groups, while the local sudo command uses the corresponding netgroup.
By default, the sudo information is not available anonymously over LDAP. Therefore, IdM defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX. You can change this user in the LDAP sudo configuration file at
30.1.2. NIS Domain Name Requirements
The NIS domain name must be set for netgroups and sudo to work properly. The sudo configuration requires NIS-formatted netgroups and a NIS domain name for netgroups. However, IdM does not require the NIS domain to actually exist. It is also not required to have a NIS server installed.
The ipa-client-install utility sets a NIS domain name automatically to the IdM domain name by default.
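The translation described in 30.1.1 (host groups become shadow netgroups, command groups are expanded) and the NIS domain name requirement in 30.1.2 can be seen together in the following illustrative Python model. It is an added example, not IdM's own code: it flattens a rule that references host groups and command groups into the sudoUser, sudoHost and sudoCommand attributes that the local sudo command reads from LDAP, and it builds the shadow netgroup as NIS triples whose third field is the NIS domain name, which is why an empty domain name is rejected. The "+netgroup" form of sudoHost and the (host,user,domain) triple format are standard sudoers-LDAP and NIS conventions; the rule, host, group and domain names are constructed, and the class and function names are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IdmSudoRule:
    """An IdM-style sudo rule (hypothetical model): it may reference host
    groups and command groups directly, which native sudo cannot do."""
    name: str
    users: list[str]
    hosts: list[str] = field(default_factory=list)
    hostgroups: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)
    cmdgroups: list[str] = field(default_factory=list)


# Constructed sample data (hypothetical names, not from any real deployment).
NIS_DOMAIN = "idm.example.com"
SAMPLE_HOSTGROUPS: dict[str, list[str]] = {
    "webservers": ["web1.idm.example.com", "web2.idm.example.com"],
}
SAMPLE_CMDGROUPS: dict[str, list[str]] = {
    "service-admin": ["/usr/bin/systemctl restart httpd",
                      "/usr/bin/systemctl status httpd"],
}
SAMPLE_RULE = IdmSudoRule(
    name="web-admins",
    users=["alice"],
    hostgroups=["webservers"],
    commands=["/usr/bin/journalctl"],
    cmdgroups=["service-admin"],
)


def shadow_netgroup(hostgroup: str, members: list[str], nis_domain: str) -> dict:
    """Express a host group as a NIS-formatted netgroup.

    Each member host becomes a (host,user,domain) triple. The user field is
    '-' because this netgroup only describes host membership, and the domain
    field carries the NIS domain name: without it sudo cannot match the
    triple, which is why the NIS domain name must be set on every client.
    """
    if not nis_domain:
        raise ValueError("NIS domain name must be set for netgroups to work")
    return {
        "cn": hostgroup,
        "nisNetgroupTriple": [f"({host},-,{nis_domain})" for host in members],
    }


def to_native_sudo_role(rule: IdmSudoRule,
                        cmdgroups: dict[str, list[str]]) -> dict:
    """Flatten an IdM rule into the attributes native sudoers-LDAP understands.

    Host groups become '+netgroup' references (sudoHost syntax), and command
    groups are expanded into one sudoCommand value per member command. A
    reference to an unknown command group raises KeyError rather than being
    silently dropped, so a broken rule never becomes an over-broad one.
    """
    sudo_host = list(rule.hosts) + [f"+{hg}" for hg in rule.hostgroups]
    expanded = [c for grp in rule.cmdgroups for c in cmdgroups[grp]]
    sudo_cmds: list[str] = []
    for cmd in list(rule.commands) + expanded:
        if cmd not in sudo_cmds:  # keep order, drop duplicates
            sudo_cmds.append(cmd)
    return {
        "cn": rule.name,
        "sudoUser": list(rule.users),
        "sudoHost": sudo_host,
        "sudoCommand": sudo_cmds,
    }


def to_ldif(entry: dict) -> str:
    """Render an attribute dict as LDIF-style 'attr: value' lines, one per value."""
    lines = []
    for attr, values in entry.items():
        for value in (values if isinstance(values, list) else [values]):
            lines.append(f"{attr}: {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Show the shadow netgroup first, then the flattened sudo role.
    for hg, members in SAMPLE_HOSTGROUPS.items():
        print(to_ldif(shadow_netgroup(hg, members, NIS_DOMAIN)), end="\n\n")
    print(to_ldif(to_native_sudo_role(SAMPLE_RULE, SAMPLE_CMDGROUPS)))
```

Running the block prints the netgroup as nisNetgroupTriple lines followed by the role with a single "sudoHost: +webservers" reference and one sudoCommand line per command; the netgroup carries the same domain name that ipa-client-install sets on the client, and the two must agree for the rule to match.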