30.3. Configuring the Location for Looking up sudo Policies

The centralized IdM database for sudo configuration makes the sudo policies defined in IdM globally available to all domain hosts. On Red Hat Enterprise Linux 7.1 systems and later, the ipa-server-install and ipa-client-install utilities automatically configure the system to use the IdM-defined policies by setting SSSD as the data provider for sudo.
The location for looking up the sudo policies is defined on the sudoers line of the /etc/nsswitch.conf file. On IdM systems running Red Hat Enterprise Linux 7.1 and later, the default sudoers configuration in nsswitch.conf is:
sudoers: files sss
The files option specifies that the system uses the sudo configuration defined in the /etc/sudoers local SSSD configuration file. The sss option specifies that the sudo configuration defined in IdM is used.

30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM

To implement the IdM-defined sudo policies on IdM systems running Red Hat Enterprise Linux versions earlier than 7.1, configure the local machines manually. You can do this using SSSD or LDAP. Red Hat strongly recommends to use the SSSD-based configuration.

30.3.1.1. Applying the sudo Policies to Hosts Using SSSD

Follow these steps on each system that is required to use SSSD for sudo rules:
  1. Configure sudo to look to SSSD for the sudoers file.
    # vim /etc/nsswitch.conf
    
    sudoers:  files sss
    Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
  2. Add sudo to the list of services managed by the local SSSD client.
    # vim /etc/sssd/sssd.conf
    
    [sssd]
    config_file_version = 2
    services = nss, pam, sudo
    domains = IPADOMAIN
  3. Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
    1. Enable the rhel-domainname service if it is not already enabled to ensure that the NIS domain name will be persistent across reboots.
      # systemctl enable rhel-domainname.service
    2. Set the NIS domain name to use with the sudo rules.
      # nisdomainname example.com
    3. Configure the system authentication settings to persist the NIS domain name. For example:
      # echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
      This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
  4. Optionally, enable debugging in SSSD to show what LDAP settings it is using.
    [domain/IPADOMAIN]
    debug_level = 6
    ....
    The LDAP search base used by SSSD for operations is recorded in the sssd_DOMAINNAME.log log.

30.3.1.2. Applying the sudo Policies to Hosts Using LDAP

Important

Only use the LDAP-based configuration for clients that do not use SSSD. Red Hat recommends to configure all other clients using the SSSD-based configuration, as described in Section 30.3.1.1, “Applying the sudo Policies to Hosts Using SSSD”.
For information on applying sudo policies using LDAP, see the Identity Management Guide for Red Hat Enterprise Linux 6.
The LDAP-based configuration is expected to be used primarily for clients based on Red Hat Enterprise Linux versions earlier than Red Hat Enterprise Linux 7. It is therefore only described in the documentation for Red Hat Enterprise Linux 6.