30.3. Configuring the Location for Looking up sudo Policies
The centralized IdM database for sudo configuration makes the sudo policies defined in IdM globally available to all domain hosts. On Red Hat Enterprise Linux 7.1 systems and later, the ipa-client-install utilities automatically configure the system to use the IdM-defined policies by setting SSSD as the data provider for sudo.
The location for looking up the sudo policies is defined on the sudoers line of the /etc/nsswitch.conf file. On IdM systems running Red Hat Enterprise Linux 7.1 and later, the default is:
sudoers: files sss
The files option specifies that the system uses the sudo configuration defined in the local /etc/sudoers file. The sss option specifies that the sudo configuration defined in IdM is used.
30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
To implement the IdM-defined sudo policies on IdM systems running Red Hat Enterprise Linux versions earlier than 7.1, configure the local machines manually. You can do this using SSSD or LDAP. Red Hat strongly recommends using the SSSD-based configuration.
30.3.1.1. Applying the sudo Policies to Hosts Using SSSD
Follow these steps on each system that is required to use SSSD for sudo policies:
- Configure sudo to look to SSSD for the sudoers file.
# vim /etc/nsswitch.conf
sudoers: files sss
Leaving the files option in place allows sudo to check its local configuration before checking SSSD for the IdM configuration.
- Add sudo to the list of services managed by the local SSSD client.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = IPADOMAIN
- Set a name for the NIS domain in the sudo configuration. sudo uses NIS-style netgroups, so the NIS domain name must be set in the system configuration for sudo to be able to find the host groups used in the IdM sudo configuration.
  - Enable the rhel-domainname service if it is not already enabled to ensure that the NIS domain name will be persistent across reboots.
# systemctl enable rhel-domainname.service
  - Set the NIS domain name to use with the sudo configuration.
# nisdomainname example.com
  - Configure the system authentication settings to persist the NIS domain name. For example:
# echo "NISDOMAIN=example.com" >> /etc/sysconfig/network
This updates the /etc/sysconfig/network and /etc/yp.conf files with the NIS domain.
  - Restart the rhel-domainname service.
# systemctl restart rhel-domainname.service
- Optionally, enable debugging in SSSD to show what LDAP settings it is using.
[domain/IPADOMAIN]
debug_level = 6
....
The LDAP search base used by SSSD for operations is recorded in the SSSD domain log under /var/log/sssd/.
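The three settings the SSSD procedure above touches can be audited with the following script, an added example rather than part of the Red Hat documentation. It parses constructed sample copies of /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/sysconfig/network (not the live files) and reports which settings would still keep a host from consulting the IdM sudo rules.

```python
"""Audit a host's sudo lookup settings as described above: the sudoers line of
/etc/nsswitch.conf must list sss, the [sssd] services in /etc/sssd/sssd.conf must
include sudo, and NISDOMAIN must be set so sudo can resolve IdM host-group netgroups."""
import configparser
import re
# Constructed samples: a host that has not yet been converted to IdM sudo rules.
NSSWITCH_BEFORE = "passwd:     files sss\nsudoers:    files  # local rules only\n"
SSSD_BEFORE = "[sssd]\nconfig_file_version = 2\nservices = nss, pam\ndomains = IPADOMAIN\n"
NETWORK_BEFORE = "NETWORKING=yes\n"
# Constructed samples: the same host after the steps above have been applied.
NSSWITCH_AFTER = "passwd:     files sss\nsudoers:    files sss\n"
SSSD_AFTER = "[sssd]\nconfig_file_version = 2\nservices = nss, pam, sudo\ndomains = IPADOMAIN\n"
NETWORK_AFTER = "NETWORKING=yes\nNISDOMAIN=example.com\n"

def sudoers_sources(nsswitch_text):
    """Lookup sources on the sudoers: line, in order; [] if the line is missing."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"\s*sudoers\s*:\s*(.*)$", line.split("#", 1)[0])  # strip comments
        if m:
            return m.group(1).split()
    return []

def sssd_services(sssd_text):
    """Services enabled in the [sssd] section of sssd.conf (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    return [s for s in re.split(r"[,\s]+", cp.get("sssd", "services", fallback="")) if s]

def nis_domain(network_text):
    """NISDOMAIN value from /etc/sysconfig/network, or None when unset."""
    m = re.search(r'^\s*NISDOMAIN\s*=\s*"?([^"#\s]+)', network_text, re.MULTILINE)
    return m.group(1) if m else None

def audit(nsswitch_text, sssd_text, network_text):
    """Return findings as strings; an empty list means IdM sudo rules will be consulted."""
    findings = []
    sources = sudoers_sources(nsswitch_text)
    if "sss" not in sources:
        findings.append("nsswitch.conf: sudoers sources %s do not include sss" % (sources,))
    elif sources[0] != "files":  # files first keeps local /etc/sudoers ahead of SSSD
        findings.append("nsswitch.conf: local /etc/sudoers is not consulted before SSSD")
    if "sudo" not in sssd_services(sssd_text):
        findings.append("sssd.conf: [sssd] services does not include sudo")
    if nis_domain(network_text) is None:
        findings.append("sysconfig/network: NISDOMAIN unset, IdM host groups will not resolve")
    return findings

if __name__ == "__main__":
    for f in audit(NSSWITCH_BEFORE, SSSD_BEFORE, NETWORK_BEFORE):
        print("FAIL:", f)
    print("after fix:", audit(NSSWITCH_AFTER, SSSD_AFTER, NETWORK_AFTER) or "no findings")
```

On a real host, read the three /etc paths into the same functions; a non-empty result from audit() lists exactly which of the steps above is still outstanding.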
30.3.1.2. Applying the sudo Policies to Hosts Using LDAP
Only use the LDAP-based configuration for clients that do not use SSSD. Red Hat recommends configuring all other clients using the SSSD-based configuration, as described in Section 30.3.1.1, “Applying the sudo Policies to Hosts Using SSSD”.
For information on applying sudo policies using LDAP, see Applying the sudo Policies to Hosts Using LDAP in the Red Hat Enterprise Linux 6 Identity Management Guide.
The LDAP-based configuration is expected to be used primarily for clients based on Red Hat Enterprise Linux versions earlier than Red Hat Enterprise Linux 7. It is therefore only described in the documentation for Red Hat Enterprise Linux 6.