[Freeipa-devel] ipa-client-install sudoers + automount

William Brown a1176360 at adelaide.edu.au
Wed Oct 12 13:49:34 UTC 2011



Is there a reason that ipa-client-install does not configure nsswitch
for ldap sudoers and automount by default? I would see such a
modification as a feature for this, rather than a negative.

Alternately, this could be added as a module to ipa command to
"autoconfigure" these for a joined host.

In order to implement this one would need to write into ipa-client-install:

* Add ldap to sudoers and automount in nsswitch
* Generate configuration for Automount in a way similar to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
** Automount could set up the location at this point.
* Generate configuration for nss_ldap.conf for sudoers according to
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/example-configuring-sudo.html
** This could use the static sudo password method as listed, and would
involve adding these lines to the nss_ldap configuration in
ipa-client-install. Some kind of RPC call could be made to retrieve
the sudo password using the admin ticket.

ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=x
bindpw testpassword

** Alternately, nss_ldap can use kerberos caches for SASL binds.

sudoers_base ou=SUDOers,dc=x
use_sasl on
krb5_ccname FILE:/etc/.ldapsearch

The latter requires the kerberos cache to be primed and added to cron
with something like:

kinit -k host/client3.ipa.x -c /etc/.ldapsearch

* nss_ldap configuration would be part of the default install,
regardless of SSSD presence (ldap would not be listed in nsswitch for
users or groups however)

Nslcd does not support the sudoers option as far as my research tells
me. It would also mean that nss_ldap becomes a dependency, rather than
optional. Nslcd also supports sasl for ldap.

Of the sudo bindpw and krb5_cc methods in nss_ldap, which is preferred?

-- 
Sincerely,

William Brown

Research and Teaching
Information and Technology Services
The University of Adelaide

CRICOS Provider Number 00123M
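As an added example (not code from the original mail or from FreeIPA), a POSIX shell script that enables the ldap source for sudoers and automount in nsswitch.conf idempotently, reports whether an nss_ldap configuration uses a static bindpw or SASL with a Kerberos cache, and flags a bindpw file that is readable by other users; the function names are my own and the file paths are parameters, since the real locations vary by distribution.

```shell
# Added example, not from the original mail or from FreeIPA.
# Function names and file paths are assumptions; on a real host the files
# would be /etc/nsswitch.conf and the nss_ldap config (e.g. /etc/ldap.conf).

# Usage: enable_ldap_source <nsswitch.conf> <database>
# Adds "ldap" to the database's source list; re-running it changes nothing.
enable_ldap_source() {
    conf="$1"; db="$2"
    if grep -q "^${db}:" "$conf"; then
        # ldap already listed for this database: leave the line alone
        grep -qE "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$conf" && return 0
        sed "s/^${db}:.*/& ldap/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s: files ldap\n' "$db" >> "$conf"
    fi
}

# Usage: bind_method <nss_ldap config>
# Prints "sasl" for a Kerberos-cache (use_sasl on) setup, "bindpw" for a
# static password, "none" if neither is configured.
bind_method() {
    if grep -qiE '^[[:space:]]*use_sasl[[:space:]]+on' "$1"; then
        echo sasl
    elif grep -qE '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$1"; then
        echo bindpw
    else
        echo none
    fi
}

# Usage: bindpw_exposed <nss_ldap config>
# Succeeds when the file carries a static bindpw and is readable by "other".
# NSS lookups run inside every user's processes, so this file is normally
# world-readable, which puts the password in reach of any local account.
bindpw_exposed() {
    [ "$(bind_method "$1")" = bindpw ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Usage: report_host <nsswitch.conf> <nss_ldap config>
report_host() {
    for db in sudoers automount; do enable_ldap_source "$1" "$db"; done
    method=$(bind_method "$2")
    if bindpw_exposed "$2"; then
        echo "bind=$method WARNING: static bindpw readable by all users"
    else
        echo "bind=$method"
    fi
}
```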