[Freeipa-devel] [PATCH][DOC] Configure sudo for FreeIPA 3.1.5

Dean Hunter deanhunter at comcast.net
Tue Oct 22 11:12:09 UTC 2013


On Tue, 2013-10-22 at 10:39 +0200, Martin Kosek wrote:

> On 10/22/2013 02:41 AM, Dean Hunter wrote:
> > This patch is only for the FreeIPA 3.1.5 User Guide. The 3.1.5 User
> > Guide currently has a procedure carried over from the 2.2 User Guide.
> > And the procedure will be different, again, for the 3.4 User Guide. The
> > procedure is based on
> > http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf.
> > 
> > https://fedorahosted.org/freeipa/ticket/3756
> 
> Hi Dean,
> 
> Thanks for the patch! I have a few comments though.
> 
> 1) ipa-client-install in the first paragraph should be in <code>. I also think
> there should be a short introduction of the section instead of directly jumping
> to editing configs.
> 
> I think that a modification of the previous one would work. Something like that:
> ~~~
> Actually implementing sudo policies is more complicated than simply creating
> the rules in FreeIPA. Those rules need to be applied to every local machine,
> which means that each system in the FreeIPA domain has to be configured to
> refer to FreeIPA for its policies.
> 
> This example specifically configures a Fedora client for sudo rules. sudo on
> the client is configured to use SSSD as a source of the policies:
> ...
> ~~~


For this reason I considered moving the entire section to chapter 3,
Setting up Systems as FreeIPA Clients.


> 2) I see that in the configuration examples you already pasted executable
> scripts from your automation.
> 
> However, I think that the "echo" and "sed" like examples will not bring enough
> clarity for the users. I would rather prefer the standard examples (as in other
> places in the guide) showing what the file should look like and leave the
> automation to the user (if he needs it), i.e.
> 
> ~~~
> vim /etc/nsswitch.conf
> 
> sudoers:  files ldap
> ~~~
> instead of
> 
> ~~~
> [root@ipaclient ~]# echo "sudoers:    files sss" >>/etc/nsswitch.conf
> ~~~
> 
> or
> 
> ~~~
> [domain/example.com]
> krb5_server = ipa.example.com
> ldap_sasl_authid = host/hostname.example.com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_realm = EXAMPLE.COM
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_uri = ldap://ipa.example.com
> sudo_provider = ldap
> ~~~
> 
> instead of
> 
> ~~~
> [root@ipaclient ~]# sed "/^\[domain\/example.com\]/ a\\
> > krb5_server = ipa.example.com\\
> > ldap_sasl_authid = host/hostname.example.com\\
> > ldap_sasl_mech = GSSAPI\\
> > ldap_sasl_realm = EXAMPLE.COM\\
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\\
> > ldap_uri = ldap://ipa.example.com\\
> > sudo_provider = ldap" /etc/sssd/sssd.conf
> ~~~
> 
> etc.
> 
> This will make the examples easier to read and consistent with the rest of the
> guide.



"What" instead of "How", got it. So even "vim /etc/nsswitch.conf" should
not be specified, just list the changed lines of the affected file.


> Martin
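A small consistency check for the client-side layout the quoted example describes, added here as an illustration; it is not part of the patch, the FreeIPA guide or Martin's reply. It reads the `sudoers:` line of nsswitch.conf and the `[domain/...]` section of sssd.conf and confirms they agree; the file paths, domain name and sample file contents are assumptions.

```shell
# Added illustration (not from the thread or the FreeIPA guide). Paths, the
# domain name and the sample contents below are assumptions, not real hosts.

# Print the source list of the "sudoers:" line in nsswitch.conf $1 ("files sss").
nsswitch_sudoers_sources() {
    awk '$1 == "sudoers:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the value of key $3 inside the [domain/$2] section of sssd.conf $1.
sssd_domain_value() {
    awk -v sect="[domain/$2]" -v key="$3" '
        { line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line) }
        line ~ /^\[/ { insect = (line == sect); next }
        insect && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1); gsub(/^[[:space:]]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when nsswitch.conf $1 and sssd.conf $2 are consistent for domain $3:
# sudo resolves rules through sss, and SSSD serves them via ldap over GSSAPI.
check_client_sudo_config() {
    sources=$(nsswitch_sudoers_sources "$1")
    case " $sources " in
        *" sss "*) ;;
        *) echo "FAIL: sudoers line does not list sss (got '$sources')" >&2; return 1 ;;
    esac
    [ "$(sssd_domain_value "$2" "$3" sudo_provider)" = ldap ] ||
        { echo "FAIL: sudo_provider is not ldap in [domain/$3]" >&2; return 1; }
    [ "$(sssd_domain_value "$2" "$3" ldap_sasl_mech)" = GSSAPI ] ||
        { echo "FAIL: ldap_sasl_mech is not GSSAPI in [domain/$3]" >&2; return 1; }
    [ -n "$(sssd_domain_value "$2" "$3" ldap_sudo_search_base)" ] ||
        { echo "FAIL: no ldap_sudo_search_base in [domain/$3]" >&2; return 1; }
    echo "OK: sudo rules for $3 come from SSSD via ldap/GSSAPI"
}
# Constructed sample files mirroring the thread's example, written into dir $1.
write_sample_configs() {
    printf 'passwd:   files sss\nsudoers:  files sss\n' > "$1/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam, sudo\n\n[domain/example.com]\n' > "$1/sssd.conf"
    printf 'krb5_server = ipa.example.com\nldap_sasl_mech = GSSAPI\n' >> "$1/sssd.conf"
    printf 'ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n' >> "$1/sssd.conf"
    printf 'ldap_uri = ldap://ipa.example.com\nsudo_provider = ldap\n' >> "$1/sssd.conf"
}
dir=$(mktemp -d) && write_sample_configs "$dir"
check_client_sudo_config "$dir/nsswitch.conf" "$dir/sssd.conf" example.com
rm -rf "$dir"
```

On a real client, run the check against /etc/nsswitch.conf and /etc/sssd/sssd.conf with the domain name from ipa-client-install.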

