[Freeipa-users] sudo made a bit easier to configure

Jan-Frode Myklebust janfrode at tanso.net
Sun Apr 14 11:49:14 UTC 2013


On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
> 
> I discovered that using this recipe makes setting up sudo-ldap very simple,
> even when anonymous binds are disabled.
> 
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=domain,dc=com
> URI ldap://auth-ipa.domain.com
> ROOTUSE_SASL on
> SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
> SUDOERS_DEBUG 2
> 

I really liked that this configuration didn't need a binddn/bindpw in
sudo-ldap.conf, but it only works for me if I do a password login and am
issued a Kerberos ticket on the host, and not if I do an ssh pubkey/GSS-API
login to the host.

Do you have a PAM config that issues a Kerberos ticket on sudo auth so
that it always works?

An even better config would be if we could use the host's keytab to bind
to LDAP here.


  -jf
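Editor's note, not part of the thread: the appeal of the quoted recipe is that it leaves no BINDPW on the host and pins the IPA CA with TLS_REQCERT demand, so the two things worth checking on any sudo-ldap.conf are a stored bind password and an unverified or cleartext channel to the directory. The script below is an added example (not code from either poster or from the sudo project) that lints two constructed configurations for exactly those settings: a deliberately weak one with a static bind account and TLS_REQCERT never, and one modelled on the quoted GSSAPI recipe. Hostnames, DNs and the password are made up. The keyword names BINDPW and SSL start_tls come from sudoers.ldap(5); treating a GSSAPI bind over ldap:// as protected assumes the SASL security layer is negotiated, which is the libldap default but is a stated assumption here.

```shell
#!/bin/sh
# Added example (not from the thread): lint a sudo-ldap.conf-style file for a
# bind password stored on disk and for an unverified or unencrypted channel to
# the directory. Hostnames, DNs and the password below are constructed.

# Constructed "weak" configuration: static bind account, password in the file,
# server certificate never checked.
WEAK_CONF='URI ldap://auth-ipa.domain.com
BASE dc=domain,dc=com
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
BINDDN uid=sudo-bind,cn=sysaccounts,cn=etc,dc=domain,dc=com
BINDPW not-a-real-password
TLS_REQCERT never
SUDOERS_DEBUG 2'

# Constructed "good" configuration, modelled on the recipe quoted in the thread:
# GSSAPI bind, no password, IPA CA pinned, certificate verification demanded.
GOOD_CONF='TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
ROOTUSE_SASL on
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com'

# conf_value KEY CONFIG: print the value of KEY (keyword matched
# case-insensitively, comments stripped), empty if unset. Last occurrence wins.
conf_value() {
    printf '%s\n' "$2" | sed 's/#.*//' |
        awk -v key="$1" 'toupper($1) == key { v = $2 } END { print v }'
}

# lint_sudo_ldap_conf CONFIG: print one FINDING line per weak setting.
# Exit status is the number of findings (0 means nothing was flagged).
lint_sudo_ldap_conf() {
    cfg=$1
    n=0

    # A BINDPW is a reusable directory credential copied to every sudo host.
    if [ -n "$(conf_value BINDPW "$cfg")" ]; then
        echo "FINDING: BINDPW stores a reusable directory password on the host"
        n=$((n + 1))
    fi

    # Anything short of demand lets a spoofed server hand out fake sudoers.
    reqcert=$(conf_value TLS_REQCERT "$cfg" | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow|try)
            echo "FINDING: TLS_REQCERT $reqcert accepts an unverified server certificate"
            n=$((n + 1)) ;;
    esac

    # Transport: ldaps:// is TLS from the first byte; plain ldap:// is only
    # acceptable when STARTTLS is forced (SSL start_tls) or GSSAPI supplies its
    # own integrity/confidentiality layer (assumed negotiated, libldap default).
    uri=$(conf_value URI "$cfg")
    mech=$(conf_value SASL_MECH "$cfg" | tr 'a-z' 'A-Z')
    ssl=$(conf_value SSL "$cfg" | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;
        *)
            if [ "$ssl" != "start_tls" ] && [ "$mech" != "GSSAPI" ]; then
                echo "FINDING: $uri carries the bind and sudoers lookups in cleartext"
                n=$((n + 1))
            fi ;;
    esac

    return "$n"
}

# Stand-alone run: report on both constructed configurations.
for name in WEAK_CONF GOOD_CONF; do
    eval "conf=\$$name"
    echo "== $name"
    lint_sudo_ldap_conf "$conf" || true
done
```

Run it as-is to see three findings for WEAK_CONF and none for GOOD_CONF; to check a real host, replace the argument with "$(cat /etc/sudo-ldap.conf)" (path varies by distribution). Note that the GSSAPI recipe only moves the credential problem rather than removing it: sudo still needs a ticket in the invoking user's credential cache, which is exactly the gap the post above describes for pubkey logins.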
