Sudo-plugin Client Configuration: SSSD
To use the sudo rules on your client machines, you must tell the clients where to look for them by configuring a sudo_provider. The following assumes SSSD as the LDAP client package.
If you are using SSSD as your client package, you should already have this installed, but confirm it now:
RHEL / CentOS
yum install sssd-common
**Debian User Please Edit**
The SSSD Services must be configured to accept sudo as a service provided by the LDAP server.
(NOTE: This was tested on a RHEL/CentOS machine but should be valid for other distributions using SSSD as an LDAP client as well.)
Edit the following config file: /etc/sssd/sssd.conf
Add “sudo” to the list of services under the “[sssd]” section. Note: the other entries listed below were default entries and yours may vary; the important part is adding “sudo” under “services”.
[sssd]
config_file_version = 2
services = nss, pam, sudo
Add a configuration section for sudo to /etc/sssd/sssd.conf.
# Default Entries
[nss]

[pam]

# Added Entry:
[sudo]
Now that the services are configured, you will have to tell your client where to look for the sudo rules.
Edit /etc/sssd/sssd.conf, and add the provider information to your LDAP domain:
# This is part of the basic configuration, provided for context
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com:389
ldap_search_base = dc=example,dc=com
enumerate = True

# This is the information we are concerned about
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
Add sudoers to your list of services in /etc/nsswitch.conf, with sss present. In the example below, the system consults the local sudoers file first, and then queries SSSD (LDAP) for sudo rules if nothing is found locally.
# Provided for context
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: sss files

# Part added:
sudoers: files sss
Now restart your sssd service. Your sudo rules should now be working!
service sssd restart
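The following check is an added example, not part of the original page. It verifies that the entries this page adds are present and flags a plain ldap:// URI without StartTLS, as in the sample above, because sudo rules would then be fetched unencrypted. The sample inputs are constructed; ldap_id_use_start_tls is an SSSD option that does not appear on this page, and the function names are hypothetical.

```python
import configparser

# Constructed samples that mirror the configuration shown on this page.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, sudo
[nss]
[pam]
[sudo]
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com:389
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
"""
NSSWITCH_CONF = "services: sss files\nsudoers: files sss  # added\n"

def check_sssd(text):
    """Return findings for the sudo-related settings in sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    services = cp.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in services.split(",")]:
        findings.append("[sssd] services does not include sudo")
    if not cp.has_section("sudo"):
        findings.append("[sudo] section is missing")
    for dom in [s for s in cp.sections() if s.startswith("domain/")]:
        for key in ("sudo_provider", "ldap_sudo_search_base"):
            if not cp.has_option(dom, key):
                findings.append(f"[{dom}] {key} is not set")
        uri = cp.get(dom, "ldap_uri", fallback="")
        # ldap_id_use_start_tls: SSSD option, not mentioned on this page.
        tls = cp.get(dom, "ldap_id_use_start_tls", fallback="false").lower()
        if uri.startswith("ldap://") and tls != "true":
            findings.append(f"[{dom}] ldap:// without StartTLS: "
                            "sudo rules cross the network unencrypted")
    return findings

def check_nsswitch(text):
    """Return findings for the sudoers line in nsswitch.conf text."""
    for line in text.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == "sudoers":
            return [] if "sss" in sources.split() else ["sudoers line does not list sss"]
    return ["no sudoers line"]

if __name__ == "__main__":
    for finding in check_sssd(SSSD_CONF) + check_nsswitch(NSSWITCH_CONF):
        print("FINDING:", finding)
```

To run it against a real client, pass the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf to the two functions instead of the samples.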