Sudo-plugin Client Configuration: SSSD

To make use of the sudo rules on your client machines, you have to tell the clients where to look for them by configuring a sudo_provider. The following assumes SSSD is the LDAP client package.

Confirm Packages

If you are using SSSD as your client package, you should already have this installed, but confirm it now:

RHEL / CentOS
yum install sssd-common
Debian: TODO
**Debian User Please Edit**

Configure Services

The SSSD Services must be configured to accept sudo as a service provided by the LDAP server.

(NOTE: This was tested on a RHEL/CentOS machine but should be valid for other distributions using SSSD as an LDAP client as well.)

Edit the following config file: /etc/sssd/sssd.conf

Add “sudo” to the list of services under the “[sssd]” section. Note: the other entries listed below were defaults and yours may vary; the important part is adding “sudo” under “services”.

[sssd]
config_file_version = 2
services = nss, pam, sudo

Add a configuration section for sudo to /etc/sssd/sssd.conf.

# Default Entries
[nss]
 
[pam]
 
# Added Entry:
[sudo]

Configure Provider

Now that the services are configured, you will have to tell your client where to look for the sudo rules.

Edit /etc/sssd/sssd.conf, and add the provider information to your LDAP domain:

# This is part of the basic configuration, provided for context
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com:389
ldap_search_base = dc=example,dc=com
enumerate = True
 
# This is the information we are concerned about
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

Configure nsswitch

Edit /etc/nsswitch.conf

Add sudoers to your list of services, with sss present. In the example below, the system consults the local sudoers file first and then queries SSSD (LDAP) for sudo rules if nothing is found locally.

# Provided for context
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   sss files
 
# Part added:
sudoers: files sss

Now restart your sssd service. Your sudo rules should now be working!

service sssd restart
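
To confirm that all three edits above are in place before relying on the rules, the following added example (not part of the original page or of SSSD) checks the text of sssd.conf and nsswitch.conf. The function name check_sudo_sssd is hypothetical and the sample strings are constructed from the values on this page.

```python
import configparser

# Constructed sample input, using the values shown on this page.
SAMPLE_SSSD = """[sssd]
services = nss, pam, sudo
[sudo]
[domain/LDAP]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
"""
SAMPLE_NSS = "services:   sss files\nsudoers: files sss\n"

def check_sudo_sssd(sssd_conf, nsswitch_conf):
    """Return a list of problems; an empty list means every step is in place."""
    problems = []
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(sssd_conf)

    # "sudo" must be listed under services in [sssd], and a [sudo] section must exist.
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services does not include sudo")
    if not cp.has_section("sudo"):
        problems.append("missing [sudo] section")

    # At least one domain must name a sudo_provider; a search base, if set, must
    # look like a DN (simplified: escaped commas inside values are not handled).
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    with_provider = [d for d in domains if cp.get(d, "sudo_provider", fallback="")]
    if not with_provider:
        problems.append("no [domain/...] section sets sudo_provider")
    for d in with_provider:
        base = cp.get(d, "ldap_sudo_search_base", fallback="")
        rdns = [r.partition("=") for r in base.split(",")]
        if base and any(not k.strip() or not v.strip() for k, _, v in rdns):
            problems.append(f"[{d}] ldap_sudo_search_base is not a DN: {base!r}")

    # nsswitch.conf needs a sudoers line that includes sss.
    sources = None
    for line in nsswitch_conf.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == "sudoers":
            sources = rest.split()
    if sources is None:
        problems.append("nsswitch.conf has no sudoers line")
    elif "sss" not in sources:
        problems.append("nsswitch.conf sudoers line does not include sss")
    return problems

if __name__ == "__main__":
    print(check_sudo_sssd(SAMPLE_SSSD, SAMPLE_NSS) or "all steps in place")
```

On a real client, pass the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf instead of the sample strings; reading sssd.conf normally requires root.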
en/documentation/plugin/sudo_plugin/sssd_client_configuration.txt · Last modified: 2017/10/31 10:32 (external edit)
CC Attribution-Share Alike 4.0 International