Bug 1123442

Summary: Applying the Configured sudo Policies to Hosts Using SSSD section do not mention sudo_provider nor ldap_sasl_mech
Product: Red Hat Enterprise Linux 6 Reporter: Javier Ramirez <javier.ramirez>
Component: doc-Identity_Management_GuideAssignee: Tomas Capek <tcapek>
Status: CLOSED NOTABUG QA Contact: ecs-bugs
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: jhrozek
Target Milestone: rcKeywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-31 17:01:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Javier Ramirez 2014-07-25 16:10:47 UTC 
Description of problem:

The RHEL6 Identity Management Guide, chapter 20.4.2 , "Applying the Configured sudo Policies to Hosts Using SSSD" provides instructions on how to configure sudo to use SSSD.  However, these instructions do not work unless the following parameters are set inside the [domain/example.com] of sssd.conf:

sudo_provider = ldap
ldap_sasl_mech = GSSAPI

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.5
Identity Management Guide
Managing Identity and Authorization Policies for Linux-Based Infrastructures
Edition 3.0.0

How reproducible:
Always

Steps to Reproduce:
1. Follow documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/config-sudo-clients.html#example-configuring-sudo-sssd
2. Try to sudo


Actual results:
Sudo rules are not retrieved from ipa server

Expected results:
Error should not occur, and if sudo is properly configured, access should be granted.

Additional info:
According to sssd-ldap manpage:
- sudo_provider default value is based on id_provider and we set that to ipa, while it needs to be ldap because ipa sudo provider is not yet working on current versions of sssd.
- ldap_sasl_mech default value is "not set" but we only support GSSAPI
Comment 2 Javier Ramirez 2014-07-28 07:07:22 UTC 
Maybe is also a good idea to mention that there are some other parameters which default values could not match your environment and could require adjustments:

ldap_uri = ldap://ipa-server.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_authid = host/ipa-client.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa-server.example.com

Check man sssd-ldap to check for the default options.
Comment 3 Tomas Capek 2014-07-31 17:01:49 UTC 
I spoke with Jakub (cc'd) and he confirmed that in RHEL 6.6, the mentioned configuration will be added automatically if missing, which fixes this problem.

Therefore, there is no actual impact on documentation.
Comment 4 Jakub Hrozek 2014-08-01 09:14:38 UTC 
In the meantime, this issue might be a nice kbase article (unless we have some already)