Bug 1123442 - Applying the Configured sudo Policies to Hosts Using SSSD section do not mention sudo_provider nor ldap_sasl_mech
Summary: Applying the Configured sudo Policies to Hosts Using SSSD section do not ment...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Tomas Capek
QA Contact: ecs-bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-25 16:10 UTC by Javier Ramirez
Modified: 2014-08-01 10:35 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-31 17:01:49 UTC

Attachments (Terms of Use)

Description Javier Ramirez 2014-07-25 16:10:47 UTC
Description of problem:

The RHEL6 Identity Management Guide, chapter 20.4.2 , "Applying the Configured sudo Policies to Hosts Using SSSD" provides instructions on how to configure sudo to use SSSD.  However, these instructions do not work unless the following parameters are set inside the [domain/example.com] of sssd.conf:

sudo_provider = ldap
ldap_sasl_mech = GSSAPI

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.5
Identity Management Guide
Managing Identity and Authorization Policies for Linux-Based Infrastructures
Edition 3.0.0

How reproducible:

Steps to Reproduce:
1. Follow documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/config-sudo-clients.html#example-configuring-sudo-sssd
2. Try to sudo

Actual results:
Sudo rules are not retrieved from ipa server

Expected results:
Error should not occur, and if sudo is properly configured, access should be granted.

Additional info:
According to sssd-ldap manpage:
- sudo_provider default value is based on id_provider and we set that to ipa, while it needs to be ldap because ipa sudo provider is not yet working on current versions of sssd.
- ldap_sasl_mech default value is "not set" but we only support GSSAPI

Comment 2 Javier Ramirez 2014-07-28 07:07:22 UTC
Maybe is also a good idea to mention that there are some other parameters which default values could not match your environment and could require adjustments:

ldap_uri = ldap://ipa-server.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_authid = host/ipa-client.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa-server.example.com

Check man sssd-ldap to check for the default options.

Comment 3 Tomas Capek 2014-07-31 17:01:49 UTC
I spoke with Jakub (cc'd) and he confirmed that in RHEL 6.6, the mentioned configuration will be added automatically if missing, which fixes this problem.

Therefore, there is no actual impact on documentation.

Comment 4 Jakub Hrozek 2014-08-01 09:14:38 UTC
In the meantime, this issue might be a nice kbase article (unless we have some already)

Note You need to log in before you can comment on or make changes to this bug.