Description of problem:
The RHEL6 Identity Management Guide, chapter 20.4.2 , "Applying the Configured sudo Policies to Hosts Using SSSD" provides instructions on how to configure sudo to use SSSD. However, these instructions do not work unless the following parameters are set inside the [domain/example.com] of sssd.conf:
sudo_provider = ldap
ldap_sasl_mech = GSSAPI
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6.5
Identity Management Guide
Managing Identity and Authorization Policies for Linux-Based Infrastructures
Steps to Reproduce:
1. Follow documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/config-sudo-clients.html#example-configuring-sudo-sssd
2. Try to sudo
Sudo rules are not retrieved from ipa server
Error should not occur, and if sudo is properly configured, access should be granted.
According to sssd-ldap manpage:
- sudo_provider default value is based on id_provider and we set that to ipa, while it needs to be ldap because ipa sudo provider is not yet working on current versions of sssd.
- ldap_sasl_mech default value is "not set" but we only support GSSAPI
Maybe is also a good idea to mention that there are some other parameters which default values could not match your environment and could require adjustments:
ldap_uri = ldap://ipa-server.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_authid = host/ipa-client.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa-server.example.com
Check man sssd-ldap to check for the default options.
I spoke with Jakub (cc'd) and he confirmed that in RHEL 6.6, the mentioned configuration will be added automatically if missing, which fixes this problem.
Therefore, there is no actual impact on documentation.
In the meantime, this issue might be a nice kbase article (unless we have some already)