
FreeIPA Training Series

SSSD and SUDO integration

Pavel Březina

12-20-2012

Introduction to SUDO

SUDO is a utility that allows a user to run a program as a different user (typically as root)

Typical usage is to grant a user the privilege to run a program with root permissions without knowledge of root's password

Who can run what on behalf of whom is specified by rules

SUDO rules sources

Rules can be stored in a file (/etc/sudoers) or in LDAP

SUDO will look up rules in the sources specified in /etc/nsswitch.conf; the database is called sudoers

/etc/sudoers is used mainly for local users

LDAP is used for centralized identity management

Motivation

We use FreeIPA or another LDAP-based identity management solution

We want to distribute SUDO rules across all machines in the domain, so we will use LDAP as a source for SUDO rules

Everything works fine... until the LDAP server or the network goes down

Motivation

Because we can't access the LDAP server, we can't use SUDO

Because we can't use SUDO, we need to get the guy who knows the root password to run network diagnostic tools...

...or we can use SSSD as a middleman between LDAP and SUDO

SSSD will cache the rules and make SUDO work when offline

LDAP schema for SUDO rules

sudoUser
  Which user does this rule apply to

sudoHost
  Which machine does this rule apply to

sudoCommand
  Which command is the user allowed to run

sudoNotBefore, sudoNotAfter
  Define the time span during which the rule is applied

For more attributes please see man sudoers.ldap

SUDO rules examples

# this is a special rule that contains default options that are inherited by all rules
dn: cn=defaults,ou=sudorules,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: !requiretty

# allow pbrezina to run all commands on pbrezina.example.com
dn: cn=pbrezina-allow-all,ou=sudorules,dc=example,dc=com
objectClass: sudoRole
cn: pbrezina-allow-all
sudoHost: pbrezina.example.com
sudoUser: pbrezina
sudoCommand: ALL

# sudoHost is a mandatory attribute for all rules other than cn=defaults
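
To show how the attributes above combine, here is an added Python example (not part of the training slides) that parses sudoRole entries in this LDIF form and lists the rules applying to a given user on a given host at a given time. The LDIF, including the extra time-limited "oncall-restart" rule, is constructed for the example, and sudoHost/sudoUser matching is reduced to ALL, exact names and %group; netgroups, hostgroups and wildcards are not handled.

```python
from datetime import datetime

# Constructed LDIF: the two entries from the slide plus a time-limited group rule.
LDIF = """\
dn: cn=defaults,ou=sudorules,dc=example,dc=com
cn: defaults
sudoOption: !requiretty

dn: cn=pbrezina-allow-all,ou=sudorules,dc=example,dc=com
cn: pbrezina-allow-all
sudoHost: pbrezina.example.com
sudoUser: pbrezina
sudoCommand: ALL

dn: cn=oncall-restart,ou=sudorules,dc=example,dc=com
cn: oncall-restart
sudoHost: ALL
sudoUser: %oncall
sudoCommand: /usr/bin/systemctl restart sshd
sudoNotBefore: 20121220000000Z
sudoNotAfter: 20121221000000Z
"""
# LDAP generalized time in the UTC "Z" form used by sudoNotBefore/sudoNotAfter
GENTIME = "%Y%m%d%H%M%SZ"

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def rules_for(entries, user, groups, host, now):
    """cn of every non-default sudoRole that applies to user@host at UTC time now."""
    matched = []
    for e in entries:
        if e.get("cn") == ["defaults"]:
            continue  # carries sudoOption defaults only, grants nothing by itself
        hosts, users = e.get("sudoHost", []), e.get("sudoUser", [])
        host_ok = "ALL" in hosts or host in hosts
        user_ok = "ALL" in users or user in users or any("%" + g in users for g in groups)
        # Validity window: a missing bound means no limit on that side.
        too_early = any(now < datetime.strptime(v, GENTIME) for v in e.get("sudoNotBefore", []))
        too_late = any(now >= datetime.strptime(v, GENTIME) for v in e.get("sudoNotAfter", []))
        if host_ok and user_ok and not (too_early or too_late):
            matched.append(e["cn"][0])
    return matched
```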

SUDO rules in FreeIPA

FreeIPA supports serving SUDO rules

The traditional schema has limitations

For better manageability FreeIPA uses a custom schema

For compatibility with clients FreeIPA translates the custom schema via a special compat tree:
  ou=sudoers,dc=example,dc=com

The compat tree is not readable using an anonymous bind

SSSD does not support the FreeIPA schema yet, only the standard schema exposed via the compat tree

Configuring SUDO to work with SSSD

You need to configure SUDO to use the "sss" source for the sudoers database in /etc/nsswitch.conf

That's it!

For example:

sudoers: sss
  This will force SUDO to use SSSD as its only data source

sudoers: files sss
  SUDO will use both /etc/sudoers and SSSD

Configuring SSSD to cache SUDO rules

Add "sudo" to the "services" option in the [sssd] section of /etc/sssd/sssd.conf

When using LDAP as backend
  That's it!

When using FreeIPA as backend
  SSSD doesn't support FreeIPA as a SUDO provider yet
  You need to use the FreeIPA provider for identity and the LDAP provider for SUDO
  You need to use an authenticated channel to access the SUDO rules on the FreeIPA LDAP server

Example configuration - SSSD with LDAP

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
ldap_uri = ldap://example.com

Example configuration - SSSD with FreeIPA server

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = EXAMPLE

[domain/EXAMPLE]
# standard FreeIPA configuration
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
# configure SUDO and GSSAPI authentication
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.example.com
ldap_sasl_realm = EXAMPLE.COM
krb5_server = ipa.example.com

How SSSD caches rules

Keeping cached rules consistent with LDAP is critical

SSSD performs three types of updates:
  Full refresh
  Smart refresh
  Rules refresh

SSSD stores all rules that apply to the machine

Full refresh

Replaces all cached rules with those currently available in the LDAP server

It is used to delete rules that are no longer present in the LDAP server

Full refresh may be:
  Periodical - once in several hours
  Out of band - on demand of rules refresh

Smart refresh

Smart refresh aims to keep the cache growing

It periodically stores rules that are new or modified in the LDAP server

It will never delete any rule from the cache

As a consequence, it will not detect a change in the sudoHost attribute such that the rule no longer applies to the machine

Rules refresh

When a user runs SUDO, SSSD tries to refresh all rules that are expired and apply to this user

Its purpose is to delete rules that are no longer present in the LDAP server, so SSSD will not grant more permission than defined

If any rule is deleted from the cache, SSSD will perform an out-of-band full refresh, because more rules that are not yet expired may have been deleted

Caching mechanisms summary

                      | Full refresh                     | Smart refresh                     | Rules refresh
----------------------|----------------------------------|-----------------------------------|--------------------------------------
When                  | default: every 6 hours, or when  | every 15 minutes                  | when a user runs SUDO; rules expire
                      | a rule is deleted from the cache |                                   | after 90 minutes
Why                   | keep the cache consistent        | store new rules                   | do not grant the user more privilege
Operations            | insert, delete                   | insert, modify                    | modify, delete
Expected traffic      | large                            | small                             | small
Configuration option  | ldap_sudo_full_refresh_interval  | ldap_sudo_smart_refresh_interval  | entry_cache_sudo_timeout
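
As an added illustration of the three refresh types (not part of the slides and not SSSD's own code), a small Python model of a per-host sudo rule cache: smart refresh only inserts and modifies, so a rule whose sudoHost moved elsewhere stays cached until its entry expires, when rules refresh drops it and forces a full refresh. Times are minutes as plain integers and the "server" dict stands in for LDAP; both are constructed here.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    cn: str
    host: str   # sudoHost: "ALL" or one hostname
    user: str   # sudoUser: "ALL" or one user name
    mtime: int  # modifyTimestamp on the server, modelled as a plain counter

class SudoCache:
    """Simplified model of how SSSD keeps the sudo rule cache for one host."""

    def __init__(self, server, hostname, entry_timeout=90):
        self.server, self.host, self.timeout = server, hostname, entry_timeout  # timeout in minutes
        self.rules = {}      # cn -> (Rule, minute at which it was cached)
        self.last_mtime = 0  # high-water mark used by smart refresh
        self.full_refreshes = 0

    def _applies(self, rule):
        return rule.host in ("ALL", self.host)

    def full_refresh(self, now):
        # Replace the whole cache with what the server has for this host.
        self.full_refreshes += 1
        self.rules = {r.cn: (r, now) for r in self.server.values() if self._applies(r)}
        self.last_mtime = max([r.mtime for r in self.server.values()] + [0])

    def smart_refresh(self, now):
        # Fetch only entries modified since the last refresh; insert or modify, never delete.
        seen = [r for r in self.server.values() if r.mtime > self.last_mtime and self._applies(r)]
        for r in seen:
            self.rules[r.cn] = (r, now)
        if seen:
            self.last_mtime = max(r.mtime for r in seen)

    def rules_refresh(self, user, now):
        # On "sudo" by user: re-fetch that user's expired rules by name and host; a rule the
        # server no longer returns is dropped, and any drop triggers an out-of-band full refresh.
        dropped = False
        for cn, (r, cached_at) in list(self.rules.items()):
            if r.user not in ("ALL", user) or now < cached_at + self.timeout:
                continue
            fresh = self.server.get(cn)
            if fresh is None or not self._applies(fresh):
                del self.rules[cn]
                dropped = True
            else:
                self.rules[cn] = (fresh, now)
        if dropped:
            self.full_refresh(now)
```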

Obtaining debugging information

Enable the SUDO log in /etc/sudo.conf:
  Debug sudo /var/log/sudo_debug all@debug

Increase the SSSD debug level in /etc/sssd/sssd.conf, in each section ([sssd], [sudo], ...):
  debug_level = level

0x3ff0 is a very verbose level that will usually give us enough information

Additional information

SSSD manual pages
  sssd.conf
  sssd-ldap
  sssd-sudo

SUDO manual pages
  sudoers
  sudoers.ldap
