• 1
Well done. When I was testing the SUDO WebUI for FreeIPA, I realized just how painful it was to deal with the client side configuration. SSSD was the path forward then, and I am glad to see we've arrived!

Thank you. The support for the FreeIPA native schema is not implemented yet, though. We chose to support the more generic LDAP schema, which is exposed using the compat plugin on a FreeIPA server first, and add the native FreeIPA schema in upstream SSSD 1.10.

My IPA server has the compat plugin enabled, but I cannot get sudo to work via sssd (sssd-1.8.3-11.fc17). Seems to work fine via ldap, but I am at a loss as to how to conifgure it to work with sssd. Any ideas?

Do you have any bind user enabled for accessing the rules? One of the reasons sssd might not work is that the current version only uses unauthenticated binds to the IPA server, while IPA protects the sudo rules with ACIs even in the compat tree by default.

So to access the rules on the IPA, you'd have to either set sssd to use password bind mounts or change the ACIs for the compat tree.

Native IPA support is on the roadmap for 1.10.

i have same problem, but im using centos6 and rhel6, where i can got sudo rpm with sss backend enabled.

It's going to be part of RHEL6.4.

Alternatively, for testing purposes, you can rebuild the sudo and sssd packages from F-18.

I just followed your guide, and it... just works !
Thanks for the nice step by step explanation.

PS My server is openldap 2.4 (a fedora 15 minimalist installation).

sssd + sudo + ad provide

Hello, work very well with sssd+ad provider, but sudo very slow working when running first time(running again - 1-2sec),
user1@host$ sudo su - ( slow ~ 8-15 sec).

user1 member of many groups (~300) in Active Directory.

debug_level= 6
In /var/log/sssd/sssd_nss.log more requesting to domain,when run sudo.

  • 1

Log in