8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<?xml version="1.0" encoding="UTF-8"?>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<reference>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<title>SSSD Manual pages</title>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<refentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refmeta>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sssd-sudo</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refmeta>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refnamediv id='name'>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refname>sssd-sudo</refname>

04b0ea7402f3268d382143493f5f12aa0bfe1a2bJakub Hrozek <refpurpose>Configuring sudo with the SSSD back end</refpurpose>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refnamediv>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refsect1 id='description'>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <title>DESCRIPTION</title>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina This manual page describes how to configure

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sudo</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>8</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry> to work with

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sssd</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>8</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry> and how SSSD caches sudo rules.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refsect1>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refsect1 id='sudo'>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <title>Configuring sudo to cooperate with SSSD</title>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina To enable SSSD as a source for sudo rules, add

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <emphasis>sss</emphasis> to the <emphasis>sudoers</emphasis> entry

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina in

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>nsswitch.conf</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry>.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina For example, to configure sudo to first lookup rules in the standard

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sudoers</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry> file (which should contain rules that apply to

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina local users) and then in SSSD, the nsswitch.conf file should contain

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina the following line:

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<programlisting>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinasudoers: files sss

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina</programlisting>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina More information about configuring the sudoers search order from the

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina nsswitch.conf file as well as information about the LDAP schema that

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina is used to store sudo rules in the directory can be found in

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sudoers.ldap</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry>.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <para>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <emphasis>Note</emphasis>: in order to use netgroups or IPA

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina hostgroups in sudo rules, you also need to correctly set

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <citerefentry>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <refentrytitle>nisdomainname</refentrytitle>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <manvolnum>1</manvolnum>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina </citerefentry>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina to your NIS domain name (which equals to IPA domain name when

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina using hostgroups).

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refsect1>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refsect1 id='sssd'>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <title>Configuring SSSD to fetch sudo rules</title>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <para>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina All configuration that is needed on SSSD side is to extend the list

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina of <emphasis>services</emphasis> with "sudo" in [sssd] section of

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <citerefentry>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <refentrytitle>sssd.conf</refentrytitle>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <manvolnum>5</manvolnum>

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina </citerefentry>. To speed up the LDAP lookups, you can also set

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina search base for sudo rules using

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina <emphasis>ldap_sudo_search_base</emphasis> option.

6835cbe127490f99b5b28ddf133924d905cf78fdPavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina The following example shows how to configure SSSD to download sudo

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina rules from an LDAP server.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina<programlisting>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina[sssd]

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinaconfig_file_version = 2

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinaservices = nss, pam, sudo

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinadomains = EXAMPLE

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina[domain/EXAMPLE]

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinaid_provider = ldap

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinasudo_provider = ldap

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinaldap_uri = ldap://example.com

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březinaldap_sudo_search_base = ou=sudoers,dc=example,dc=com

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina</programlisting>

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio <phrase condition="have_systemd">

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio It's important to note that on platforms where systemd is supported

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio there's no need to add the "sudo" provider to the list of services,

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio as it became optional. However, sssd-sudo.socket must be enabled

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio instead.

9cd29d64f1c556fd222491a34229393b4462f126Fabiano Fidêncio </phrase>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson When SSSD is configured to use IPA as the ID provider, the

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson sudo provider is automatically enabled. The sudo search base is

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson configured to use the IPA native LDAP tree (cn=sudo,$SUFFIX).

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson If any other search base is defined in sssd.conf, this value will be

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson used instead. The compat tree (ou=sudoers,$SUFFIX) is no longer

72bab5640b3ec57950b53dad0fb3042ea563592cJustin Stephenson required for IPA sudo functionality.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refsect1>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refsect1 id='cache'>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <title>The SUDO rule caching mechanism</title>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina The biggest challenge, when developing sudo support in SSSD, was to

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina ensure that running sudo with SSSD as the data source provides the

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina same user experience and is as fast as sudo but keeps providing

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina the most current set of rules as possible. To satisfy these

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina requirements, SSSD uses three kinds of updates. They are referred to

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina as full refresh, smart refresh and rules refresh.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina The <emphasis>smart refresh</emphasis> periodically downloads rules

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina that are new or were modified after the last update. Its primary

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina goal is to keep the database growing by fetching only small

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina increments that do not generate large amounts of network traffic.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina The <emphasis>full refresh</emphasis> simply deletes all sudo rules

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina stored in the cache and replaces them with all rules that are stored

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina on the server. This is used to keep the cache consistent by removing

c0d9babd59c81c12ca182ab3a72176d4fae494a4Yuri Chornoivan every rule which was deleted from the server. However, full refresh

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina may produce a lot of traffic and thus it should be run only

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina occasionally depending on the size and stability of the sudo rules.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina The <emphasis>rules refresh</emphasis> ensures that we do not grant

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina the user more permission than defined. It is triggered each time the

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina user runs sudo. Rules refresh will find all rules that apply to this

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina user, check their expiration time and redownload them if expired.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina In the case that any of these rules are missing on the server, the

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina SSSD will do an out of band full refresh because more rules

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina (that apply to other users) may have been deleted.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina If enabled, SSSD will store only rules that can be applied to this

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina machine. This means rules that contain one of the following values

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina in <emphasis>sudoHost</emphasis> attribute:

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <itemizedlist>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina keyword ALL

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

b24712874c686977465a551a3129133cec884584Pavel Březina wildcard

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina netgroup (in the form "+netgroup")

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina hostname or fully qualified domain name of this machine

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina one of the IP addresses of this machine

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina one of the IP addresses of the network

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina (in the form "address/mask")

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </listitem>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </itemizedlist>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina There are many configuration options that can be used to adjust

c0d9babd59c81c12ca182ab3a72176d4fae494a4Yuri Chornoivan the behavior. Please refer to "ldap_sudo_*" in

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sssd-ldap</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry> and "sudo_*" in

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <citerefentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <refentrytitle>sssd.conf</refentrytitle>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <manvolnum>5</manvolnum>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </citerefentry>.

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </para>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina </refsect1>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina</refentry>

8a2a49333b7df3a4b86db42cd20ec8286d2788d3Pavel Březina</reference>