1SSSD-SUDO(5) File Formats and Conventions SSSD-SUDO(5)
2
3
4
6 sssd-sudo - Configuring sudo with the SSSD back end
7
9 This manual page describes how to configure sudo(8) to work with
10 sssd(8) and how SSSD caches sudo rules.
11
13 To enable SSSD as a source for sudo rules, add sss to the sudoers entry
14 in nsswitch.conf(5).
15
16 For example, to configure sudo to first lookup rules in the standard
17 sudoers(5) file (which should contain rules that apply to local users)
18 and then in SSSD, the nsswitch.conf file should contain the following
19 line:
20
21 sudoers: files sss
22
23 More information about configuring the sudoers search order from the
24 nsswitch.conf file as well as information about the LDAP schema that is
25 used to store sudo rules in the directory can be found in
26 sudoers.ldap(5).
27
28 Note: in order to use netgroups or IPA hostgroups in sudo rules, you
29 also need to correctly set nisdomainname(1) to your NIS domain name
30 (which equals to IPA domain name when using hostgroups).
31
33 All configuration that is needed on SSSD side is to extend the list of
34 services with "sudo" in [sssd] section of sssd.conf(5). To speed up the
35 LDAP lookups, you can also set search base for sudo rules using
36 ldap_sudo_search_base option.
37
38 The following example shows how to configure SSSD to download sudo
39 rules from an LDAP server.
40
41 [sssd]
42 config_file_version = 2
43 services = nss, pam, sudo
44 domains = EXAMPLE
45
46 [domain/EXAMPLE]
47 id_provider = ldap
48 sudo_provider = ldap
49 ldap_uri = ldap://example.com
50 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
51
52
53 It's important to note that on platforms where systemd is supported
54 there's no need to add the "sudo" provider to the list of services, as
55 it became optional. However, sssd-sudo.socket must be enabled instead.
56
57 When SSSD is configured to use IPA as the ID provider, the sudo
58 provider is automatically enabled. The sudo search base is configured
59 to use the IPA native LDAP tree (cn=sudo,$SUFFIX). If any other search
60 base is defined in sssd.conf, this value will be used instead. The
61 compat tree (ou=sudoers,$SUFFIX) is no longer required for IPA sudo
62 functionality.
63
65 The biggest challenge, when developing sudo support in SSSD, was to
66 ensure that running sudo with SSSD as the data source provides the same
67 user experience and is as fast as sudo but keeps providing the most
68 current set of rules as possible. To satisfy these requirements, SSSD
69 uses three kinds of updates. They are referred to as full refresh,
70 smart refresh and rules refresh.
71
72 The smart refresh periodically downloads rules that are new or were
73 modified after the last update. Its primary goal is to keep the
74 database growing by fetching only small increments that do not generate
75 large amounts of network traffic.
76
77 The full refresh simply deletes all sudo rules stored in the cache and
78 replaces them with all rules that are stored on the server. This is
79 used to keep the cache consistent by removing every rule which was
80 deleted from the server. However, full refresh may produce a lot of
81 traffic and thus it should be run only occasionally depending on the
82 size and stability of the sudo rules.
83
84 The rules refresh ensures that we do not grant the user more permission
85 than defined. It is triggered each time the user runs sudo. Rules
86 refresh will find all rules that apply to this user, check their
87 expiration time and redownload them if expired. In the case that any of
88 these rules are missing on the server, the SSSD will do an out of band
89 full refresh because more rules (that apply to other users) may have
90 been deleted.
91
92 If enabled, SSSD will store only rules that can be applied to this
93 machine. This means rules that contain one of the following values in
94 sudoHost attribute:
95
96 · keyword ALL
97
98 · wildcard
99
100 · netgroup (in the form "+netgroup")
101
102 · hostname or fully qualified domain name of this machine
103
104 · one of the IP addresses of this machine
105
106 · one of the IP addresses of the network (in the form "address/mask")
107
108 There are many configuration options that can be used to adjust the
109 behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in
110 sssd.conf(5).
111
113 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
114 sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-session-recording(5),
115 sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8),
116 sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
117 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
118 sssd-systemtap(5)
119
121 The SSSD upstream - https://pagure.io/SSSD/sssd/
122
123
124
125SSSD 07/01/2019 SSSD-SUDO(5)