1SSSD-SUDO(5) File Formats and Conventions SSSD-SUDO(5)
2
3
4
6 sssd-sudo - Configuring sudo with the SSSD back end
7
9 This manual page describes how to configure sudo(8) to work with
10 sssd(8) and how SSSD caches sudo rules.
11
13 To enable SSSD as a source for sudo rules, add sss to the sudoers entry
14 in nsswitch.conf(5).
15
16 For example, to configure sudo to first lookup rules in the standard
17 sudoers(5) file (which should contain rules that apply to local users)
18 and then in SSSD, the nsswitch.conf file should contain the following
19 line:
20
21 sudoers: files sss
22
23 More information about configuring the sudoers search order from the
24 nsswitch.conf file as well as information about the LDAP schema that is
25 used to store sudo rules in the directory can be found in
26 sudoers.ldap(5).
27
28 Note: in order to use netgroups or IPA hostgroups in sudo rules, you
29 also need to correctly set nisdomainname(1) to your NIS domain name
30 (which equals to IPA domain name when using hostgroups).
31
33 All configuration that is needed on SSSD side is to extend the list of
34 services with "sudo" in [sssd] section of sssd.conf(5). To speed up the
35 LDAP lookups, you can also set search base for sudo rules using
36 ldap_sudo_search_base option.
37
38 The following example shows how to configure SSSD to download sudo
39 rules from an LDAP server.
40
41 [sssd]
42 config_file_version = 2
43 services = nss, pam, sudo
44 domains = EXAMPLE
45
46 [domain/EXAMPLE]
47 id_provider = ldap
48 sudo_provider = ldap
49 ldap_uri = ldap://example.com
50 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
51
52
53 It's important to note that on platforms where systemd is supported
54 there's no need to add the "sudo" provider to the list of services, as
55 it became optional. However, sssd-sudo.socket must be enabled instead.
56
57 When SSSD is configured to use IPA as the ID provider, the sudo
58 provider is automatically enabled. The sudo search base is configured
59 to use the IPA native LDAP tree (cn=sudo,$SUFFIX). If any other search
60 base is defined in sssd.conf, this value will be used instead. The
61 compat tree (ou=sudoers,$SUFFIX) is no longer required for IPA sudo
62 functionality.
63
65 The biggest challenge, when developing sudo support in SSSD, was to
66 ensure that running sudo with SSSD as the data source provides the same
67 user experience and is as fast as sudo but keeps providing the most
68 current set of rules as possible. To satisfy these requirements, SSSD
69 uses three kinds of updates. They are referred to as full refresh,
70 smart refresh and rules refresh.
71
72 The smart refresh periodically downloads rules that are new or were
73 modified after the last update. Its primary goal is to keep the
74 database growing by fetching only small increments that do not generate
75 large amounts of network traffic.
76
77 The full refresh simply deletes all sudo rules stored in the cache and
78 replaces them with all rules that are stored on the server. This is
79 used to keep the cache consistent by removing every rule which was
80 deleted from the server. However, full refresh may produce a lot of
81 traffic and thus it should be run only occasionally depending on the
82 size and stability of the sudo rules.
83
84 The rules refresh ensures that we do not grant the user more permission
85 than defined. It is triggered each time the user runs sudo. Rules
86 refresh will find all rules that apply to this user, check their
87 expiration time and redownload them if expired. In the case that any of
88 these rules are missing on the server, the SSSD will do an out of band
89 full refresh because more rules (that apply to other users) may have
90 been deleted.
91
92 If enabled, SSSD will store only rules that can be applied to this
93 machine. This means rules that contain one of the following values in
94 sudoHost attribute:
95
96 • keyword ALL
97
98 • wildcard
99
100 • netgroup (in the form "+netgroup")
101
102 • hostname or fully qualified domain name of this machine
103
104 • one of the IP addresses of this machine
105
106 • one of the IP addresses of the network (in the form "address/mask")
107
108 There are many configuration options that can be used to adjust the
109 behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5) and "sudo_*" in
110 sssd.conf(5).
111
113 SSSD uses different kinds of mechanisms with more or less complex LDAP
114 filters to keep the cached sudo rules up to date. The default
115 configuration is set to values that should satisfy most of our users,
116 but the following paragraps contains few tips on how to fine tune the
117 configuration to your requirements.
118
119 1. Index LDAP attributes. Make sure that following LDAP attributes are
120 indexed: objectClass, cn, entryUSN or modifyTimestamp.
121
122 2. Set ldap_sudo_search_base. Set the search base to the container
123 that holds the sudo rules to limit the scope of the lookup.
124
125 3. Set full and smart refresh interval. If your sudo rules do not
126 change often and you do not require quick update of cached rules on
127 your clients, you may consider increasing the
128 ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval.
129 You may also consider disabling the smart refresh by setting
130 ldap_sudo_smart_refresh_interval = 0.
131
132 4. If you have large number of clients, you may consider increasing the
133 value of ldap_sudo_random_offset to distribute the load on the server
134 better.
135
137 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
138 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
139 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
140 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
141 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
142 sssd-systemtap(5)
143
145 The SSSD upstream - https://github.com/SSSD/sssd/
146
147
148
149SSSD 05/19/2021 SSSD-SUDO(5)