From Fedora Project Wiki
Description
SUDO testing.
Setup
- Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
- Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
- Configure NIS on the server (see QA:Testcase_freeipav2_nis)
- This requires a separate client machine from the IPA server machine (see QA:Testcase_freeipav2_client_enrollment)
How to test
Configuring the server
- Setup the hostgroup
- a. Add a hostgroup:
# ipa hostgroup-add hostgroup-name
- b. Add the client host to the hostgroup:
# ipa hostgroup-add-member --hosts=host.example.com hostgroup-name
- Setup the user
- a. Add a new user:
# ipa user-add username
- b. Set the temp password:
# ipa user-mod --password username
- c. Reset with the permanent password:
# kinit username
- d. Add a group:
# ipa group-add group-name
- e. Add the new user to the group:
# ipa group-add-member --users=username group-name
- Setup a BIND user
- a. Create the bind user:
# ipa user-add bindusername
- b. Set the temp password:
# ipa user-mod --password bindusername
- c. Reset with the permanent password:
# kinit bindusername
- Setup Sudo Commands
- a. Add a sudo command:
# ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
- b. Add a sudo command group:
# ipa sudocmdgroup-add --desc='Read Only Commands' readonly
- c. Add the commanad to the group:
# ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
- Setup Sudo Rule
- a. Add a sudo rule:
# ipa sudorule-add sudorule-name
- b. Add the allow commands:
# ipa sudorule-add-allow-command --sudocmdgroups=readonly sudorule-name
- c. Add the hosts:
# ipa sudorule-add-host --hostgroups=hostgroup-name sudorule-name
- d. Add the users:
# ipa sudorule-add-user --groups=group-name sudorule-name
Configure Client for SUDO
- Configure SUDO to look to LDAP for SUDOers
- a. Add the following lines to /etc/nsswitch.conf:
sudoers: ldap
- Configure SSSD to look for NIS Netgroups
- a. Add the following beneath the "ipa_server" entry in /etc/sssd/sssd.conf:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
- b. Restart the SSSD Daemon for changes to take effect:
# service sssd restart
- Edit the LDAP Configuration file for SUDO:
- a. Add the following to /etc/nss_ldap.conf:
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=binduser,cn=users,cn=accounts,dc=example,dc=com
bindpw bind_password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipa.example.com
- b. To support compatibility create a symlink for the legacy configuration:
# ln -s /etc/nss_ldap.conf /etc/ldap.conf
- Setup NIS Domain
- Sudo still utilizes NIS Netgroups. To support the client side identification of NIS Netgroup Domains you must define your NIS Domain Name. This is done via the command:
# nisdomainname example.com
- There is a bug file with Fedora to address this config requirement at boot time.
/etc/rc.local:
nisdomainname example.com
Test SUDO on the client
- Execute the allowed command - observe success.
- Execute a new command that is not mentioned and thus not allowed.
- Add a new command to the group of the commands that are referenced as allowed commands from the SUDO rule you have created on step 2.
- Try this command again and see that it is now allowed.
Expected Results
All the test steps should end with the specified results.