QA:Testcase freeipav2 sudo

{{QA/Test_Case
 * description=SUDO testing.
 * setup=
 * 1) Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
 * 2) Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
 * 3) Configure NIS on the server (see QA:Testcase_freeipav2_nis)
 * 4) This requires a separate client machine from the IPA server machine (see QA:Testcase_freeipav2_client_enrollment)


 * actions=

Configuring the server

 * Set up the hostgroup
 ** a. Add a hostgroup:
 *** 1) ipa hostgroup-add hostgroup-name
 ** b. Add the client host to the hostgroup:
 *** 1) ipa hostgroup-add-member --hosts=host.example.com hostgroup-name
 * Set up the user
 ** a. Add a new user:
 *** 1) ipa user-add username
 ** b. Set the temp password:
 *** 1) ipa user-mod --password username
 ** c. Reset with the permanent password:
 *** 1) kinit username
 ** d. Add a group:
 *** 1) ipa group-add group-name
 ** e. Add the new user to the group:
 *** 1) ipa group-add-member --users=username group-name
 * Set up a BIND user
 ** a. Create the bind user:
 *** 1) ipa user-add bindusername
 ** b. Set the temp password:
 *** 1) ipa user-mod --password bindusername
 ** c. Reset with the permanent password:
 *** 1) kinit bindusername
 * Set up Sudo Commands
 ** a. Add a sudo command:
 *** 1) ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
 ** b. Add a sudo command group:
 *** 1) ipa sudocmdgroup-add --desc='Read Only Commands' readonly
 ** c. Add the command to the group:
 *** 1) ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
 * Set up Sudo Rule
 ** a. Add a sudo rule:
 *** 1) ipa sudorule-add sudorule-name
 ** b. Add the allowed commands:
 *** 1) ipa sudorule-add-allow-command --sudocmdgroups=readonly sudorule-name
 ** c. Add the hosts:
 *** 1) ipa sudorule-add-host --hostgroups=hostgroup-name sudorule-name
 ** d. Add the users:
 *** 1) ipa sudorule-add-user --groups=group-name sudorule-name

Configure Client for SUDO

 * Configure SUDO to look to LDAP for sudoers
 ** a. Add the following line to /etc/nsswitch.conf:

sudoers:   ldap

 * Configure SSSD to look for NIS netgroups
 ** a. Add the following beneath the "ipa_server" entry in /etc/sssd/sssd.conf:

ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com

 ** b. Restart the SSSD daemon for the changes to take effect:
 *** 1) service sssd restart
 * Edit the LDAP configuration file for SUDO:
 ** a. Add the following to /etc/nss_ldap.conf (one directive per line):

sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=binduser,cn=users,cn=accounts,dc=example,dc=com
bindpw bind_password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipa.example.com

 ** b. To support compatibility, create a symlink for the legacy configuration:
 *** 1) ln -s /etc/nss_ldap.conf /etc/ldap.conf
 * Set up the NIS domain
 ** Sudo still uses NIS netgroups. To support client-side identification of the NIS netgroup domain you must define your NIS domain name. This is done with the command:
 *** 1) nisdomainname example.com
 ** There is a bug filed with Fedora to address this configuration requirement at boot time; in the meantime the command can be added to /etc/rc.local so it runs at boot:

/etc/rc.local: nisdomainname example.com
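Before running the tests below it is worth confirming that the client configuration from the preceding steps is complete and that the bind credentials are protected. The following script is an added example, not part of the original test case; the script name check_sudo_ldap.sh is hypothetical, and the checks are based only on the directives listed above (TLS, peer verification, the sudoers entry in nsswitch.conf, and the permissions of the file holding bindpw).

```sh
#!/bin/sh
# Added example, not part of the Fedora test case: sanity-check a client's
# sudo-over-LDAP configuration before running the SUDO tests.
#
# check_sudo_ldap_conf CONF [NSSWITCH]
#   CONF     - the nss_ldap.conf written above
#   NSSWITCH - nsswitch.conf (defaults to /etc/nsswitch.conf)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_sudo_ldap_conf() {
    conf="$1"
    nss="${2:-/etc/nsswitch.conf}"
    rc=0
    # Every directive the test case relies on must be present with a value.
    for key in sudoers_base binddn bindpw uri tls_cacertfile; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$conf" ||
            { echo "missing directive: $key"; rc=1; }
    done
    # Without STARTTLS the bind password crosses the network in clear text;
    # without peer checking a spoofed server could answer sudoers queries.
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" ||
        { echo "ssl start_tls is not set"; rc=1; }
    grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$conf" ||
        { echo "tls_checkpeer is not yes"; rc=1; }
    # bindpw is stored in clear text, so the file must not be world-readable
    # (column 8 of ls -l is the 'other' read bit).
    [ "$(ls -ld "$conf" | cut -c8)" = "-" ] ||
        { echo "$conf is world-readable but contains bindpw"; rc=1; }
    # sudo only consults LDAP if nsswitch routes sudoers lookups there.
    grep -Eq '^[[:space:]]*sudoers:.*ldap' "$nss" ||
        { echo "$nss: sudoers line does not list ldap"; rc=1; }
    return $rc
}

# Usage on a real client: sh check_sudo_ldap.sh /etc/nss_ldap.conf
[ $# -eq 0 ] || check_sudo_ldap_conf "$@"
```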

Test SUDO on the client

 * Execute the allowed command and observe that it succeeds.
 * Execute a command that is not mentioned in the rule, and is thus not allowed, and observe that it is refused.
 * Add a new command to the command group that the SUDO rule you created in step 2 references as its allowed commands.
 * Try this command again and see that it is now allowed.

 * results=
All the test steps should end with the specified results.
}}