From Fedora Project Wiki

Revision as of 14:48, 12 September 2012 by Jcholast


Offline access to sudo rules.


  • Make sure you have sudo 1.8.6 rc3 or later installed (Koji build).
  • Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
  • Install FreeIPA server with DNS on one machine, and FreeIPA client on another machine (see Basic installation tests).

How to test

Configure SSSD

On the client machine, you have to make some changes to /etc/sssd/sssd.conf.

Make sure the sudo service is enabled in the [sssd] section:

services = nss, pam, ssh, sudo

In the FreeIPA domain section, you have to make the following changes (see man sssd-sudo for more information):

sudo_provider = ldap
ldap_uri = ldap://
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server =

Configure sudo to use SSSD as a sudoers source in /etc/nsswitch.conf:

sudoers: files sss

Finally, restart SSSD:

root@client# service sssd restart
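
A check for the settings listed above, as an added example that is not part of the original wiki page: it parses sssd.conf and nsswitch.conf text and reports which of the page's settings are missing or left unfilled. The host names in the sample, the function names and the choice to check every [domain/...] section are assumptions made for the example.

```python
import configparser

# Keys the page sets in the domain section; None means any non-empty value.
REQUIRED = {"sudo_provider": "ldap", "ldap_uri": None,
            "ldap_sudo_search_base": None, "ldap_sasl_mech": "GSSAPI",
            "ldap_sasl_authid": None, "ldap_sasl_realm": None,
            "krb5_server": None}

# Constructed sample; the host names are placeholders, not values from the page.
SAMPLE_SSSD = """\
[sssd]
services = nss, pam, ssh, sudo
[domain/ipa.example.com]
sudo_provider = ldap
ldap_uri = ldap://server.ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = server.ipa.example.com
"""

def check_sssd_conf(text):
    """Return a list of problems in sssd.conf text (empty list means OK)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    problems = []
    services = cp.get("sssd", "services", fallback="").split(",")
    if "sudo" not in [s.strip() for s in services]:
        problems.append("[sssd] services does not list sudo")
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        problems.append("no [domain/...] section found")
    for sec in domains:  # assumption: check every domain section
        for key, want in REQUIRED.items():
            val = cp.get(sec, key, fallback="").strip()
            if val in ("", "ldap://", "host/"):  # unset or left unfilled
                problems.append(f"[{sec}] {key} is empty or incomplete")
            elif want and val.lower() != want.lower():
                problems.append(f"[{sec}] {key} = {val}, expected {want}")
    return problems

def check_nsswitch(text):
    """Return True if the sudoers line in nsswitch.conf text lists sss."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            return "sss" in line.split(":", 1)[1].split()
    return False
```

Feed both functions the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf; an empty problem list and a True result mean the configuration matches the steps above.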

Sudo testing


Expected Results

All the test steps should end with the specified results.