From Fedora Project Wiki

Description

SUDO testing.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
  3. Configure NIS on the server (see QA:Testcase_freeipav2_nis)
  4. This requires a separate client machine from the IPA server machine (see QA:Testcase_freeipav2_client_enrollment)

How to test

Configuring the server

  • Setup the hostgroup
a. Add a hostgroup:
# ipa hostgroup-add hostgroup-name
b. Add the client host to the hostgroup:
# ipa hostgroup-add-member --hosts=host.example.com hostgroup-name
  • Setup the user
a. Add a new user:
# ipa user-add username
b. Set the temp password:
# ipa user-mod --password username
c. Reset with the permanent password:
# kinit username
d. Add a group:
# ipa group-add group-name
e. Add the new user to the group:
# ipa group-add-member --users=username group-name
  • Setup a BIND user
a. Create the bind user:
# ipa user-add bindusername
b. Set the temp password:
# ipa user-mod --password bindusername
c. Reset with the permanent password:
# kinit bindusername
  • Setup Sudo Commands
a. Add a sudo command:
# ipa sudocmd-add --desc='For reading log files' '/usr/bin/less'
b. Add a sudo command group:
# ipa sudocmdgroup-add --desc='Read Only Commands' readonly
c. Add the commanad to the group:
# ipa sudocmdgroup-add-member --sudocmds='/usr/bin/less' readonly
  • Setup Sudo Rule
a. Add a sudo rule:
# ipa sudorule-add sudorule-name
b. Add the allow commands:
# ipa sudorule-add-allow-command --sudocmdgroups=readonly sudorule-name
c. Add the hosts:
# ipa sudorule-add-host --hostgroups=hostgroup-name sudorule-name
d. Add the users:
# ipa sudorule-add-user --groups=group-name sudorule-name        

Configure Client for SUDO

  • Configure SUDO to look to LDAP for SUDOers
a. Add the following lines to /etc/nsswitch.conf:
           sudoers:    ldap
  • Configure SSSD to look for NIS Netgroups
a. Add the following beneath the "ipa_server" entry in /etc/sssd/sssd.conf:
           ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
b. Restart the SSSD Daemon for changes to take effect:
# service sssd restart
  • Edit the LDAP Configuration file for SUDO:
a. Add the following to /etc/nss_ldap.conf:
           sudoers_base ou=SUDOers,dc=example,dc=com
           binddn uid=binduser,cn=users,cn=accounts,dc=example,dc=com
           bindpw bind_password
           ssl start_tls
           tls_cacertfile /etc/ipa/ca.crt
           tls_checkpeer yes
           bind_timelimit 5                                                                                                                      
           timelimit 15                                                                                                   
           uri ldap://ipa.example.com
b. To support compatibility create a symlink for the legacy configuration:
# ln -s /etc/nss_ldap.conf /etc/ldap.conf
  • Setup NIS Domain
Sudo still utilizes NIS Netgroups. To support the client side identification of NIS Netgroup Domains you must define your NIS Domain Name. This is done via the command:
# nisdomainname example.com
There is a bug file with Fedora to address this config requirement at boot time.
       /etc/rc.local:
           nisdomainname example.com

Test SUDO on the client

  • Execute the allowed command - observe success.
  • Execute a new command that is not mentioned and thus not allowed.
  • Add a new command to the group of the commands that are referenced as allowed commands from the SUDO rule you have created on step 2.
  • Try this command again and see that it is now allowed.

Expected Results

All the test steps should end with the specified results.