FreeIPA testing
/etc/nslcd.conf
# Connect to IPA
# /etc/nslcd.conf is read by nslcd at startup. Because it holds a bind
# password it should stay root-owned and not world-readable.
# Service account used for the simple bind
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
# password redacted in this paste
bindpw XXXX
# upgrade the plain ldap:// connection to TLS (STARTTLS) before binding
ssl start_tls
# CA that issued the IPA server certificate
tls_cacertfile /etc/ipa/ca.crt
# NOTE(review): tls_checkpeer is the PADL nss_ldap/pam_ldap spelling; nslcd
# documents tls_reqcert for certificate verification. Confirm nslcd accepts
# this keyword, otherwise the server certificate may go unverified here.
tls_checkpeer yes
# seconds allowed for the bind and for each search
bind_timelimit 5
timelimit 15
uri ldap://ipa-server.test
# NOTE(review): sudoers_base is a /etc/sudo-ldap.conf directive (see the
# file below); it is not documented for nslcd — confirm it is not rejected
# as an unknown keyword.
sudoers_base ou=sudoers,dc=test
/etc/sudo-ldap.conf
# Connect to IPA
# Read by sudo's LDAP sudoers backend; the "LDAP Config Summary" printed by
# `sudo -l` below is sudo's view of this file. It holds a bind password, so
# keep it root-owned and not world-readable.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
# password redacted in this paste
bindpw XXXXXXX
# STARTTLS before the bind — the trace below shows ldap_start_tls_s() ok
# preceding ldap_sasl_bind_s() ok
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
# verify the server certificate against tls_cacertfile
# (logged below as "tls_checkpeer -> 1")
tls_checkpeer yes
bind_timelimit 5
timelimit 15
# NOTE(review): sudo reports uri ldap://ipa-server.test and
# sudoers_base ou=sudoers,dc=test in its Config Summary below, while the
# two lines here read ldap://ipa-server and dc=XX. Either the redaction is
# uneven or this paste does not match the deployed file — confirm.
uri ldap://ipa-server
sudoers_base ou=sudoers,dc=XX
/etc/sssd/sssd.conf
# /etc/sssd/sssd.conf — INI read by sssd; one [domain/...] section per
# identity domain, [sssd] for the daemon, then one section per responder.
[domain/test]
# keep credentials cached so logins still work when the IPA server is unreachable
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
# CA used to verify the IPA server's TLS certificate
ldap_tls_cacert = /etc/ipa/ca.crt
# NOTE(review): short name here, while ldap_sasl_authid below uses the
# fully qualified ipa-client.test and sudo reports the host as plain
# ipa-client. IPA host and netgroup entries are presumably keyed by FQDN,
# so a short hostname can make host matching fail — confirm the client's
# hostname is fully qualified.
ipa_hostname = ipa-client
chpass_provider = ipa
ipa_server = ipa-server.test
# NOTE(review): this does not look like the IPA netgroup container; with
# id_provider = ipa the search bases are normally discovered automatically.
# Verify against the directory tree, since the sudo rule's sudoHost '+all'
# is a netgroup match and the trace below shows it failing.
ldap_netgroup_search_base = cn=ipa-server,dc=test
# For the SUDO integration
# NOTE(review): the `sudo -l` trace below comes from sudo's own LDAP backend
# (/etc/sudo-ldap.conf), not from this sssd sudo responder; which one is
# consulted presumably depends on the sudoers line in nsswitch.conf.
sudo_provider = ldap
ldap_uri = ldap://ipa-server.test
ldap_sudo_search_base = ou=sudoers,dc=test
# Kerberos bind for the rule lookups (presumably the host keytab), so no
# bind password is stored in this file
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test@REALM
ldap_sasl_realm = REALM
krb5_server = ipa-server.test
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = test
[nss]
[pam]
[sudo]
# very verbose tracing for the sudo responder (bitmask); lower it once
# debugging is finished, as these logs can contain identity details
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
LDAP debug log:
[tester@ipa-client ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ipa-server.test
ldap_version 3
sudoers_base ou=sudoers,dc=test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
bindpw XXXXXXXXXXX
bind_timelimit 5
timelimit 15
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa-server.test)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=test
sudo: ldap search '(|(sudoUser=tester)(sudoUser=%tester)(sudoUser=%#1085800001)(sudoUser=%admins)(sudoUser=%#1085800000)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=test'
sudo: adding search result
sudo: ldap sudoHost '+all' ... not
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=test'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for tester:
sudo: ldap search for command list
sudo: reusing previous result (user tester) with 0 entries
User tester is not allowed to run sudo on ipa-client
sudo: removing reusable search result
IPA client info:
[root@ipa-server ~]# ipa user-find tester --all
--------------
1 user matched
--------------
dn: uid=tester,cn=users,cn=accounts,dc=test
User login: tester
First name: Vaclav
Last name: Adamec
Full name: Vaclav Adamec
Display name: Vaclav Adamec
Initials: VA
Home directory: /home/tester
GECOS: Vaclav Adamec
Login shell: /bin/bash
Kerberos principal: tester@REALM
Email address: tester@test
UID: 1085800001
GID: 1085800001
Account disabled: False
SSH public key: ssh-rsa...
User authentication types: password
Password: True
Member of groups: trust admins, ipausers, admins
Member of netgroups: all_servers_all_admins, new_users_no_rights
Member of Sudo rule: Admins_can_do_anything
Member of HBAC rule: admins_to_all
Kerberos keys available: True
SSH public key fingerprint: ....
ipauniqueid: xxxx
krbextradata: xxxx
krblastfailedauth: 20141016095336Z
krblastpwdchange: 20141016094246Z
krblastsuccessfulauth: 20141016233254Z
krbloginfailedcount: 0
krbpasswordexpiration: 20150114094246Z
mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=test
objectclass: ipaSshGroupOfPubKeys, ipaobject, mepOriginEntry, person, top, ipasshuser, inetorgperson, organizationalperson, ipauserauthtypeclass, krbticketpolicyaux,krbprincipalaux, inetuser, posixaccount
[root@ipa-server ~]# ldapsearch -x -h localhost -p 389 -b ou=sudoers,dc=test
# sudoers, test
dn: ou=sudoers,dc=test
objectClass: extensibleObject
ou: sudoers
# Admins_can_do_anything, sudoers, test
dn: cn=Admins_can_do_anything,ou=sudoers,dc=test
sudoUser: %admins
sudoUser: tester
sudoHost: +all
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/whoami
cn: Admins_can_do_anything