@VAdamec
Created October 17, 2014 00:19
FreeIPA testing
/etc/nslcd.conf
# Connect to IPA
# nslcd: NSS/PAM LDAP lookups against the FreeIPA directory, binding as the
# dedicated "sudo" system account (a non-Kerberos account under cn=sysaccounts).
# NOTE(review): bindpw is a cleartext credential. Keep this file root-owned and
# mode 0600, and give the sysaccount read access to the compat trees it needs
# only (least privilege) so a leaked password exposes as little as possible.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
bindpw XXXX
# Plain ldap:// upgraded with STARTTLS; the CA file is the IPA CA. Peer
# verification means the name in "uri" must match the server certificate, so
# use the FQDN (as below), not a short name.
# NOTE(review): tls_checkpeer and sudoers_base are sudo-ldap.conf / pam_ldap
# keywords, not nslcd ones (nslcd's peer check is "tls_reqcert demand" and it
# has no sudoers_base); confirm nslcd actually accepts this file as written --
# it looks like a copy of /etc/sudo-ldap.conf below.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
# Short connect/search limits so an unreachable IPA server does not stall
# logins for long.
bind_timelimit 5
timelimit 15
uri ldap://ipa-server.test
# FreeIPA's compat plugin publishes sudo rules as flat sudoRole entries here
# (see the ldapsearch output further down).
sudoers_base ou=sudoers,dc=test
/etc/sudo-ldap.conf
# Connect to IPA
# sudo's own LDAP backend (sudoers.ldap). The "sudo -l" debug output further
# down ("LDAP Config Summary") shows sudo reading this file directly, i.e. the
# nsswitch.conf "sudoers:" line points at ldap rather than sss.
# NOTE(review): bindpw is stored in cleartext; this file must be readable only
# by root (mode 0600). The sysaccount only needs read access to ou=sudoers.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
bindpw XXXXXXX
# STARTTLS with certificate verification against the IPA CA. With
# tls_checkpeer on, the host in "uri" must match the server certificate.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
# NOTE(review): this is a short hostname while every other file (and the
# LDAP Config Summary in the log) uses ldap://ipa-server.test; a short name
# that is not in the certificate will fail the tls_checkpeer check. Likewise
# "dc=XX" below does not match the dc=test base used everywhere else -- both
# look like redaction slips, but verify the deployed file uses the FQDN and
# the real base.
uri ldap://ipa-server
sudoers_base ou=sudoers,dc=XX
/etc/sssd/sssd.conf
# sssd client configuration for the IPA domain "test".
# NOTE(review): sssd requires this file to be root-owned and mode 0600; it
# is also where the sudo lookup path is configured, but the debug log further
# down shows sudo talking LDAP itself via /etc/sudo-ldap.conf, so the [sudo]
# responder here is only exercised if nsswitch.conf has "sudoers: sss".
[domain/test]
# Offline logins: cache_credentials keeps a credential hash in the sssd cache;
# krb5_store_password_if_offline keeps the password itself so a TGT can be
# requested once the server is reachable again.
# NOTE(review): per sssd.conf(5) the stored password lives in the kernel
# keyring and is reachable by root on this host -- weigh that against the
# need for offline logins before enabling it on shared machines.
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = test
# Identity, authentication, HBAC access control and password changes all go
# through the IPA provider (Kerberos-authenticated, host keytab).
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = ipa-client
chpass_provider = ipa
ipa_server = ipa-server.test
# NOTE(review): cn=ipa-server,dc=test does not look like a netgroup container;
# FreeIPA exposes compat netgroups under cn=ng,cn=compat,<base>. Since the
# failing sudo rule below matches hosts by netgroup (sudoHost: +all), a wrong
# netgroup base is a plausible cause of host_matches=0 -- confirm.
ldap_netgroup_search_base = cn=ipa-server,dc=test
# For the SUDO integration
# Sudo rules are read from the compat sudoers tree over LDAP, authenticating
# with the host's Kerberos principal (GSSAPI) instead of a shared bind
# password. No ldap_id_use_start_tls is set here, so protection of this
# channel relies on the GSSAPI security layer -- confirm that is acceptable.
sudo_provider = ldap
ldap_uri = ldap://ipa-server.test
ldap_sudo_search_base = ou=sudoers,dc=test
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa-client.test@REALM
ldap_sasl_realm = REALM
krb5_server = ipa-server.test
[sssd]
# Responders enabled on this client; "sudo" is what backs "sudoers: sss".
services = nss, pam, ssh, sudo
config_file_version = 2
domains = test
[nss]
[pam]
[sudo]
# NOTE(review): maximum verbosity for debugging; the resulting logs under
# /var/log/sssd can include rule contents and identity data, so restore the
# default once the lookup problem is resolved.
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
LDAP debug log (`sudo -l` on the client; the rule is found — `user_matches=1` — but `sudoHost '+all' ... not` and `host_matches=0` show the rule's netgroup host list did not match this client, which is why it ends in "not allowed"; the `+` prefix marks a netgroup, so the client must be able to resolve netgroup `all` through NSS and be a member of it):
[tester@ipa-client ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ipa-server.test
ldap_version 3
sudoers_base ou=sudoers,dc=test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=test
bindpw XXXXXXXXXXX
bind_timelimit 5
timelimit 15
ssl start_tls
tls_checkpeer (yes)
tls_cacertfile /etc/ipa/ca.crt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: tls_cacert -> /etc/ipa/ca.crt
sudo: ldap_initialize(ld, ldap://ipa-server.test)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=test
sudo: ldap search '(|(sudoUser=tester)(sudoUser=%tester)(sudoUser=%#1085800001)(sudoUser=%admins)(sudoUser=%#1085800000)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=test'
sudo: adding search result
sudo: ldap sudoHost '+all' ... not
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=test'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for tester:
sudo: ldap search for command list
sudo: reusing previous result (user tester) with 0 entries
User tester is not allowed to run sudo on ipa-client
sudo: removing reusable search result
IPA server-side view of the user and of the compat sudoers tree (commands run on ipa-server, not on the client):
[root@ipa-server ~]# ipa user-find tester --all
--------------
1 user matched
--------------
dn: uid=tester,cn=users,cn=accounts,dc=test
User login: tester
First name: Vaclav
Last name: Adamec
Full name: Vaclav Adamec
Display name: Vaclav Adamec
Initials: VA
Home directory: /home/tester
GECOS: Vaclav Adamec
Login shell: /bin/bash
Kerberos principal: tester@REALM
Email address: tester@test
UID: 1085800001
GID: 1085800001
Account disabled: False
SSH public key: ssh-rsa...
User authentication types: password
Password: True
Member of groups: trust admins, ipausers, admins
Member of netgroups: all_servers_all_admins, new_users_no_rights
Member of Sudo rule: Admins_can_do_anything
Member of HBAC rule: admins_to_all
Kerberos keys available: True
SSH public key fingerprint: ....
ipauniqueid: xxxx
krbextradata: xxxx
krblastfailedauth: 20141016095336Z
krblastpwdchange: 20141016094246Z
krblastsuccessfulauth: 20141016233254Z
krbloginfailedcount: 0
krbpasswordexpiration: 20150114094246Z
mepmanagedentry: cn=tester,cn=groups,cn=accounts,dc=test
objectclass: ipaSshGroupOfPubKeys, ipaobject, mepOriginEntry, person, top, ipasshuser, inetorgperson, organizationalperson, ipauserauthtypeclass, krbticketpolicyaux,krbprincipalaux, inetuser, posixaccount
[root@ipa-server ~]# ldapsearch -x -h localhost -p 389 -b ou=sudoers,dc=test
# sudoers, test
dn: ou=sudoers,dc=test
objectClass: extensibleObject
ou: sudoers
# Admins_can_do_anything, sudoers, test
dn: cn=Admins_can_do_anything,ou=sudoers,dc=test
sudoUser: %admins
sudoUser: tester
sudoHost: +all
objectClass: sudoRole
objectClass: top
sudoCommand: /usr/bin/whoami
cn: Admins_can_do_anything