summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2012-07-23 15:46:31 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-07-30 19:07:23 +0200
commit8a2a49333b7df3a4b86db42cd20ec8286d2788d3 (patch)
tree082f6ad3ee3dd156d74c41608348e4fffd8d01ca
parent300c772767c1b12077cac1d148ac89738b058f97 (diff)
downloadsssd-8a2a49333b7df3a4b86db42cd20ec8286d2788d3.tar.gz
sssd-8a2a49333b7df3a4b86db42cd20ec8286d2788d3.tar.bz2
sssd-8a2a49333b7df3a4b86db42cd20ec8286d2788d3.zip
manpage: sssd-sudo - documents how sudo works with sssd
https://fedorahosted.org/sssd/ticket/1418
-rw-r--r--contrib/sssd.spec.in1
-rw-r--r--src/man/Makefile.am4
-rw-r--r--src/man/include/seealso.xml6
-rw-r--r--src/man/po/po4a.cfg1
-rw-r--r--src/man/sssd-sudo.5.xml210
5 files changed, 222 insertions, 0 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index efabc860..b444b86d 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -369,6 +369,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sssd-krb5.5*
%{_mandir}/man5/sssd-ldap.5*
%{_mandir}/man5/sssd-simple.5*
+%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man8/sssd.8*
%if (0%{?enable_experimental} == 1)
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index ca1a2261..4ed76c8a 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -48,6 +48,10 @@ if BUILD_SSH
man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1
endif
+if BUILD_SUDO
+man_MANS += sssd-sudo.5
+endif
+
SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
.1.xml.1:
$(XMLLINT) $(XMLLINT_FLAGS) $<
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index 6fa7359f..80c228e3 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -22,6 +22,12 @@
<citerefentry>
<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
+ <phrase condition="with_sudo">
+ <citerefentry>
+ <refentrytitle>sssd-sudo</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>,
+ </phrase>
<citerefentry>
<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index cc84578e..1f05c7a4 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -8,6 +8,7 @@
[type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml
[type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml
[type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml
+[type:docbook] sssd-sudo.5.xml $lang:$(builddir)/$lang/sssd-sudo.5.xml
[type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml
[type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml
[type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
new file mode 100644
index 00000000..c5fa2cc4
--- /dev/null
+++ b/src/man/sssd-sudo.5.xml
@@ -0,0 +1,210 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-sudo</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-sudo</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes how to configure
+ <citerefentry>
+ <refentrytitle>sudo</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry> to work with
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry> and how SSSD caches sudo rules.
+ </para>
+ </refsect1>
+
+ <refsect1 id='sudo'>
+ <title>Configuring sudo to cooperate with SSSD</title>
+ <para>
+ To enable SSSD as a source for sudo rules, add
+ <emphasis>sss</emphasis> to the <emphasis>sudoers</emphasis> entry
+ in
+ <citerefentry>
+ <refentrytitle>nsswitch.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ <para>
+ For example, to configure sudo to first lookup rules in the standard
+ <citerefentry>
+ <refentrytitle>sudoers</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> file (which should contain rules that apply to
+ local users) and then in SSSD, the nsswitch.conf file should contain
+ the following line:
+ </para>
+ <para>
+<programlisting>
+sudoers: files sss
+</programlisting>
+ </para>
+ <para>
+ More information about configuring the sudoers search order from the
+ nsswitch.conf file as well as information about the LDAP schema that
+ is used to store sudo rules in the directory can be found in
+ <citerefentry>
+ <refentrytitle>sudoers.ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1 id='sssd'>
+ <title>Configuring SSSD to fetch sudo rules</title>
+ <para>
+ The following example shows how to configure SSSD to download sudo
+ rules from an LDAP server.
+ </para>
+ <para>
+<programlisting>
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ldap
+sudo_provider = ldap
+ldap_uri = ldap://example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+</programlisting>
+ </para>
+ <para>
+ The following example illustrates setting up SSSD to download
+ sudo rules from an IPA server. It is necessary to use the LDAP
+ provider and set appropriate connection parameters to authenticate
+ correctly against the IPA server, because SSSD does not have native
+ support of IPA provider for sudo yet.
+ </para>
+ <para>
+<programlisting>
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ipa
+ipa_domain = example.com
+ipa_server = ipa.example.com
+ldap_tls_cacert = /etc/ipa/ca.crt
+
+sudo_provider = ldap
+ldap_uri = ldap://ipa.example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+ldap_sasl_mech = GSSAPI
+ldap_sasl_authid = host/hostname.example.com
+ldap_sasl_realm = EXAMPLE.COM
+krb5_server = ipa.example.com
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='cache'>
+ <title>The SUDO rule caching mechanism</title>
+ <para>
+ The biggest challenge, when developing sudo support in SSSD, was to
+ ensure that running sudo with SSSD as the data source provides the
+ same user experience and is as fast as sudo but keeps providing
+ the most current set of rules as possible. To satisfy these
+ requirements, SSSD uses three kinds of updates. They are referred to
+ as full refresh, smart refresh and rules refresh.
+ </para>
+ <para>
+ The <emphasis>smart refresh</emphasis> periodically downloads rules
+ that are new or were modified after the last update. Its primary
+ goal is to keep the database growing by fetching only small
+ increments that do not generate large amounts of network traffic.
+ </para>
+ <para>
+ The <emphasis>full refresh</emphasis> simply deletes all sudo rules
+ stored in the cache and replaces them with all rules that are stored
+ on the server. This is used to keep the cache consistent by removing
+ every rule which was deleted from the server. Hovewer, full refresh
+ may produce a lot of traffic and thus it should be run only
+ occasionally depending on the size and stability of the sudo rules.
+ </para>
+ <para>
+ The <emphasis>rules refresh</emphasis> ensures that we do not grant
+ the user more permission than defined. It is triggered each time the
+ user runs sudo. Rules refresh will find all rules that apply to this
+ user, check their expiration time and redownload them if expired.
+ In the case that any of these rules are missing on the server, the
+ SSSD will do an out of band full refresh because more rules
+ (that apply to other users) may have been deleted.
+ </para>
+ <para>
+ If enabled, SSSD will store only rules that can be applied to this
+ machine. This means rules that contain one of the following values
+ in <emphasis>sudoHost</emphasis> attribute:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ keyword ALL
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ regular expression
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ netgroup (in the form "+netgroup")
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ hostname or fully qualified domain name of this machine
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ one of the IP addresses of this machine
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ one of the IP addresses of the network
+ (in the form "address/mask")
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ There are many configuration options that can be used to adjust
+ the behaviour. Please refer to "ldap_sudo_*" in
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> and "sudo_*" in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>