From 8a2a49333b7df3a4b86db42cd20ec8286d2788d3 Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Mon, 23 Jul 2012 15:46:31 +0200 Subject: manpage: sssd-sudo - documents how sudo works with sssd https://fedorahosted.org/sssd/ticket/1418 --- contrib/sssd.spec.in | 1 + src/man/Makefile.am | 4 + src/man/include/seealso.xml | 6 ++ src/man/po/po4a.cfg | 1 + src/man/sssd-sudo.5.xml | 210 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 222 insertions(+) create mode 100644 src/man/sssd-sudo.5.xml diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index efabc860..b444b86d 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -369,6 +369,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-ldap.5* %{_mandir}/man5/sssd-simple.5* +%{_mandir}/man5/sssd-sudo.5* %{_mandir}/man8/sssd.8* %if (0%{?enable_experimental} == 1) %{_mandir}/man1/sss_ssh_authorizedkeys.1* diff --git a/src/man/Makefile.am b/src/man/Makefile.am index ca1a2261..4ed76c8a 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -48,6 +48,10 @@ if BUILD_SSH man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 endif +if BUILD_SUDO +man_MANS += sssd-sudo.5 +endif + SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 .1.xml.1: $(XMLLINT) $(XMLLINT_FLAGS) $< diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml index 6fa7359f..80c228e3 100644 --- a/src/man/include/seealso.xml +++ b/src/man/include/seealso.xml @@ -22,6 +22,12 @@ sssd-ad5 , + + + sssd-sudo + 5 + , + sss_cache8 , diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg index cc84578e..1f05c7a4 100644 --- a/src/man/po/po4a.cfg +++ b/src/man/po/po4a.cfg 
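Review bot: The new `if BUILD_SUDO … endif` guard in the Makefile.am hunk builds and installs sssd-sudo.5 only when sudo support is compiled in, yet the same commit adds `sssd-sudo(5)` to seealso.xml and `%{_mandir}/man5/sssd-sudo.5*` to the spec %files list unconditionally, so a build configured without sudo ships SEE ALSO cross-references in every man page to a page that is not installed. Either drop the conditional — the page mainly documents nsswitch.conf and sssd.conf settings, which are harmless to describe on any build — or guard the seealso.xml and spec entries the same way the ssh pages are guarded by `enable_experimental`. I cannot see whether the spec always enables sudo, so the packaging failure on a sudo-less spec build is a guess; the SEE ALSO inconsistency is visible in the hunks themselves.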
@@ -8,6 +8,7 @@
 [type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml
 [type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml
 [type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml
+[type:docbook] sssd-sudo.5.xml $lang:$(builddir)/$lang/sssd-sudo.5.xml
 [type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml
 [type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml
 [type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
new file mode 100644
index 00000000..c5fa2cc4
--- /dev/null
+++ b/src/man/sssd-sudo.5.xml
@@ -0,0 +1,210 @@ + + + +SSSD Manual pages + + + + + sssd-sudo + 5 + File Formats and Conventions + + + + sssd-sudo + the configuration file for SSSD + + + + DESCRIPTION + + This manual page describes how to configure + + sudo + 8 + to work with + + sssd + 8 + and how SSSD caches sudo rules. + + + + + Configuring sudo to cooperate with SSSD + + To enable SSSD as a source for sudo rules, add + sss to the sudoers entry + in + + nsswitch.conf + 5 + . + + + For example, to configure sudo to first lookup rules in the standard + + sudoers + 5 + file (which should contain rules that apply to + local users) and then in SSSD, the nsswitch.conf file should contain + the following line: + + + +sudoers: files sss + + + + More information about configuring the sudoers search order from the + nsswitch.conf file as well as information about the LDAP schema that + is used to store sudo rules in the directory can be found in + + sudoers.ldap + 5 + . + + + + + Configuring SSSD to fetch sudo rules + + The following example shows how to configure SSSD to download sudo + rules from an LDAP server. + + + +[sssd] +config_file_version = 2 +services = nss, pam, sudo +domains = EXAMPLE + +[domain/EXAMPLE] +id_provider = ldap +sudo_provider = ldap +ldap_uri = ldap://example.com +ldap_sudo_search_base = ou=sudoers,dc=example,dc=com + + + + The following example illustrates setting up SSSD to download + sudo rules from an IPA server. It is necessary to use the LDAP + provider and set appropriate connection parameters to authenticate + correctly against the IPA server, because SSSD does not have native + support of IPA provider for sudo yet. 
+ + + +[sssd] +config_file_version = 2 +services = nss, pam, sudo +domains = EXAMPLE + +[domain/EXAMPLE] +id_provider = ipa +ipa_domain = example.com +ipa_server = ipa.example.com +ldap_tls_cacert = /etc/ipa/ca.crt + +sudo_provider = ldap +ldap_uri = ldap://ipa.example.com +ldap_sudo_search_base = ou=sudoers,dc=example,dc=com +ldap_sasl_mech = GSSAPI +ldap_sasl_authid = host/hostname.example.com +ldap_sasl_realm = EXAMPLE.COM +krb5_server = ipa.example.com + + + + + + The SUDO rule caching mechanism + + The biggest challenge, when developing sudo support in SSSD, was to + ensure that running sudo with SSSD as the data source provides the + same user experience and is as fast as sudo but keeps providing + the most current set of rules as possible. To satisfy these + requirements, SSSD uses three kinds of updates. They are referred to + as full refresh, smart refresh and rules refresh. + + + The smart refresh periodically downloads rules + that are new or were modified after the last update. Its primary + goal is to keep the database growing by fetching only small + increments that do not generate large amounts of network traffic. + + + The full refresh simply deletes all sudo rules + stored in the cache and replaces them with all rules that are stored + on the server. This is used to keep the cache consistent by removing + every rule which was deleted from the server. Hovewer, full refresh + may produce a lot of traffic and thus it should be run only + occasionally depending on the size and stability of the sudo rules. + + + The rules refresh ensures that we do not grant + the user more permission than defined. It is triggered each time the + user runs sudo. Rules refresh will find all rules that apply to this + user, check their expiration time and redownload them if expired. + In the case that any of these rules are missing on the server, the + SSSD will do an out of band full refresh because more rules + (that apply to other users) may have been deleted. 
+ + + If enabled, SSSD will store only rules that can be applied to this + machine. This means rules that contain one of the following values + in sudoHost attribute: + + + + + keyword ALL + + + + + regular expression + + + + + netgroup (in the form "+netgroup") + + + + + hostname or fully qualified domain name of this machine + + + + + one of the IP addresses of this machine + + + + + one of the IP addresses of the network + (in the form "address/mask") + + + + + There are many configuration options that can be used to adjust + the behaviour. Please refer to "ldap_sudo_*" in + + sssd-ldap + 5 + and "sudo_*" in + + sssd.conf + 5 + . + + + + + + + -- cgit
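Review bot: The first sssd.conf example in the "Configuring SSSD to fetch sudo rules" section points the sudo provider at `ldap_uri = ldap://example.com` with no TLS settings, so a reader who copies it fetches sudo rules — the data that decides who may run what as root — over cleartext LDAP, where they can be read and, unless the connection is protected some other way, altered in transit. The example should use `ldap_uri = ldaps://example.com` together with `ldap_tls_cacert = /path/to/ca.crt` (the IPA example already sets `ldap_tls_cacert`), or gain one sentence stating that the TLS/StartTLS options from sssd-ldap(5) are omitted for brevity and must be configured in production. Separately, the caching section's sentence "If enabled, SSSD will store only rules that can be applied to this machine" never names the option being enabled; naming it (it appears to be one of the `ldap_sudo_*` options referenced at the end of the page) would make the host-filtering behaviour actionable. Also, "Hovewer" in the full-refresh paragraph is a typo for "However".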