From Fedora Project Wiki
(Created page with "<!-- All fields on this form are required to be accepted by FESCo. We also request that you maintain the same order of sections so that all of the feature pages are uniform. --...")
 
No edit summary
 
(10 intermediate revisions by 4 users not shown)
Line 7: Line 7:


== Summary ==
== Summary ==
Provide means of looking up sudoers rules stored in remote directories such as LDAP via SSSD instead of direct LDAP lookups.
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
<!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->


== Owner ==
== Owner ==
<!--This should link to your home wiki page so we know who you are-->
<!--This should link to your home wiki page so we know who you are-->
* Name: [[User:FASAcountName| Your Name]]
* Name: [[User:pbrezina| Pavel Březina]]
* Email: pbrezina@redhat.com
* Name: [[User:sgallagh| Stephen Gallager]]
* Email: sgallagh@redhat.com
* Name: [[User:jhrozek| Jakub Hrozek]]
* Email: jhrozek@redhat.com
* Name: [[User:dkopecek| Daniel Kopeček]]
* Email: dkopecek@redhat.com


<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
* Email: <your email address so we can contact you, invite you to meetings, etc.>


== Current status ==
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]  
* Targeted release: [[Releases/17 | Fedora 17 ]]  
* Last updated: (DATE)
* Last updated: 2012-Mar-31
* Percentage of completion: XX%
* Percentage of completion: 100%
** packages were built in Fedora:
*** sssd-1.8.0-1.fc17.beta1
*** sudo-1.8.3p1-4.fc17


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->


== Detailed Description ==
== Detailed Description ==
In addition to the standard sudoers file, sudo may be configured via LDAP. This is very useful in large environments to provide centralized sudoers storage.
However, sudo performs all the lookups on its own, communicating directly with the remote directory. The goal of this feature is to extend sudo so that instead of talking directly to the LDAP server, it would communicate with SSSD's sudo responder process.
SSSD would provide access to the remote directory, while sudo would leverage all the benefits SSSD brings over performing the lookups in sudo directly. The major benefit is that sudo could take advantage of SSSD's caching capabilities. That would enable sudo to operate even if the remote directory is not reachable.
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->


== Benefit to Fedora ==
== Benefit to Fedora ==
The benefits of the integration are:
* offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable such as user roaming with a laptop.
* unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
* sudo would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
* only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
* caching of the rules - less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
* back end abstraction - data may be stored in NIS or other databases and accessed by the sudo transparently
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->


== Scope ==
== Scope ==
This feature requires changes to both SSSD and sudo:
* SSSD needs to create a new responder process that would listen on a UNIX socket, process requests, and send back data. The LDAP back end process needs to be extended to look up sudoers data.
* Sudo needs to extend the sudoers plugin to send requests for sudo rules to SSSD and extract the rules from data it gets back from SSSD
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
== How To Test ==
In general, using sudoers rules stored in LDAP should work as it used to with the original direct LDAP lookups, there should be no changes in behavior. The user should be able to test offline support by shutting down the LDAP server - sudo should still work in that case.
To configure Sudo using SSSD for lookups, the user needs an LDAP server that contains a couple of rules for a particular user or a group. Refer to the [http://www.gratisoft.us/sudo/sudoers.ldap.man.html sudoers manual] for more details on the LDIF format of the rules.
* install the appropriate packages
** sssd-1.8.0-1.fc17.beta1 or newer
** sudo-1.8.3p1-4.fc17 or newer
* configure Sudo to use the SSS back end
** put <code>sudoers: sss</code> into <code>/etc/nsswitch.conf</code>
* configure SSSD to run the Sudo responder and look up sudoers rules from an LDAP server
** put a new record <code>sudo</code> into the <code>services</code> option in the <code>[sssd]</code> section of <code>sssd.conf</code>
** specify the search base SSSD should look into using the <code>ldap_sudo_search_base</code> option in the domain section of <code>sssd.conf</code>
** restart SSSD
* test the online support
** log in as a user allowed to run sudo
** run <code>sudo -l</code>. You should see the list of sudo rules you are allowed to run
* test the offline support:
** turn off the <code>network</code> service or NetworkManager or shut down your LDAP server
** sudo should still be able to look up the rules from SSSD. SSSD would return the rules from its cache instead of the server.


== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  


Line 48: Line 93:


== User Experience ==
== User Experience ==
In case the LDAP server is not reachable, sssd would seamlessly fall back to serving sudoers data from cache, allowing the user to continue using sudo. The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user might also notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time.
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->


== Dependencies ==
== Dependencies ==
As stated above, this feature depends on changes in both sudo and SSSD. There are no other external dependencies.
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->


== Contingency Plan ==
== Contingency Plan ==
None required, Fedora would keep using the LDAP lookup module in sudo.
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->


== Documentation ==
== Documentation ==
See <code>man sssd-ldap</code> and <code>man sssd.conf</code>. Search for options that contain "sudo".
There is a [http://jhrozek.livejournal.com/2065.html blog post] with some user-centric documentation and a guide that explains how to migrate to an SSSD-backed setup.
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
*


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
Fedora 17 enables sudo to look up sudoers rules stored in LDAP using SSSD. The SSSD daemon caches the data, providing offline support for sudo, which means that sudo is able to function even without access to the LDAP server. Unifying the configuration in <code>sssd.conf</code> also brings the benefit of providing advanced features such as server fail over and fine-grained cache settings.


== Comments and Discussion ==
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
* See [[Talk:Features/SSSDSudoIntegration]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->




[[Category:FeaturePageIncomplete]]
[[Category:FeatureAcceptedF17]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Latest revision as of 01:43, 1 April 2012


SSSD-Sudo Integration

Summary

Provide means of looking up sudoers rules stored in remote directories such as LDAP via SSSD instead of direct LDAP lookups.

Owner


Current status

  • Targeted release: Fedora 17
  • Last updated: 2012-Mar-31
  • Percentage of completion: 100%
    • packages were built in Fedora:
      • sssd-1.8.0-1.fc17.beta1
      • sudo-1.8.3p1-4.fc17


Detailed Description

In addition to the standard sudoers file, sudo may be configured via LDAP. This is very useful in large environments to provide centralized sudoers storage.

However, sudo performs all the lookups on its own, communicating directly with the remote directory. The goal of this feature is to extend sudo so that instead of talking directly to the LDAP server, it would communicate with SSSD's sudo responder process.

SSSD would provide access to the remote directory, while sudo would leverage all the benefits SSSD brings over performing the lookups in sudo directly. The major benefit is that sudo could take advantage of SSSD's caching capabilities. That would enable sudo to operate even if the remote directory is not reachable.

Benefit to Fedora

The benefits of the integration are:

  • offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable such as user roaming with a laptop.
  • unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
  • sudo would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
  • only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
  • caching of the rules - less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
  • back end abstraction - data may be stored in NIS or other databases and accessed by the sudo transparently

Scope

This feature requires changes to both SSSD and sudo:

  • SSSD needs to create a new responder process that would listen on a UNIX socket, process requests, and send back data. The LDAP back end process needs to be extended to look up sudoers data.
  • Sudo needs to extend the sudoers plugin to send requests for sudo rules to SSSD and extract the rules from data it gets back from SSSD

How To Test

In general, using sudoers rules stored in LDAP should work as it used to with the original direct LDAP lookups, there should be no changes in behavior. The user should be able to test offline support by shutting down the LDAP server - sudo should still work in that case.

To configure Sudo using SSSD for lookups, the user needs an LDAP server that contains a couple of rules for a particular user or a group. Refer to the sudoers manual for more details on the LDIF format of the rules.

  • install the appropriate packages
    • sssd-1.8.0-1.fc17.beta1 or newer
    • sudo-1.8.3p1-4.fc17 or newer
  • configure Sudo to use the SSS back end
    • put sudoers: sss into /etc/nsswitch.conf
  • configure SSSD to run the Sudo responder and look up sudoers rules from an LDAP server
    • put a new record sudo into the services option in the [sssd] section of sssd.conf
    • specify the search base SSSD should look into using the ldap_sudo_search_base option in the domain section of sssd.conf
    • restart SSSD
  • test the online support
    • log in as a user allowed to run sudo
    • run sudo -l. You should see the list of sudo rules you are allowed to run
  • test the offline support:
    • turn off the network service or NetworkManager or shut down your LDAP server
    • sudo should still be able to look up the rules from SSSD. SSSD would return the rules from its cache instead of the server.


User Experience

In case the LDAP server is not reachable, sssd would seamlessly fall back to serving sudoers data from cache, allowing the user to continue using sudo. The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user might also notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time.

Dependencies

As stated above, this feature depends on changes in both sudo and SSSD. There are no other external dependencies.

Contingency Plan

None required, Fedora would keep using the LDAP lookup module in sudo.

Documentation

See man sssd-ldap and man sssd.conf. Search for options that contain "sudo".

There is a blog post with some user-centric documentation and a guide that explains how to migrate to an SSSD-backed setup.


Release Notes

Fedora 17 enables sudo to look up sudoers rules stored in LDAP using SSSD. The SSSD daemon caches the data, providing offline support for sudo, which means that sudo is able to function even without access to the LDAP server. Unifying the configuration in sssd.conf also brings the benefit of providing advanced features such as server fail over and fine-grained cache settings.

Comments and Discussion