
29th July 2023.
These are instructions on how to make your LDAP user able to run “sudo” on all the Linux machines in your domain.
Source: https://www.digitalocean.com/community/tutorials/how-to-configure-a-freeipa-client-on-centos-7
Put the user in the Admins group…
Below groups are created by default at the installation and configuration of FreeIPA Server:
admins – Consists of all users with administrative privileges, including the default admin user
ipausers – Consists of all FreeIPA users
trust admins – Users with privileges to manage the Active Directory trusts
… With IPA WebGUI
Go to Identity > Users > click on your user, in my case Sysadm > User Groups > +Add
Add your user to the group admins
… With IPA CLI
[root@sauna-ipa /]# kinit admin
Password for admin@BASTUKLUBBEN.ONLINE:
[root@sauna-ipa /]# ipa group-add-member admins --user sysadm
Note: For more examples of CLI commands on how to add/delete/modify users and groups, I recommend this article:
https://computingforgeeks.com/manage-users-and-groups-in-freeipa-using-cli/?expand_article=1
Configure sudo rule
From the Web UI:
Click Policy > Sudo > Sudo Rules > Add
Name the Sudo Rule. For example: "Sudoers"
Go into the “Sudoers” rule. Under the Who > User Groups section, click Add and choose the admins group.
To define the group members to be full admins for the entire FreeIPA domain:
Under Access this host, select Any host.
Under Run Commands, select Any Command.
Under As Whom, select Anyone and Any Group.
Note: This is where you could restrict which machines the user is allowed to run sudo on, the commands that can be run with sudo, and which users can be impersonated.
Your rule should now be active; however, it may take some time to propagate. You may have to restart the sshd service for sudo rules to take effect. To do this, you can run systemctl restart sshd.service on the IPA client.
As you can see, the user sysadm is allowed to run sudo commands:
sysadm@sauna-nms:~$ sudo service sshd status
[sudo] password for sysadm:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2023-07-26 19:54:30 UTC; 2 days ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 963 (sshd)
Tasks: 1 (limit: 4555)
Memory: 5.4M
CPU: 196ms
CGroup: /system.slice/ssh.service
└─963 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
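The same "Configure sudo rule" steps can be done from the IPA CLI. The script below is an added example, not part of the original post or of FreeIPA itself; it assumes you already hold a ticket (kinit admin) and that the ipa client tools are installed. With no host group or command group given it builds the full-admin rule from the post (any host, any command, run as anyone); with them it builds the restricted variant the Note above mentions. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the Web UI "Configure sudo rule" steps.
# Assumes: existing Kerberos ticket (kinit admin) and ipa client tools.
set -eu

# run_ipa: execute one ipa command, or print it when DRY_RUN=1.
run_ipa() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'ipa %s\n' "$*"
  else
    ipa "$@"
  fi
}

# create_sudo_rule RULE GROUP [HOSTGROUP] [CMDGROUP]
# RULE and GROUP follow the post ("Sudoers", "admins"). HOSTGROUP and CMDGROUP
# are optional IPA host group / sudo command group names (assumed to exist);
# when omitted the rule is unrestricted, exactly as configured in the Web UI.
create_sudo_rule() {
  local rule="$1" group="$2" hostgroup="${3:-}" cmdgroup="${4:-}"
  run_ipa sudorule-add "$rule"
  # Who: the user group
  run_ipa sudorule-add-user "$rule" --groups="$group"
  # Access this host: named host group, or "Any host"
  if [ -n "$hostgroup" ]; then
    run_ipa sudorule-add-host "$rule" --hostgroups="$hostgroup"
  else
    run_ipa sudorule-mod "$rule" --hostcat=all
  fi
  # Run commands: named sudo command group, or "Any Command"
  if [ -n "$cmdgroup" ]; then
    run_ipa sudorule-add-allow-command "$rule" --sudocmdgroups="$cmdgroup"
  else
    run_ipa sudorule-mod "$rule" --cmdcat=all
  fi
  # As whom: "Anyone" and "Any Group"
  run_ipa sudorule-mod "$rule" --runasusercat=all --runasgroupcat=all
}

# Example invocation (constructed names): restricted rule for one host group.
# create_sudo_rule Sudoers admins nms-hosts service-ctl
```

On the client, sss_cache -E drops SSSD's cached rules so you do not have to wait for propagation, and sudo -l shows which rules the logged-in user now has.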