
    How to add "ALL=(ALL) ALL" access in the FreeIPA

    There are scenarios where you need to let one user, or a whole group of users, run any command through sudo. In a plain sudoers file that is done with a line like the following, which lets every member of the wheel group run any command (ALL) as any user ((ALL)) on any host (ALL):

    %wheel  ALL=(ALL)       ALL

    The same policy can be defined centrally in FreeIPA as a sudo rule, either with "ipa sudorule-add" on the command line or in the FreeIPA web UI. Enrolled clients receive the rule through SSSD, so it does not have to be copied into the sudoers file of every host.

    [root@freeipa /]#  ipa sudorule-add --help
    Usage: ipa [global-options] sudorule-add SUDORULE-NAME [options]

    Create new Sudo Rule.
    Options:
      -h, --help            show this help message and exit
      --desc=STR            Description
      --usercat=['all']     User category the rule applies to
      --hostcat=['all']     Host category the rule applies to
      --cmdcat=['all']      Command category the rule applies to
      --runasusercat=['all']
                            RunAs User category the rule applies to
      --runasgroupcat=['all']
                            RunAs Group category the rule applies to
      --order=INT           integer to order the Sudo rules
      --externaluser=STR    External User the rule applies to (sudorule-find only)
      --runasexternaluser=STR
                            External User the commands can run as (sudorule-find
                            only)
      --runasexternalgroup=STR
                            External Group the commands can run as (sudorule-find
                            only)
      --setattr=STR         Set an attribute to a name/value pair. Format is
                            attr=value. For multi-valued attributes, the command
                            replaces the values already present.
      --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                            attribute must be part of the schema.
      --all                 Retrieve and print all attributes from the server.
                            Affects command output.
      --raw                 Print entries as stored on the server. Only affects
                            output format.
      --no-members          Suppress processing of membership attributes.
    [root@freeipa /]#


    We create a "sudo rule" with these options. Note that the category options (--cmdcat, --hostcat, --usercat, --runasusercat, --runasgroupcat) accept only the single value "all"; they are the FreeIPA counterpart of the ALL keywords in the sudoers line. A rule that allows any command is created with:

    ipa sudorule-add --cmdcat=all allcomman

    A rule created this way applies to nobody yet: it has no users, no hosts and no RunAs user. To match "%wheel ALL=(ALL) ALL" you also set the RunAs user category to "all", attach the user group with "ipa sudorule-add-user allcomman --groups=wheel", and either set --hostcat=all or add specific hosts. If the rule should only apply to a group of hosts, do not use --hostcat (it cannot name a host group); add the host group to the rule instead:

    ipa sudorule-add --cmdcat=all --runasusercat=all allcomman
    ipa sudorule-add-host allcomman --hostgroups=webhosts

    Check whether the rule was created. "sudorule-find" does a case-insensitive substring match on the rule name, so searching for "All" finds "allcomman":

    ipa sudorule-find All


    [root@freeipa /]# ipa sudorule-find All
    -------------------
    1 Sudo Rule matched
    -------------------
      Rule name: allcomman
      Enabled: TRUE
      Command category: all
    ----------------------------
    Number of entries returned 1
    ----------------------------
    [root@freeipa /]#
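    The whole command-line procedure above, collected into an added shell script. This script is not from the original post; the rule name "allcomman", the IPA user group "wheel" and the IPA host group "webhosts" are assumptions, and the group and host group must already exist in FreeIPA. Setting IPA_CMD="echo ipa" turns the script into a dry run that only prints the ipa commands it would execute.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the sudoers line
#   %wheel  ALL=(ALL)  ALL
# as a FreeIPA sudo rule. Rule name "allcomman", group "wheel" and host
# group "webhosts" are assumptions; the group and host group must exist
# in IPA before the rule can reference them.
set -eu

# IPA_CMD="echo ipa" turns this into a dry run that only prints commands.
IPA_CMD="${IPA_CMD:-ipa}"

# Print, one per line, the ipa subcommands (without the leading "ipa") that
# build the rule: any command, run as any user, for one user group, on either
# every host (no third argument) or one host group.
sudorule_commands() {
    rule="$1"; group="$2"; hostgroup="${3:-}"
    # --cmdcat=all       is the trailing ALL  (any command)
    # --runasusercat=all is the (ALL)         (may run as any user)
    # --hostcat is deliberately omitted when a host group is given: a rule
    # cannot have both a host category and explicit hosts.
    if [ -n "$hostgroup" ]; then
        printf '%s\n' "sudorule-add $rule --cmdcat=all --runasusercat=all"
        printf '%s\n' "sudorule-add-host $rule --hostgroups=$hostgroup"
    else
        printf '%s\n' "sudorule-add $rule --cmdcat=all --runasusercat=all --hostcat=all"
    fi
    # The rule applies to nobody until a user or group is attached.
    printf '%s\n' "sudorule-add-user $rule --groups=$group"
    # Show everything the server stored, to confirm categories and members.
    printf '%s\n' "sudorule-show $rule --all"
}

# Feed every generated line to the ipa client. $line is left unquoted on
# purpose so the shell splits it into separate arguments.
apply_sudorule() {
    sudorule_commands "$@" | while IFS= read -r line; do
        $IPA_CMD $line
    done
}

# Uncomment to apply for real (needs a valid Kerberos ticket: kinit admin):
# apply_sudorule allcomman wheel webhosts
```

    After the rule exists, verify it on an enrolled client as a member of the group with "sudo -l". SSSD refreshes sudo rules on a schedule, so a rule created a moment ago may not be visible on the client until the cache is invalidated with "sss_cache -E" or the refresh interval has passed.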

    GUI:

    To do the same in the FreeIPA web UI, follow these steps:

    Go to Policy --> Sudo --> Sudo Rules and add a new rule.

    Open the rule. In the "Run Commands" section choose "Any Command". In the "Who" section add the user group that should get the access, and under "Access this host" either choose "Anyone" or add a host group; a rule with no users applies to nobody. Then click "Save" at the top.
