A minimal setup for managing SUDO rules centrally on a directory server

in linux •  6 months ago

On the directory server, enable the SUDO schema and create the following entries. The example sits under the dc=vm,dc=net context and allows the user test to run sudo on any host:

dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
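To sanity-check rules like these before loading them into the directory, the following added example (not code from the original post) parses the two sudoRole entries above from a constructed LDIF string and evaluates, with a simplified model of the sudo LDAP backend's matching (ALL wildcards, plain user names, %group names; no negations or netgroups), whether a given user on a given host is granted a command:

```python
# Constructed sample: the cn=defaults and cn=testrule entries from the post.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr: [values]} dicts."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates the current entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = {}
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def sudo_roles(entries):
    """sudoRole entries that grant access; cn=defaults only carries sudoOption."""
    return [e for e in entries
            if "sudoRole" in e.get("objectClass", []) and e.get("cn") != ["defaults"]]

def _matches(values, candidate, groups=()):
    """Simplified sudoers matching: ALL matches anything, %name matches a group."""
    return any(v == "ALL" or v == candidate or
               (v.startswith("%") and v[1:] in groups) for v in values)

def may_run(entries, user, host, command, groups=()):
    """True if some sudoRole grants user@host the command (negations not handled)."""
    return any(_matches(r.get("sudoUser", []), user, groups)
               and _matches(r.get("sudoHost", []), host)
               and _matches(r.get("sudoCommand", []), command)
               for r in sudo_roles(entries))
```

With the post's testrule, may_run(parse_ldif(SAMPLE_LDIF), "test", "anyhost", "/bin/ls") is True, while any other user is denied because no rule names them.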

On the directory client:

  1. Edit /etc/nsswitch.conf and add the line sudoers: ldap to it. This line instructs the name service switch to look up the sudo policy via LDAP.
  2. Edit /etc/ldap.conf and add the following lines:
     host 127.0.0.1
     base dc=vm,dc=net
     sudoers_base ou=SUDOers,dc=vm,dc=net
     This file holds the LDAP client configuration for operating system components; it is not to be confused with `/etc/openldap2/ldap.conf`, which holds the default configuration for applications.