A minimal setup for managing SUDO rules centrally on a directory server
On the directory server, enable the SUDO schema and create the following entries. The example sits under the dc=vm,dc=net context and enables user test to run SUDO on any host:
```ldif
dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
```
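Before loading an LDIF like the one above, it is worth checking that every sudoRole is complete and spotting rules that grant ALL commands on ALL hosts. The following is an added example, not part of the original page: a small LDIF parser and audit function run over a constructed copy of the page's three entries (it assumes simple `attr: value` lines with no continuation or base64 values).

```python
# Constructed sample: the three entries from the LDIF above (not a server dump).
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry. Attribute names are lower-cased
    (LDAP compares them case-insensitively); continuation/base64 lines are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_sudo_roles(entries):
    """Findings for sudoRole entries: a rule lacking sudoUser, sudoHost or sudoCommand
    can never match, and a rule granting ALL commands on ALL hosts deserves review."""
    findings = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "sudorole" not in classes or e.get("cn") == ["defaults"]:
            continue  # cn=defaults only carries sudoOption values, not a rule
        cn = e["cn"][0]
        for attr in ("sudouser", "sudohost", "sudocommand"):
            if attr not in e:
                findings.append(f"{cn}: missing {attr}")
        if "ALL" in e.get("sudohost", []) and "ALL" in e.get("sudocommand", []):
            users = ",".join(e.get("sudouser", []))
            findings.append(f"{cn}: ALL commands on ALL hosts for {users}")
    return findings
```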
On the directory client:

- Edit `/etc/nsswitch.conf` and add the line

  ```
  sudoers: ldap
  ```

  into it. The line instructs the C standard library to look for the SUDO policy via LDAP.

- Edit `/etc/ldap.conf` to add the following lines:

  ```
  host 127.0.0.1
  base dc=vm,dc=net
  sudoers_base ou=SUDOers,dc=vm,dc=net
  ```

  This configuration file contains the LDAP client configuration for operating-system components, not to be confused with `/etc/openldap2/ldap.conf`, which holds the default configuration for applications.