A minimal setup for managing SUDO rules centrally on a directory server

in #linux, 6 years ago

On the directory server, enable the SUDO schema and create the following entries. The example sits under the dc=vm,dc=net context and allows the user test to run sudo on any host:

dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL

On directory client:

  1. Edit /etc/nsswitch.conf and add the line `sudoers: ldap` to it. The line instructs the name-service switch of the C standard library to look up the sudo policy via LDAP.
  2. Edit /etc/ldap.conf and add the following lines:

     base dc=vm,dc=net
     sudoers_base ou=SUDOers,dc=vm,dc=net

     This file holds the LDAP client configuration for operating-system components; it is not to be confused with `/etc/openldap2/ldap.conf`, which holds the default configuration for applications.
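To see what the entries above actually grant before pushing them to a directory, here is an added example (not part of the original post, and not sudo's own code) that reads the LDIF shown above, keeps the sudoRole entries, and answers "may user U on host H run command C?" with a simplified model of sudoers.ldap matching. It also checks the two client-side settings from the steps above against sample file contents. The sample LDIF is a constructed copy of the post's entries; the extra role used in the comments, the group handling via `%group`, host globs and `!`-negated commands are the general sudoers.ldap syntax, which the post itself only uses in its simplest `ALL` form.

```python
"""Added example: evaluate sudoRole LDIF entries and check the client config.
Toy model of sudo's LDAP matching; not sudo's own code."""
import fnmatch
from typing import Dict, List, Optional, Sequence

# Constructed sample input: a copy of the LDIF entries shown in the post.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: rootpw

dn: cn=testrule,ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: sudoRole
cn: testrule
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, attribute names
    lower-cased (LDAP attribute names are case-insensitive), repeated attributes
    collected into lists. Base64 values (attr:: ...) are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # LDIF continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def sudo_roles(entries: List[Entry]) -> List[Entry]:
    """Keep only entries with objectClass sudoRole (the OU container is dropped)."""
    return [e for e in entries
            if any(v.lower() == "sudorole" for v in e.get("objectclass", []))]


def _user_matches(patterns: Sequence[str], user: str, groups: Sequence[str]) -> bool:
    # sudoUser: a login name, ALL, or %group
    return any(p == "ALL" or p == user or (p.startswith("%") and p[1:] in groups)
               for p in patterns)


def _host_matches(patterns: Sequence[str], host: str) -> bool:
    # sudoHost: a host name, ALL, or a shell-style glob
    return any(p == "ALL" or fnmatch.fnmatchcase(host, p) for p in patterns)


def allowed(roles: List[Entry], user: str, host: str, command: str,
            groups: Sequence[str] = ()) -> Optional[str]:
    """Return the cn of the first sudoRole granting `user` on `host` the right to
    run `command`, or None. sudoCommand matches ALL, an exact path or a glob; a
    leading '!' negates, and a matching negated command makes that role deny.
    The cn=defaults entry has no sudoUser and therefore never grants anything."""
    for role in roles:
        if not _user_matches(role.get("sudouser", []), user, groups):
            continue
        if not _host_matches(role.get("sudohost", []), host):
            continue
        granted = False
        for c in role.get("sudocommand", []):
            negated = c.startswith("!")
            pattern = c[1:].strip() if negated else c
            if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
                if negated:
                    granted = False
                    break
                granted = True
        if granted:
            return role.get("cn", ["?"])[0]
    return None


def default_options(roles: List[Entry]) -> List[str]:
    """sudoOption values from the cn=defaults entry (they apply to every rule)."""
    for r in roles:
        if r.get("cn", [""])[0] == "defaults":
            return r.get("sudooption", [])
    return []


def client_config_ok(nsswitch_text: str, ldap_conf_text: str) -> bool:
    """Check the two client settings from the post: nsswitch.conf must route
    'sudoers' to ldap, and /etc/ldap.conf must carry a sudoers_base."""
    has_nss = has_base = False
    for line in nsswitch_text.splitlines():
        key, _, sources = line.partition(":")
        if key.strip() == "sudoers" and "ldap" in sources.split():
            has_nss = True
    for line in ldap_conf_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "sudoers_base":
            has_base = True
    return has_nss and has_base


if __name__ == "__main__":
    roles = sudo_roles(parse_ldif(SAMPLE_LDIF))
    print("defaults:", default_options(roles))
    for who in ("test", "alice"):
        print(who, "/bin/ls ->", allowed(roles, who, "anyhost", "/bin/ls"))
```

Running it shows the point of the post's rule: `test` is granted on any host for any command by `testrule`, while a user the directory does not mention gets nothing, and the `cn=defaults` entry contributes options only. The same evaluator can be pointed at a real export (`ldapsearch -LLL -b ou=SUDOers,dc=vm,dc=net`) to review what an LDAP sudoers tree grants before it goes live.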
