A minimal setup for managing SUDO rules centrally on a directory server

ghz (25)in #linux • 6 years ago

On directory server, enable SUDO schema and create the following entities, the example sits under dc=vm,dc=net context and enables user test to run SUDO on any host:

dn: ou=SUDOers,dc=vm,dc=net
objectClass: top
objectClass: organizationalunit
ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=vm,dc=net

objectClass: top

objectClass: sudoRole

cn: defaults

description: Default sudoOption's go here

sudoOption: env_keep+=SSH_AUTH_SOCK

sudoOption: rootpw
dn: cn=testrule,ou=SUDOers,dc=vm,dc=net

objectClass: top

objectClass: sudoRole

cn: testrule

sudoUser: test

sudoHost: ALL

sudoCommand: ALL

On directory client:

Edit /etc/nsswitch.conf and add line sudoers: ldap into it. The line instructs C standard library to look for SUDO policy via LDAP.
Edit /etc/ldap.conf to add the following lines:

host 127.0.0.1
base dc=vm,dc=net
sudoers_base ou=SUDOers,dc=vm,dc=net

The configuration file contains LDAP client configuration for operating system components, not to be confused with `/etc/openldap2/ldap.conf`that has default configuration for applications.

#sysadmin #ldap #directory

6 years ago in #linux by ghz (25)

$0.00

STEEM 0.19

TRX 0.13

JST 0.030

BTC 63824.30

ETH 3420.53

USDT 1.00

SBD 2.54

A minimal setup for managing SUDO rules centrally on a directory server

Coin Marketplace