OpenLDAP and sudo


Make sure the sudo LDAP schema (schema.OpenLDAP, shipped in the sudo source tree) is loaded on the OpenLDAP server. Without it the server rejects sudoRole objects as an unknown objectClass. A role that lets members of the admin groups run anything, as any user, without a password looks like this. Note that sudoers-file tags such as NOPASSWD are not valid inside sudoCommand in LDAP: a value like "NOPASSWD: ALL" is treated as a literal command name and does not grant what was intended. The tag is expressed with sudoOption: !authenticate instead.

dn: cn=admins,ou=SUDOers,dc=example,dc=org
description: Allow admins to do anything without a password.
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoUser: %all-admins
sudoUser: %host-admins
sudoUser: root
sudoHost: ALL
# sudoRunAsUser replaces the older sudoRunAs attribute; old schemas still accept sudoRunAs
sudoRunAsUser: ALL
sudoCommand: ALL
# NOPASSWD tag, LDAP style
sudoOption: !authenticate
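Before loading a batch of sudoRole entries, it is worth checking them for the mistakes above and confirming which roles actually match a given user and host. The following is an added example, not code from this page or from the sudo project: a small LDIF lint plus a simulator of the sudoUser/sudoHost matching rules described in sudoers.ldap(5). The LDIF it parses is constructed for the example (the second entry deliberately carries a NOPASSWD: tag in sudoCommand and the deprecated sudoRunAs attribute); netgroups (+name) and #uid specs are not simulated.

```python
"""Lint sudoRole LDIF entries and simulate which roles match a user on a host.

Added example for the OpenLDAP/sudo page; not part of sudo. The LDIF below is
constructed for this example. Matching rules follow sudoers.ldap(5) for the
common cases (ALL, user name, %group, host name); +netgroup and #uid are
not simulated and simply never match.
"""

# Tags that belong to the sudoers *file* syntax. In LDAP they must be
# expressed as sudoOption values instead (NOPASSWD -> "!authenticate").
FILE_ONLY_TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:",
                  "SETENV:", "NOSETENV:", "LOG_INPUT:", "NOLOG_INPUT:",
                  "LOG_OUTPUT:", "NOLOG_OUTPUT:")

# Constructed sample: one correct role and one with two common mistakes.
SAMPLE_LDIF = """\
dn: cn=admins,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=broken,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: broken
sudoUser: %helpdesk
sudoHost: web1
sudoRunAs: ALL
sudoCommand: NOPASSWD: /usr/bin/systemctl restart httpd
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr_lower: [values]} dicts.

    Handles comments, blank-line separated entries and folded continuation
    lines; base64 ('::') and URL (':<') values are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                   # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = {"dn": [value]}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def lint_role(entry):
    """Return a list of problems to fix before loading the entry."""
    problems = []
    dn = entry["dn"][0]
    if "sudorole" not in (oc.lower() for oc in entry.get("objectclass", [])):
        problems.append(f"{dn}: missing objectClass sudoRole")
    for required in ("sudouser", "sudohost", "sudocommand"):
        if required not in entry:
            problems.append(f"{dn}: no {required} attribute, role can never match")
    for cmd in entry.get("sudocommand", []):
        if cmd.upper().startswith(FILE_ONLY_TAGS):
            tag = cmd.split(":", 1)[0]
            problems.append(f"{dn}: sudoCommand '{cmd}' carries sudoers-file tag "
                            f"{tag}; in LDAP tags are sudoOption values "
                            "(NOPASSWD -> '!authenticate')")
    if "sudorunas" in entry:
        problems.append(f"{dn}: sudoRunAs is deprecated, use sudoRunAsUser")
    return problems


def user_matches(entry, user, groups):
    """sudoUser: ALL, a literal user name, or %group (group membership)."""
    for spec in entry.get("sudouser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and not spec.startswith("%#") and spec[1:] in groups:
            return True
    return False


def host_matches(entry, host):
    """sudoHost: ALL or a host name (case-insensitive)."""
    return any(spec == "ALL" or spec.lower() == host.lower()
               for spec in entry.get("sudohost", []))


def requires_password(entry):
    """sudo prompts unless the role carries sudoOption: !authenticate."""
    return "!authenticate" not in entry.get("sudooption", [])


def matching_roles(entries, user, groups, host):
    """DNs of roles whose sudoUser and sudoHost both match."""
    return [e["dn"][0] for e in entries
            if user_matches(e, user, groups) and host_matches(e, host)]


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    for role in roles:
        for problem in lint_role(role):
            print("LINT:", problem)
    print("alice@web1:", matching_roles(roles, "alice", ["admins"], "web1"))
```

Run it against an `ldapsearch -LLL -b ou=SUDOers,dc=example,dc=org '(objectClass=sudoRole)'` dump instead of SAMPLE_LDIF to check a live directory; compare the simulator's answer with `sudo -l` on the client to confirm the host is really consulting LDAP.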

Configure clients to look up sudoers in LDAP. The setting goes in the ldap.conf that sudo was built to read, next to the existing uri/base/binddn settings (/etc/ldap.conf here; Debian-based builds read /etc/sudo-ldap.conf). With sudo 1.7 and later also add `sudoers: files ldap` to /etc/nsswitch.conf, otherwise sudo only reads the local /etc/sudoers and never queries the directory:

# Setup ldap-based sudoers config
sudoers_base   ou=SUDOers,dc=example,dc=org

Debugging of the LDAP sudoers lookup is controlled by sudoers_debug in the same file. The output is printed to the standard error of the sudo invocation, so level 2 shows every user which rules were matched; turn it back to 0 once the lookup works:

# 0 = off
# 1 = moderate debugging
# 2 = results of matching
sudoers_debug [0|1|2]


Issues

I have issues getting hosts that are configured to use winbind to work. I can enumerate local sudoers info but not LDAP-based sudo roles.


References

Official sudo LDAP README (README.LDAP in the sudo source distribution; the same material is in the sudoers.ldap(5) manual page)
