Sudoers in LDAP


In addition to the standard sudoers file, sudo may be configured via LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment.
You need an LDAP server and client already configured; if you do not have them yet, see my previous posts. The LDAP schema extension for sudo is also required on the LDAP server; you can find it in the sudo distribution. Do not forget to index the sudoUser attribute. You also need LDAP support compiled into your sudo package.
Sudo reads the /etc/sudo-ldap.conf file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not sudo-specific. Note that sudo parses /etc/sudo-ldap.conf itself and may support options that differ from those described in the system’s ldap.conf(8) manual.
Here are some sudo-specific settings on Linux:

SUDOERS_BASE base
SUDOERS_SEARCH_FILTER ldap_filter
SUDOERS_TIMED on/true/yes/off/false/no
SUDOERS_DEBUG debug_level

The TCMsudo package for Solaris 10 that I installed (TCMsudo-ldap-1.8.15-sparc.pkg) stores its configuration in /etc/ldap.conf. I configured only the tls_cert path, the LDAP URIs and the search base there:

ssl on
tls_cert /var/ldap
uri ldaps://ldapsrvp01/ ldaps://ldapsrvp02/
sudoers_base ou=sudoers,dc=mycompany,dc=com

You can also set sudoers_debug there if you need to investigate how sudo behaves.
On the server side you can also set SERVICE_SEARCH_DESCRIPTOR in the Solaris LDAP profile, but I observed that it is not (always) necessary.

SERVICE_SEARCH_DESCRIPTOR sudoers:ou=sudoers,dc=mycompany,dc=com

The base sudo entry in the Directory Information Tree is a standard OU entry:

dn: ou=sudoers,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

Below this entry you should define the defaults for sudo as follows:

dn: cn=defaults,ou=sudoers,dc=mycompany,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudo.log
sudoOption: iolog_dir=/var/log/sudo-io/%{user}
sudoOption: log_input
sudoOption: log_output
sudoOption: always_set_home

You can also use the perl script 'sudoers2ldif', which is included in the sudo package (/usr/share/doc/sudoers or /usr/local/share/doc/sudo). This script creates the sudo defaults entry and migrates a given sudoers file to LDIF, which can then be imported into LDAP.
To use LDAP sudoers on a system you need to add the ldap source to the Name Service Switch, e.g.:
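The rules themselves are sudoRole entries below the same OU, which is also what sudoers2ldif produces from a sudoers file. The following LDIF is an added example, not from the original post or the sudo distribution; the group name, host names and command path are assumed. It lets members of the dba group run one backup script as oracle on two database hosts, with output logging, and it expires on a fixed date, which sudo only enforces when SUDOERS_TIMED is on:

```ldif
# Added example of a single sudoRole; group, hosts and command are constructed names
dn: cn=dba_backup,ou=sudoers,dc=mycompany,dc=com
objectClass: top
objectClass: sudoRole
cn: dba_backup
description: dba group may run the backup script as oracle on the DB hosts
# who the rule applies to; a group is written with a leading %, as in sudoers
sudoUser: %dba
# hosts the rule applies on, one value per host (ALL would match everywhere)
sudoHost: dbsrvp01
sudoHost: dbsrvp02
# target user; without sudoRunAsUser the rule defaults to root
sudoRunAsUser: oracle
# absolute command path; arguments may be appended to narrow what is allowed
sudoCommand: /usr/local/bin/db_backup.sh
# per-rule options, applied on top of those in cn=defaults
sudoOption: log_output
# when several entries match, the one with the highest sudoOrder wins (last-match semantics)
sudoOrder: 10
# expiry as a generalized-time stamp (yyyymmddHHMMSSZ); only checked with SUDOERS_TIMED enabled
sudoNotAfter: 20251231235959Z
```

Import it with ldapadd and check on a client with sudo -l; with sudoers_debug set in ldap.conf, sudo prints the LDAP query it runs and the entries that matched.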

% grep sudo /etc/nsswitch.conf
sudoers:    files ldap

Useful links:
https://linux.die.net/man/5/sudoers.ldap
https://www.sudo.ws/sudo/readme_ldap.html
https://www.sudo.ws/man/1.8.13/sudoers.man.html
Troubleshooting:
https://serverfault.com/questions/444219/troubleshooting-sudoers-via-ldap
