{"id":729,"date":"2017-06-28T09:23:39","date_gmt":"2017-06-28T07:23:39","guid":{"rendered":"http:\/\/drfugazi.eu.org\/?p=729"},"modified":"2021-04-21T15:14:02","modified_gmt":"2021-04-21T13:14:02","slug":"sudoers-in-ldap","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/sudoers-in-ldap\/","title":{"rendered":"Sudoers in LDAP"},"content":{"rendered":"

\"\"<\/a>
\nIn addition to the standard sudoers file, sudo may be configured via LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment.
\nYou need to have LDAP server and client configured, if you do not have already, see my previous posts. LDAP schema extension for sudo is also required on LDAP server, you can find it in sudo disribution. Do not forget to index sudoUser attribute. You need also LDAP support compiled in your sudo package.
\nSudo reads the \/etc\/sudo-ldap.conf file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not sudo-specific. Note that sudo parses \/etc\/sudo-ldap.conf itself and may support options that differ from those described in the system’s ldap.conf(8) manual.
\nHere are some sudo specific settings in Linux:<\/p>\n

\r\nSUDOERS_BASE base\r\nSUDOERS_SEARCH_FILTER ldap_filter\r\nSUDOERS_TIMED on\/true\/yes\/off\/false\/no\r\nSUDOERS_DEBUG debug_level\r\n<\/pre>\n
TCMsudo package for Solaris 10 (TCMsudo-ldap-1.8.15-sparc.pkg), which I installed stores configuration in \/etc\/ldap.conf, I configured there only tls_cert path, LDAP URI and search base:<\/p>\n
\r\nssl on\r\ntls_cert \/var\/ldap\r\nuri ldaps:\/\/ldapsrvp01\/ ldaps:\/\/ldapsrvp02\/\r\nsudoers_base ou=sudoers,dc=mycompany,dc=com\r\n<\/pre>\n
you can also set sudoers_debug there if you need to investigate how it behaves.
\nOn the server side you can also set SERVICE_SEARCH_DESCRIPTOR in Solaris LDAP profile, but I observed that it is not (always) necessary.<\/p>\n
\r\nSERVICE_SEARCH_DESCRIPTOR sudoers:ou=sudoers,dc=mycompany,dc=com\r\n<\/pre>\n
The base sudo entry in Directory Information Tree is a standard OU entry:<\/p>\n
\r\ndn: ou=sudoers,dc=mycompany,dc=com\r\nobjectClass: top\r\nobjectClass: organizationalUnit\r\nou: sudoers\r\n<\/pre>\n
Below this entry you should define defaults for sudo as follows:<\/p>\n
\r\ndn: cn=defaults,ou=sudoers,dc=mycompany,dc=com\r\nobjectClass: sudoRole\r\nobjectClass: top\r\ncn: defaults\r\ndescription: Default sudoOption's go here\r\nsudoOption: logfile=\/var\/log\/sudo.log\r\nsudoOption: iolog_dir=\/var\/log\/sudo-io\/%{user}\r\nsudoOption: log_input\r\nsudoOption: log_output\r\nsudoOption: always_set_home\r\n<\/pre>\n
You can also use a perl script called ‘sudoers2ldif’, which is included in sudoers package (\/usr\/share\/doc\/sudoers or \/usr\/local\/share\/doc\/sudo). This script can create sudo defaults entry and also migrate given sudoers file to LDIF, which can be imported to LDAP.
\nTo use LDAP sudoers in system you need to add ldap source to Name Service Switch, e.g.:<\/p>\n
\r\n% grep sudo \/etc\/nsswitch.conf\r\nsudoers:    files ldap\r\n<\/pre>\n
Useful links:
\nhttps:\/\/linux.die.net\/man\/5\/sudoers.ldap<\/a>
\nhttps:\/\/www.sudo.ws\/sudo\/readme_ldap.html<\/a>
\nhttps:\/\/www.sudo.ws\/man\/1.8.13\/sudoers.man.html<\/a>
\nTroubleshooting:
\nhttps:\/\/serverfault.com\/questions\/444219\/troubleshooting-sudoers-via-ldap<\/a>
\n<\/p>","protected":false},"excerpt":{"rendered":"
In addition to the standard sudoers file, sudo may be configured via LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment. You need to have LDAP server and client...<\/p>\n","protected":false},"author":1,"featured_media":735,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115,98,108],"tags":[6,99,44,9],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2017\/06\/sudo-sudoers-make-me-sandwich.jpg?fit=360%2C299&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-bL","jetpack-related-posts":[{"id":228,"url":"https:\/\/drfugazi.eu.org\/en\/instalacja-i-konfiguracja-openldap\/","url_meta":{"origin":729,"position":0},"title":"Instalacja i konfiguracja OpenLDAP","author":"drfugazi","date":"Monday November 22nd, 2010","format":false,"excerpt":"Instalacja i podstawowa konfiguracja us\u0142ugi katalogowej LDAP (OpenLDAP) na Ubuntu: drfugazi@charr:~% sudo aptitude install slapd ldap-utils Opis wzorowany jest na angielskim opisie dla Karmic Koala na HowtoForge. Ja jestem przyzwyczajony do konfigurowania LDAPa w pliku slapd.conf, ale to stara szko\u0142a. Tutaj dostajemy mo\u017cliwo\u015b\u0107 dynamicznej konfiguracji bez konieczno\u015bci restartu serwera LDAP.\u2026","rel":"","context":"In \"Konfiguracja\"","block_context":{"text":"Konfiguracja","link":"https:\/\/drfugazi.eu.org\/en\/tag\/konfiguracja\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":332,"url":"https:\/\/drfugazi.eu.org\/en\/instalacja-i-konfiguracja-openldap\/","url_meta":{"origin":729,"position":1},"title":"Instalacja i konfiguracja OpenLDAP","author":"","date":"Monday November 22nd, 2010","format":false,"excerpt":"Instalacja i podstawowa konfiguracja us\u0142ugi katalogowej LDAP (OpenLDAP) na Ubuntu: drfugazi@charr:~% sudo aptitude install slapd ldap-utils Opis wzorowany jest na angielskim opisie dla Karmic Koala na HowtoForge. Ja jestem przyzwyczajony do konfigurowania LDAPa w pliku slapd.conf, ale to stara szko\u0142a. Tutaj dostajemy mo\u017cliwo\u015b\u0107 dynamicznej konfiguracji bez konieczno\u015bci restartu serwera LDAP.\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":232,"url":"https:\/\/drfugazi.eu.org\/en\/konfiguracja-dostarczania-poczty-w-oparciu-o-ldap\/","url_meta":{"origin":729,"position":2},"title":"Konfiguracja dostarczania poczty w oparciu o LDAP","author":"drfugazi","date":"Saturday December 18th, 2010","format":false,"excerpt":"Ostatnio pisa\u0142em o konfiguracji uwierzytelniania u\u017cytkownik\u00f3w w katalogu LDAP aby mogli odbiera\u0107 i wysy\u0142a\u0107 poczt\u0119. Teraz czas na konfiguracj\u0119 Postfixa aby t\u0119 poczt\u0119 dostarcza\u0142 do w\u0142a\u015bciwych domen i skrzynek. Je\u015bli kompilujecie\/instalujecie Postfixa samodzielnie, to nale\u017cy pami\u0119ta\u0107 o wkompilowaniu wsparcia dla LDAP oraz wskazaniu \u015bcie\u017cki do bibliotek LDAP. Ja p\u00f3jd\u0119 na\u2026","rel":"","context":"In \"LDAP\"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/tag\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":229,"url":"https:\/\/drfugazi.eu.org\/en\/konwersja-schematu-do-ldif\/","url_meta":{"origin":729,"position":3},"title":"Kowersja schematu LDAP do LDIF","author":"drfugazi","date":"Saturday November 27th, 2010","format":false,"excerpt":"Pot\u0119g\u0105 us\u0142ugi katalogowej LDAP jest mo\u017cliwo\u015b\u0107 definiowania w\u0142asnych atrybut\u00f3w, klas obiekt\u00f3w, regu\u0142 itp. i grupowania ich w tzw. schematy, kt\u00f3re mo\u017cna dodawa\u0107 do konfiguracji. Na dzie\u0144 dzisiejszy jednak wi\u0119kszo\u015b\u0107 schemat\u00f3w, kt\u00f3re znajdziecie w sieci jest zorganizowana w bloki zawieraj\u0105ce definicje atrybut\u00f3w i klas obiekt\u00f3w, wygl\u0105da to mniej wi\u0119cej tak: definicja\u2026","rel":"","context":"In \"Konfiguracja\"","block_context":{"text":"Konfiguracja","link":"https:\/\/drfugazi.eu.org\/en\/tag\/konfiguracja\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":599,"url":"https:\/\/drfugazi.eu.org\/en\/ldap-server-for-solaris-and-linux-clients\/","url_meta":{"origin":729,"position":4},"title":"LDAP server for Solaris and Linux clients","author":"drfugazi","date":"Thursday June  2nd, 2016","format":false,"excerpt":"Few months ago I received a task to set up LDAP authentication for Solaris 10, Solaris 11 and Linux machines in Customer's infrastructure. As LDAP server was chosen OpenLDAP 2.4.x in Master-Slave configuration with SSL\/TLS support. Servers was installed on Virtual Machines with CentOS 6.7. I will not describe LDAP\u2026","rel":"","context":"In "LDAP"","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"LDAP DIT","src":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2016\/06\/LDAP-DIT.jpg?fit=1200%2C1016&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":333,"url":"https:\/\/drfugazi.eu.org\/en\/konwersja-schematu-ldif\/","url_meta":{"origin":729,"position":5},"title":"Konwersja schematu do LDIF","author":"","date":"Saturday November 27th, 2010","format":false,"excerpt":"Pot\u0119g\u0105 us\u0142ugi katalogowej LDAP jest mo\u017cliwo\u015b\u0107 definiowania w\u0142asnych atrybut\u00f3w, klas obiekt\u00f3w, regu\u0142 itp. i grupowania ich w tzw. schematy, kt\u00f3re mo\u017cna dodawa\u0107 do konfiguracji. Na dzie\u0144 dzisiejszy jednak wi\u0119kszo\u015b\u0107 schemat\u00f3w, kt\u00f3re znajdziecie w sieci jest zorganizowana w bloki zawieraj\u0105ce definicje atrybut\u00f3w i klas obiekt\u00f3w, wygl\u0105da to mniej wi\u0119cej tak: definicja\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/729"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=729"}],"version-history":[{"count":7,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/729\/revisions"}],"predecessor-version":[{"id":782,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/729\/revisions\/782"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media\/735"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}