How to use LDAP to store sudoer information
We have an LDAP server and lots of working servers. Our users' info is in LDAP http://fclose.com/b/281/ . But the sudoers list is stored in /etc/sudoers. Now the question is, how to store the sudoers list in LDAP so that there is central control of it?
We are using Fedora 12 on both the LDAP server and the working servers.
ldap sudoers
asked Dec 6 '10 at 17:36
ericzma
3 Answers
Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.
- Make sure sudo is built with LDAP support.
- Update the LDAP schema.
- Import the sudoers file into LDAP.
- Configure the sudoers service in nsswitch.conf.
answered Dec 6 '10 at 20:33
grawity
Are there any GUI-based apps for managing sudoer rules in LDAP? Using an LDAP browser is not a very user-friendly way of managing a large number of sudo rules. FreeIPA has a UI for managing sudoer rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons).
– Saqib Ali
Oct 5 '16 at 19:57
The README.LDAP link is dead, as is the sudoers.ldap link.
– Dimitri Kopriwa
Sep 8 '18 at 0:26
Add a sudo entry like the one below:
dn: ou=sudoers,ou=people,dc=example,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudogroup
sudoUser: thomas
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
Add sudoers_base in ldap.conf for the client:
sudoers_base ou=sudoers,ou=people,dc=example,dc=com
and edit /etc/nsswitch.conf like below:
sudoers: files ldap
edited Mar 7 '12 at 18:58
answered Jan 17 '12 at 2:07
atolani
Do you have any reference we can rely on to understand that configuration?
– Dimitri Kopriwa
Sep 7 '18 at 20:05
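As an added illustration of how sudoRole entries like the one in this answer are consumed (example code written for this page, not part of the answer and not sudo's own code): a small Python script that parses a constructed LDIF modelled on the entry above, lists the roles that grant ALL commands on ALL hosts (the first thing to pull from the directory when reviewing who can become root where), and answers "may user U, member of groups G, run command C on host H" with a simplified model of the matching described in sudoers.ldap: login name or %group in sudoUser, ALL, exact hostname in sudoHost, and negated "!" sudoCommand entries denying. It is not sudo's real evaluator: it ignores sudoOrder, netgroups, wildcards, sudoRunAs and sudoOption. The second role, ops_restart, its hosts and the users alice and bob are constructed for the example.

```python
"""Audit sudoRole entries read from LDIF (added example; simplified model of
sudoers.ldap matching that ignores sudoOrder, netgroups, wildcards, sudoRunAs)."""

# Constructed LDIF: 'sudogroup' mirrors the answer above; 'ops_restart' is an
# invented, narrower role that shows host and command restrictions.
SAMPLE_LDIF = """\
dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudogroup
sudoUser: thomas
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL

dn: cn=ops_restart,ou=sudoers,ou=people,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops_restart
sudoUser: %ops
sudoHost: web01
sudoHost: web02
sudoCommand: /usr/bin/systemctl restart nginx
sudoCommand: !/usr/bin/systemctl restart sshd
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    repeated attributes collected into lists, folded lines joined; no base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr} not supported")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def sudo_roles(entries):
    """Keep only entries carrying the sudoRole object class."""
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def unrestricted_roles(roles):
    """cn of every role granting ALL commands on ALL hosts: review these first."""
    return [r["cn"][0] for r in roles
            if "ALL" in r.get("sudoHost", []) and "ALL" in r.get("sudoCommand", [])]


def user_matches(role, user, groups):
    """sudoUser may be a login name, ALL or %group (+netgroup and #uid ignored)."""
    for spec in role.get("sudoUser", []):
        if spec in ("ALL", user):
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def host_matches(role, host):
    return any(h in ("ALL", host) for h in role.get("sudoHost", []))


def command_matches(spec, command):
    """ALL matches anything; a spec without arguments matches the command with
    any arguments; a spec with arguments must match exactly."""
    if spec == "ALL":
        return True
    if " " in spec:
        return spec == command
    return command.split(" ", 1)[0] == spec


def role_verdict(role, command):
    """True if granted, False if a '!' entry explicitly denies, None if no match."""
    verdict = None
    for spec in role.get("sudoCommand", []):
        if command_matches(spec.lstrip("!"), command):
            if spec.startswith("!"):
                return False                  # explicit denial wins
            verdict = True
    return verdict


def may_run(roles, user, groups, host, command):
    """Grant only if an applicable role allows the command and none denies it."""
    verdicts = [role_verdict(r, command) for r in roles
                if user_matches(r, user, groups) and host_matches(r, host)]
    return False not in verdicts and True in verdicts


if __name__ == "__main__":
    roles = sudo_roles(parse_ldif(SAMPLE_LDIF))
    print("roles granting ALL on ALL hosts:", unrestricted_roles(roles))
    print("alice@web01 restart sshd:",
          may_run(roles, "alice", ["ops"], "web01", "/usr/bin/systemctl restart sshd"))
```

In a real audit the LDIF would come from `ldapsearch -b <sudoers_base> objectClass=sudoRole` on the directory, and the report from unrestricted_roles is what to compare against the list of people who are supposed to have full root.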
These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.
- Make sure sudo is built with LDAP support (see README.LDAP or this).
- Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).
- Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.
- Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
- Convert the existing sudoers file to LDIF format with cvtsudoers and add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.
- Create (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different from your LDAP implementation's, so the same information may need to be provided twice.
- Edit the sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see the sudoers.ldap manual). If caching with SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd, sssd-sudo.socket must be enabled; see the manual page for SSSD-SUDO).
answered Feb 3 at 0:22
eponymous
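The cvtsudoers step in the procedure above, shown as an added example rather than anything from the answer or from the sudo project: a Python converter that turns plain sudoers lines into sudoRole LDIF entries under the ou=SUDOers base used above, so you can see exactly what ends up in the directory and diff it against what cvtsudoers itself produces before running ldapadd. It handles only "user host=(runas) TAG: command" lines (no aliases, Defaults or #uid forms), emits the current sudoRunAsUser/sudoRunAsGroup attributes rather than the older sudoRunAs used in the other answer, assigns an increasing sudoOrder so later lines take precedence as they do in the file, and the sample sudoers content is constructed.

```python
"""Convert simple /etc/sudoers rules into sudoRole LDIF (added example; this is
not cvtsudoers and supports only plain 'user host=(runas) TAG: cmd' lines)."""
import re

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"   # the container from the answer above

# Constructed sample sudoers content.
SAMPLE_SUDOERS = """\
# trusted admins
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
thomas  web01,web02=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# sudoers tags and the sudoOption each maps to (the subset this example supports)
TAGS = {"NOPASSWD": "!authenticate", "PASSWD": "authenticate",
        "NOEXEC": "noexec", "EXEC": "!noexec",
        "SETENV": "setenv", "NOSETENV": "!setenv"}


def parse_sudoers(text):
    """Return one dict per rule: user, hosts, runas_user, runas_group, options,
    commands. Tags become role-wide options, so a line that mixes tagged and
    untagged commands should be split before conversion."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment (so #uid is unsupported)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + raw)
        options, commands = [], []
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0] in TAGS:
                tag, cmd = cmd.split(":", 1)
                if TAGS[tag] not in options:
                    options.append(TAGS[tag])
                cmd = cmd.strip()
            commands.append(cmd)
        runas_user = runas_group = None
        if m.group("runas") is not None:       # '(user:group)'; omitted means root
            runas_user, _, runas_group = m.group("runas").partition(":")
            runas_user = runas_user.strip() or None
            runas_group = runas_group.strip() or None
        rules.append({"user": m.group("user"), "hosts": m.group("hosts").split(","),
                      "runas_user": runas_user, "runas_group": runas_group,
                      "options": options, "commands": commands})
    return rules


def to_ldif(rules, base=SUDOERS_BASE):
    """Emit one sudoRole entry per rule, separated by blank lines as LDIF requires."""
    entries = []
    for n, r in enumerate(rules, start=1):
        cn = f"rule{n}"                        # cn is only a label; sudo matches on attributes
        lines = [f"dn: cn={cn},{base}", "objectClass: top", "objectClass: sudoRole",
                 f"cn: {cn}", f"sudoUser: {r['user']}"]
        lines += [f"sudoHost: {h}" for h in r["hosts"]]
        if r["runas_user"]:
            lines.append(f"sudoRunAsUser: {r['runas_user']}")
        if r["runas_group"]:
            lines.append(f"sudoRunAsGroup: {r['runas_group']}")
        lines += [f"sudoOption: {o}" for o in r["options"]]
        lines += [f"sudoCommand: {c}" for c in r["commands"]]
        lines.append(f"sudoOrder: {n}")        # ascending: later lines take precedence
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(parse_sudoers(SAMPLE_SUDOERS)), end="")
```

Running the script prints LDIF that can be reviewed (who gets ALL on ALL, which roles skip authentication) before it is loaded with ldapadd; since the sudoUser value is copied verbatim, a %wheel line becomes a role for that POSIX group, which is worth checking against the group's actual membership in the directory.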