How to use LDAP to store sudoer information












1















We have a LDAP server and lots working servers. Our user's info are in LDAP http://fclose.com/b/281/ . But sudoers list is stored in /etc/sudoers. Now the question is, how to store sudoers list in LDAP so that there is a center control of it?



We are using Fedora 12 on both LDAP server and working servers.










share|improve this question



























    1















    We have a LDAP server and lots working servers. Our user's info are in LDAP http://fclose.com/b/281/ . But sudoers list is stored in /etc/sudoers. Now the question is, how to store sudoers list in LDAP so that there is a center control of it?



    We are using Fedora 12 on both LDAP server and working servers.










    share|improve this question

























      1












      1








      1


      1






      We have a LDAP server and lots working servers. Our user's info are in LDAP http://fclose.com/b/281/ . But sudoers list is stored in /etc/sudoers. Now the question is, how to store sudoers list in LDAP so that there is a center control of it?



      We are using Fedora 12 on both LDAP server and working servers.










      share|improve this question














      We have a LDAP server and lots working servers. Our user's info are in LDAP http://fclose.com/b/281/ . But sudoers list is stored in /etc/sudoers. Now the question is, how to store sudoers list in LDAP so that there is a center control of it?



      We are using Fedora 12 on both LDAP server and working servers.







      ldap sudoers






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 6 '10 at 17:36









      ericzmaericzma

      5181512




      5181512






















          3 Answers
          3






          active

          oldest

          votes


















          3














          Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.




          1. Make sure sudo is built with LDAP support.

          2. Update the LDAP schema.

          3. Import sudoers file into LDAP.

          4. Configure the sudoers service in nsswitch.conf.






          share|improve this answer
























          • Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

            – Saqib Ali
            Oct 5 '16 at 19:57











          • README.LDAP link is dead, so as sudoers.ldap link.

            – Dimitri Kopriwa
            Sep 8 '18 at 0:26





















          2














          Add sudo entry like below



          dn: ou=sudoers,ou=people,dc=example,dc=com
          ou: sudoers
          objectClass: top
          objectClass: organizationalUnit

          dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
          objectClass: top
          objectClass: sudoRole
          cn: sudogroup
          sudoUser: thomas
          sudoHost: ALL
          sudoRunAs: ALL
          sudoCommand: ALL


          Add sudoers_base in ldap.conf for client.



          sudoers_base ou=sudoers,ou=people,dc=example,dc=com


          & Edit /etc/nsswitch.conf like below



          sudoers : files ldap





          share|improve this answer


























          • Do you have any reference we can rely on to understand that configuration?

            – Dimitri Kopriwa
            Sep 7 '18 at 20:05



















          0














          These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.




          1. Make sure sudo is built with LDAP support. (see README.LDAP or this)

          2. Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).

          3. Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.


          4. Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:



            dn: ou=SUDOers,dc=example,dc=com
            objectClass: top
            objectClass: organizationalUnit
            ou: SUDOers



          5. Convert the existing sudoers file to LDIF format with cvtsudoers add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.


          6. Creat (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different than your LDAP implementation, so the same information may need to be provided twice.

          7. Edit sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see sudoers.ldap manual). If caching w/ SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd sssd-sudo.socket must be enabled (see manual page for SSSD-SUDO))






          share|improve this answer
























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f219077%2fhow-to-use-ldap-to-store-sudoer-information%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3














            Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.




            1. Make sure sudo is built with LDAP support.

            2. Update the LDAP schema.

            3. Import sudoers file into LDAP.

            4. Configure the sudoers service in nsswitch.conf.






            share|improve this answer
























            • Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

              – Saqib Ali
              Oct 5 '16 at 19:57











            • README.LDAP link is dead, so as sudoers.ldap link.

              – Dimitri Kopriwa
              Sep 8 '18 at 0:26


















            3














            Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.




            1. Make sure sudo is built with LDAP support.

            2. Update the LDAP schema.

            3. Import sudoers file into LDAP.

            4. Configure the sudoers service in nsswitch.conf.






            share|improve this answer
























            • Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

              – Saqib Ali
              Oct 5 '16 at 19:57











            • README.LDAP link is dead, so as sudoers.ldap link.

              – Dimitri Kopriwa
              Sep 8 '18 at 0:26
















            3












            3








            3







            Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.




            1. Make sure sudo is built with LDAP support.

            2. Update the LDAP schema.

            3. Import sudoers file into LDAP.

            4. Configure the sudoers service in nsswitch.conf.






            share|improve this answer













            Follow the official instructions from README.LDAP, and the sudoers.ldap manual page.




            1. Make sure sudo is built with LDAP support.

            2. Update the LDAP schema.

            3. Import sudoers file into LDAP.

            4. Configure the sudoers service in nsswitch.conf.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Dec 6 '10 at 20:33









            grawitygrawity

            242k37511568




            242k37511568













            • Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

              – Saqib Ali
              Oct 5 '16 at 19:57











            • README.LDAP link is dead, so as sudoers.ldap link.

              – Dimitri Kopriwa
              Sep 8 '18 at 0:26





















            • Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

              – Saqib Ali
              Oct 5 '16 at 19:57











            • README.LDAP link is dead, so as sudoers.ldap link.

              – Dimitri Kopriwa
              Sep 8 '18 at 0:26



















            Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

            – Saqib Ali
            Oct 5 '16 at 19:57





            Are there any GUI based apps for managing Sudoer Rules in LDAP? Using a LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)

            – Saqib Ali
            Oct 5 '16 at 19:57













            README.LDAP link is dead, so as sudoers.ldap link.

            – Dimitri Kopriwa
            Sep 8 '18 at 0:26







            README.LDAP link is dead, so as sudoers.ldap link.

            – Dimitri Kopriwa
            Sep 8 '18 at 0:26















            2














            Add sudo entry like below



            dn: ou=sudoers,ou=people,dc=example,dc=com
            ou: sudoers
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
            objectClass: top
            objectClass: sudoRole
            cn: sudogroup
            sudoUser: thomas
            sudoHost: ALL
            sudoRunAs: ALL
            sudoCommand: ALL


            Add sudoers_base in ldap.conf for client.



            sudoers_base ou=sudoers,ou=people,dc=example,dc=com


            & Edit /etc/nsswitch.conf like below



            sudoers : files ldap





            share|improve this answer


























            • Do you have any reference we can rely on to understand that configuration?

              – Dimitri Kopriwa
              Sep 7 '18 at 20:05
















            2














            Add sudo entry like below



            dn: ou=sudoers,ou=people,dc=example,dc=com
            ou: sudoers
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
            objectClass: top
            objectClass: sudoRole
            cn: sudogroup
            sudoUser: thomas
            sudoHost: ALL
            sudoRunAs: ALL
            sudoCommand: ALL


            Add sudoers_base in ldap.conf for client.



            sudoers_base ou=sudoers,ou=people,dc=example,dc=com


            & Edit /etc/nsswitch.conf like below



            sudoers : files ldap





            share|improve this answer


























            • Do you have any reference we can rely on to understand that configuration?

              – Dimitri Kopriwa
              Sep 7 '18 at 20:05














            2












            2








            2







            Add sudo entry like below



            dn: ou=sudoers,ou=people,dc=example,dc=com
            ou: sudoers
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
            objectClass: top
            objectClass: sudoRole
            cn: sudogroup
            sudoUser: thomas
            sudoHost: ALL
            sudoRunAs: ALL
            sudoCommand: ALL


            Add sudoers_base in ldap.conf for client.



            sudoers_base ou=sudoers,ou=people,dc=example,dc=com


            & Edit /etc/nsswitch.conf like below



            sudoers : files ldap





            share|improve this answer















            Add sudo entry like below



            dn: ou=sudoers,ou=people,dc=example,dc=com
            ou: sudoers
            objectClass: top
            objectClass: organizationalUnit

            dn: cn=sudogroup,ou=sudoers,ou=people,dc=example,dc=com
            objectClass: top
            objectClass: sudoRole
            cn: sudogroup
            sudoUser: thomas
            sudoHost: ALL
            sudoRunAs: ALL
            sudoCommand: ALL


            Add sudoers_base in ldap.conf for client.



            sudoers_base ou=sudoers,ou=people,dc=example,dc=com


            & Edit /etc/nsswitch.conf like below



            sudoers : files ldap






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 7 '12 at 18:58

























            answered Jan 17 '12 at 2:07









            atolaniatolani

            1743




            1743













            • Do you have any reference we can rely on to understand that configuration?

              – Dimitri Kopriwa
              Sep 7 '18 at 20:05



















            • Do you have any reference we can rely on to understand that configuration?

              – Dimitri Kopriwa
              Sep 7 '18 at 20:05

















            Do you have any reference we can rely on to understand that configuration?

            – Dimitri Kopriwa
            Sep 7 '18 at 20:05





            Do you have any reference we can rely on to understand that configuration?

            – Dimitri Kopriwa
            Sep 7 '18 at 20:05











            0














            These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.




            1. Make sure sudo is built with LDAP support. (see README.LDAP or this)

            2. Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).

            3. Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.


            4. Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:



              dn: ou=SUDOers,dc=example,dc=com
              objectClass: top
              objectClass: organizationalUnit
              ou: SUDOers



            5. Convert the existing sudoers file to LDIF format with cvtsudoers add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.


            6. Creat (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different than your LDAP implementation, so the same information may need to be provided twice.

            7. Edit sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see sudoers.ldap manual). If caching w/ SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd sssd-sudo.socket must be enabled (see manual page for SSSD-SUDO))






            share|improve this answer




























              0














              These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.




              1. Make sure sudo is built with LDAP support. (see README.LDAP or this)

              2. Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).

              3. Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.


              4. Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:



                dn: ou=SUDOers,dc=example,dc=com
                objectClass: top
                objectClass: organizationalUnit
                ou: SUDOers



              5. Convert the existing sudoers file to LDIF format with cvtsudoers add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.


              6. Creat (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different than your LDAP implementation, so the same information may need to be provided twice.

              7. Edit sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see sudoers.ldap manual). If caching w/ SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd sssd-sudo.socket must be enabled (see manual page for SSSD-SUDO))






              share|improve this answer


























                0












                0








                0







                These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.




                1. Make sure sudo is built with LDAP support. (see README.LDAP or this)

                2. Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).

                3. Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.


                4. Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:



                  dn: ou=SUDOers,dc=example,dc=com
                  objectClass: top
                  objectClass: organizationalUnit
                  ou: SUDOers



                5. Convert the existing sudoers file to LDIF format with cvtsudoers add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.


                6. Creat (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different than your LDAP implementation, so the same information may need to be provided twice.

                7. Edit sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see sudoers.ldap manual). If caching w/ SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd sssd-sudo.socket must be enabled (see manual page for SSSD-SUDO))






                share|improve this answer













                These instructions assume you're using OpenLDAP. Some details may be specific to Arch Linux.




                1. Make sure sudo is built with LDAP support. (see README.LDAP or this)

                2. Add the sudo schema to the LDAP server by editing slapd.conf to add include /etc/openldap/schema/sudo.schema. Note that this file must be copied from /usr/share/doc/sudo/schema.OpenLDAP (see README.LDAP).

                3. Per README.LDAP, direct the LDAP server to index the attribute sudoUser by adding the line index sudoUser eq to slapd.conf, and restart the LDAP server.


                4. Add the ou=SUDOers container to the database. This can be done by passing in the following via ldapadd:



                  dn: ou=SUDOers,dc=example,dc=com
                  objectClass: top
                  objectClass: organizationalUnit
                  ou: SUDOers



                5. Convert the existing sudoers file to LDIF format with cvtsudoers add it to the database with ldapadd (see README.LDAP). The configuration could, of course, be generated from scratch instead.


                6. Creat (or edit) ldap.conf (/etc/openldap/ldap.conf on Arch) on the client to add sudoers_base ou=SUDOers,dc=example,dc=com to make sudo LDAP-aware (see sudoers.ldap). Depending on your LDAP configuration, it may be necessary to set various LDAP options as well; sudo's syntax for setting options may be different than your LDAP implementation, so the same information may need to be provided twice.

                7. Edit sudoers service in nsswitch.conf to be sudoers: files ldap, or to sudoers: files sss if caching with SSSD (see sudoers.ldap manual). If caching w/ SSSD, the necessary entries will need to be added to sssd.conf (and on systems running systemd sssd-sudo.socket must be enabled (see manual page for SSSD-SUDO))







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Feb 3 at 0:22









                eponymouseponymous

                284




                284






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f219077%2fhow-to-use-ldap-to-store-sudoer-information%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Сан-Квентин

                    8-я гвардейская общевойсковая армия

                    Алькесар