Sudo in CentOS Directory Server

Sudoers in LDAP

SUDO

After spending a few hours trying to get the sudoers file to work with LDAP (the sudoers file doesn't seem to like LDAP groups), I have now successfully moved the sudoers file into the directory server. This means you can manage your sudoers file centrally from one location.

If you have set up your directory server following my instructions on the Fedora Directory Server wiki page, you just need to do the following to have sudoers up and running inside your directory server.

Create a file called 76sudo.ldif (copy and paste the schema given below). This is the original sudo LDAP schema with the five attributes sudoUser, sudoHost, sudoCommand, sudoRunAs and sudoOption; newer sudo releases ship an extended version of this file (schema.iPlanet in sudo's documentation directory, which adds sudoRunAsUser, sudoRunAsGroup, sudoOrder, sudoNotBefore and sudoNotAfter). If your sudo version supports those attributes, use the file shipped with it instead.

#
################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.1
  NAME 'sudoUser'
  DESC 'User(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.2
  NAME 'sudoHost'
  DESC 'Host(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.3
  NAME 'sudoCommand'
  DESC 'Command(s) to be executed by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.4
  NAME 'sudoRunAs'
  DESC 'User(s) impersonated by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.5
  NAME 'sudoOption'
  DESC 'Options(s) followed by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
################################################################################
#
objectClasses: (
  1.3.6.1.4.1.15953.9.2.1
  NAME 'sudoRole'
  DESC 'Sudoer Entries'
  SUP top
  STRUCTURAL
  MUST ( cn )
  MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description )
  )
#
################################################################################
#

Place the file in the schema directory of your instance (the numeric prefix makes the server load it before 99user.ldif, which the server rewrites itself):

/etc/dirsrv/slapd-(hostname)/schema/

You now need to restart the directory server (I normally restart both the directory server and the admin console):

/etc/init.d/dirsrv restart
/etc/init.d/dirsrv-admin restart

Then create the container that will hold the roles:

dn: ou=SUDOers,dc=unixcraft,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

You do not need to create the above OU via an LDIF file and import it from the command line; you can do this via the GUI: right-click on your root and select New Organizational Unit. All you need to do is give it the name, everything else is already there.

Now right-click on your new OU (SUDOers), select New --> Other and choose the object class sudoRole. Click Advanced and give the role a name (this becomes the cn). Then select a value in the Object class section, click Add Attribute and pick the attributes you need (you can select several at one go by holding Ctrl): sudoUser, sudoHost and sudoCommand at minimum. Click OK and you're done. Always give a role a sudoHost value (ALL, or the host names it applies to): sudo does not match a role that has no sudoHost attribute, and a role that silently never applies is the most common mistake here. In sudoUser, a plain name matches a user and a name prefixed with % matches any group the client resolves for that user, which is how you grant a role to an LDAP group. Note that the schema above declares the attributes with caseExactIA5Match, so user, group and host names are matched case-sensitively.

On each client machine you need to edit the ldap.conf that sudo reads (/etc/ldap.conf on CentOS 5; on newer releases sudo has its own /etc/sudo-ldap.conf, and sudo 1.7 and later additionally need a "sudoers: files ldap" line in /etc/nsswitch.conf before they consult LDAP at all). Place the following at the bottom of the config:

sudoers_base   ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2

Change sudoers_base to the DN of the SUDOers OU you created above. Make sure this entry is present, otherwise sudo will ignore your LDAP setup entirely. Uncomment sudoers_debug to see the search sudo sends to the directory server; this should help you resolve any issues. Because the roles the server returns decide who gets root, the client should talk to the server over TLS (ssl on with an ldaps:// uri, or ssl start_tls, together with tls_checkpeer yes and a tls_cacertfile) and bind with a read-only account or anonymously; do not leave this on a plain, unverified connection.
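The whole procedure from the OU onwards, as an added shell example that is not from the original page: it generates the LDIF that the GUI steps above produce (the container plus one sudoRole), the client-side ldap.conf fragment, and the search filter sudo sends when it looks a user up, and wraps ldapadd and ldapsearch to load and verify them. The suffix dc=unixcraft,dc=com comes from the page; the host ds.unixcraft.com, the bind DN, the CA file path and the role named admins for user alice and group wheel are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: build the SUDOers
# container and a sudoRole as LDIF, the matching client ldap.conf
# fragment, and the filter sudo uses to find a user's roles.
# Assumed placeholders: ds.unixcraft.com, "cn=Directory Manager",
# /etc/openldap/cacerts/ca.crt, and the admins/alice/wheel role.

SUDOERS_BASE="ou=SUDOers,dc=unixcraft,dc=com"
LDAP_URI="ldaps://ds.unixcraft.com"
BIND_DN="cn=Directory Manager"
CA_FILE="/etc/openldap/cacerts/ca.crt"

# Print one "attr: value" line per '|'-separated value (values may contain spaces).
emit_multi() {
    attr=$1
    old_ifs=$IFS
    IFS='|'
    for v in $2; do
        printf '%s: %s\n' "$attr" "$v"
    done
    IFS=$old_ifs
}

# LDIF for the container that sudoers_base points at.
sudoers_ou_ldif() {
    printf 'dn: %s\n' "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: organizationalUnit\nou: SUDOers\n'
}

# LDIF for one sudoRole.  Args: cn, users, hosts, commands [, runas].
# Lists are '|'-separated.  sudoHost is not optional: a role without it
# never matches, which is the usual reason a freshly added rule does nothing.
sudo_role_ldif() {
    printf 'dn: cn=%s,%s\n' "$1" "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\ncn: %s\n' "$1"
    emit_multi sudoUser    "$2"
    emit_multi sudoHost    "$3"
    emit_multi sudoCommand "$4"
    printf 'sudoRunAs: %s\n' "${5:-root}"
}

# The filter sudo builds for a user: the login name, each of the user's
# groups prefixed with %, and the catch-all ALL.  Args: user, groups...
sudo_user_filter() {
    user=$1
    shift
    f="(sudoUser=$user)"
    for g in "$@"; do
        f="$f(sudoUser=%$g)"
    done
    printf '(&(objectClass=sudoRole)(|%s(sudoUser=ALL)))' "$f"
}

# Client-side ldap.conf fragment.  The roles are an authorization
# decision, so the connection is TLS-protected and the server
# certificate is verified; otherwise anything on the path could hand
# sudo a role granting ALL.
client_ldap_conf() {
    cat <<EOF
uri ${LDAP_URI}
ssl on
tls_checkpeer yes
tls_cacertfile ${CA_FILE}
sudoers_base ${SUDOERS_BASE}
# sudoers_debug 2
EOF
}

# Load the container and one role into the directory (prompts for the password).
load_sudoers() {
    { sudoers_ou_ldif; echo; sudo_role_ldif "$@"; } |
        ldapadd -x -H "$LDAP_URI" -D "$BIND_DN" -W
}

# Run the same search a client would, to debug a role that does not apply.
# Assumes the SUDOers subtree is readable anonymously, as on a default instance.
check_user() {
    ldapsearch -x -H "$LDAP_URI" -b "$SUDOERS_BASE" "$(sudo_user_filter "$@")"
}

# Show what would be loaded for an "admins" role: the user alice and the
# members of the group wheel may run any command on any host as root.
sudoers_ou_ldif
echo
sudo_role_ldif admins 'alice|%wheel' ALL ALL
echo
client_ldap_conf
```

Run it as a script to print what it would load; call load_sudoers admins 'alice|%wheel' ALL ALL to add the role, and check_user alice wheel to see which roles a client would receive for alice. The filter it builds corresponds to what sudoers_debug 2 prints on the client, so comparing the two is the quickest way to find a role that was saved without a sudoHost or with a differently cased name in sudoUser.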

That's all that is needed to have sudo working from LDAP.
