Root control
© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
To get LDAP support for sudo, first make sure your sudo binary supports LDAP. A simple test is to run:
strings `which sudo` | grep ldap
From the output one can read whether sudo supports LDAP and which configuration file it reads. We suggest using one single /etc/ldap.conf file and symlinking the configuration file name found in the output to it.
If your installed sudo version does not provide LDAP support, see if there is a package called sudo-ldap.
The remainder of this document will use /etc/ldap.conf for the SUDOers LDAP configuration file and sudoers for the package name that provides sudo with LDAP support.
Add to ou=apps an ou=SUDOers.
dn: ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: SUDOers container
Add the sudoers.schema file to the schema directory of OpenLDAP. The file can be found in the documentation directory of sudoers (/usr/share/doc/sudoers). Include the file in your slapd.conf and add an indexing line like this:
index sudoUser eq
Stop the server, recreate the indexes and start the server again.
The sudoers package contains a Perl script called sudoers2ldif; it is provided in the /usr/share/doc/sudoers/ directory.
Set the sudoers base environment variable:
SUDOERS_BASE="ou=SUDOers,ou=apps,dc=example,dc=com"
export SUDOERS_BASE
Make the script executable and run:
/usr/share/doc/sudoers/sudoers2ldif /etc/sudoers > /root/sudoers.ldif
The created file can be imported directly into your LDAP tree. An entry from it looks like this:
dn: cn=lighttpd_ban-ip_show,ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: lighttpd_ban-ip_show
description: sudo rule to give lighttpd access to ban-ip.sh
sudoUser: lighttpd
sudoRunAsUser: root
sudoOption: !authenticate
sudoHost: ban-ip.example.com
sudoCommand: /var/www/lighttpd/sbin/ban-ip.sh show
The !authenticate option acts the same as NOPASSWD from the sudoers file. The other sudoers tags map to sudoOption values as follows:
NOPASSWD:      !authenticate
PASSWD:        authenticate
NOEXEC:        noexec
EXEC:          !noexec
SETENV:        setenv
NOSETENV:      !setenv
LOG_INPUT:     log_input
NOLOG_INPUT:   !log_input
LOG_OUTPUT:    log_output
NOLOG_OUTPUT:  !log_output
Further sudoOption values, which correspond to Defaults settings in the sudoers file, for example:
sudoOption: !requiretty
sudoOption: !root_sudo
sudoOption: !set_logname
sudoOption: syslog=local2
sudoOption: runas_default=adm
sudoOption: ignore_local_sudoers
sudoOption: always_set_home
sudoOption: passprompt=Your password:
sudoOption: mail_no_perms
sudoOption: mail_no_host
sudoOption: mail_no_user
sudoOption: mailto=root at domain.com
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: targetpw
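As an added example (not the sudoers2ldif script that ships with sudo, and not code from this page), the following Python script applies the tag-to-sudoOption mapping above to a sudoers rule and renders it as sudoRole LDIF under the ou=SUDOers container used on this page. It assumes single-line rules without aliases or continuations; the sample rule at the bottom is constructed after the lighttpd entry. It also handles a detail the one-to-one table does not show: sudoers tags are sticky across the rest of a command list, while a sudoOption applies to the whole sudoRole, so commands with different tag sets have to be split into separate roles.

```python
"""Render sudoers rules as LDIF sudoRole entries.

Added example, not the sudoers2ldif script shipped with sudo. It accepts one
rule per call, in the form
    user  host = (runas_user[:runas_group]) [TAG:] command[, [TAG:] command]
(no aliases, no line continuations) and uses the tag-to-sudoOption mapping
listed above.
"""
import re

# Same container as the rest of this page.
SUDOERS_BASE = "ou=SUDOers,ou=apps,dc=example,dc=com"

# sudoers tag -> sudoOption value, as listed above
TAG_TO_OPTION = {
    "NOPASSWD": "!authenticate", "PASSWD": "authenticate",
    "NOEXEC": "noexec",          "EXEC": "!noexec",
    "SETENV": "setenv",          "NOSETENV": "!setenv",
    "LOG_INPUT": "log_input",    "NOLOG_INPUT": "!log_input",
    "LOG_OUTPUT": "log_output",  "NOLOG_OUTPUT": "!log_output",
}
# An option and its negation occupy one slot, so a later PASSWD: replaces
# an earlier !authenticate instead of adding a second, contradicting value.
OPTION_SLOT = {v: v.lstrip("!") for v in TAG_TO_OPTION.values()}

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")


def parse_rule(line):
    """Split a sudoers line into (user, host, runas, commands), where commands
    is a list of (frozenset of sudoOption values, command). Tags are sticky
    in sudoers: once set on a command they stay in force for the rest of
    the command list until overridden."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    user, host, runas, cmdlist = m.groups()
    active = {}   # slot -> sudoOption value currently in force
    commands = []
    for cmd in cmdlist.split(","):
        cmd = cmd.strip()
        while True:   # peel off "TAG: TAG: command" prefixes
            t = TAG_RE.match(cmd)
            if not t or t.group(1) not in TAG_TO_OPTION:
                break
            opt = TAG_TO_OPTION[t.group(1)]
            active[OPTION_SLOT[opt]] = opt
            cmd = t.group(2)
        commands.append((frozenset(active.values()), cmd))
    return user, host, runas or "root", commands


def rule_to_ldif(line, base=SUDOERS_BASE):
    """Return LDIF text for one sudoers line. A sudoOption applies to every
    sudoCommand of its sudoRole, so commands carrying different tag sets
    are emitted as separate roles, with cn suffixed _1, _2, ..."""
    user, host, runas, commands = parse_rule(line)
    runas_user, _, runas_group = runas.partition(":")
    groups = {}   # option set -> commands, in first-seen order
    for opts, cmd in commands:
        groups.setdefault(opts, []).append(cmd)
    entries = []
    for n, (opts, cmds) in enumerate(groups.items(), 1):
        cn = user if len(groups) == 1 else "%s_%d" % (user, n)
        attrs = [
            "dn: cn=%s,%s" % (cn, base),
            "objectClass: top",
            "objectClass: sudoRole",
            "cn: " + cn,
            "sudoUser: " + user,
            "sudoHost: " + host,
        ]
        if runas_user:
            attrs.append("sudoRunAsUser: " + runas_user)
        if runas_group:
            attrs.append("sudoRunAsGroup: " + runas_group)
        attrs += ["sudoCommand: " + c for c in cmds]
        attrs += ["sudoOption: " + o for o in sorted(opts)]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample rule, modelled on the lighttpd entry above.
    print(rule_to_ldif("lighttpd ban-ip.example.com = (root) NOPASSWD: "
                       "/var/www/lighttpd/sbin/ban-ip.sh show"))
```

Pipe the output into ldapadd against your server, or diff it against what sudoers2ldif produced for the same line; a rule such as "ops ALL = /bin/a, NOPASSWD: /bin/b" comes out as two roles, because /bin/a still requires a password while /bin/b does not.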
On your servers, and other clients, add to the existing /etc/ldap.conf (if you are on a Red Hat based system, create a symlink from /etc/ldap.conf to /etc/sudo-ldap.conf):
SUDOERS_BASE ou=SUDOers,ou=apps,dc=example,dc=com
# SUDOERS_SEARCH_FILTER
SUDOERS_TIMED no
SUDOERS_DEBUG 0
Adjust to your liking.
Now we need to tell sudo to actually use LDAP by changing /etc/nsswitch.conf. We need to add or change the line for sudoers to read like this:
sudoers: ldap files
Move your /etc/sudoers file out of the way and test whether everything still works.
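The added check below (example code, not from this page or the sudo project) reads a sudoers LDIF file, the client /etc/ldap.conf and /etc/nsswitch.conf, all passed in as text, and reports sudoRole entries whose DN lies outside the configured SUDOERS_BASE (sudo's LDAP search never returns them, which is exactly the kind of problem that shows up only once /etc/sudoers has been moved out of the way), a sudoers line in nsswitch.conf that does not list ldap, and roles that combine !authenticate with sudoCommand ALL. The three sample files are constructed; the second LDIF entry deliberately sits under ou=services instead of ou=apps. The LDIF reader assumes unfolded lines and no base64 (::) values.

```python
"""Consistency check between sudoers LDIF, /etc/ldap.conf and /etc/nsswitch.conf.

Added example. It mirrors the settings used on this page (SUDOERS_BASE in
ldap.conf, "sudoers: ldap files" in nsswitch.conf) and the sudoRole entries
that sudoers2ldif produces. All inputs are plain text so it runs offline.
"""
import re

# Constructed sample files, modelled on the snippets on this page.
SAMPLE_LDAP_CONF = """\
uri ldap://ldap.example.com
SUDOERS_BASE ou=SUDOers,ou=apps,dc=example,dc=com
# SUDOERS_SEARCH_FILTER
SUDOERS_TIMED no
SUDOERS_DEBUG 0
"""

SAMPLE_NSSWITCH = """\
passwd:  files ldap
group:   files ldap
sudoers: ldap files
"""

SAMPLE_LDIF = """\
dn: cn=lighttpd_ban-ip_show,ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: lighttpd_ban-ip_show
sudoUser: lighttpd
sudoRunAsUser: root
sudoOption: !authenticate
sudoHost: ban-ip.example.com
sudoCommand: /var/www/lighttpd/sbin/ban-ip.sh show

dn: cn=ops,ou=SUDOers,ou=services,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ops
sudoUser: %ops
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: ALL
"""


def conf_value(text, key):
    """Value of KEY in ldap.conf text; keys are case-insensitive, '#' comments."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0].lower() == key.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def nss_sources(text, database):
    """Source list ("ldap files") for one nsswitch.conf database."""
    for raw in text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute name -> list of values.
    Assumes unfolded lines and no base64 (::) values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries


def _norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def check(ldif_text, ldap_conf_text, nsswitch_text):
    """Return a list of findings (empty when everything lines up)."""
    findings = []
    sources = nss_sources(nsswitch_text, "sudoers")
    if "ldap" not in sources:
        findings.append("nsswitch.conf: sudoers line does not list ldap (found %r)" % sources)
    base = conf_value(ldap_conf_text, "sudoers_base")
    if base is None:
        findings.append("ldap.conf: no SUDOERS_BASE set")
        return findings
    base = _norm_dn(base)
    for e in parse_ldif(ldif_text):
        if "sudorole" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        dn = e.get("dn", [""])[0]
        if not _norm_dn(dn).endswith("," + base):
            findings.append("%s: outside SUDOERS_BASE %s, sudo will never see it" % (dn, base))
        if "!authenticate" in e.get("sudooption", []) and "ALL" in e.get("sudocommand", []):
            findings.append("%s: passwordless (!authenticate) role for ALL commands" % dn)
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_LDIF, SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH):
        print(finding)
```

Run it against the real files (open() them and pass the text) after importing the LDIF and before removing /etc/sudoers; an empty result means every role is under the base sudo will search and nsswitch will actually consult LDAP.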
For more information see: