SUDOers from OpenLDAP

Root control

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Introduction
    2. Prepare your LDAP server
    3. Convert your current sudoers file
      1. Example and options
    4. Make sudo use LDAP
    5. Test
    6. Additional information

Introduction

To use LDAP with sudo, first make sure your sudo binary was built with LDAP support. A simple test is to run:

strings `which sudo` | grep ldap

From the output one can read whether sudo supports LDAP and which configuration file it reads. We suggest using one single /etc/ldap.conf file and symlinking the configuration file name found in the output to it.

If your installed sudo version does not provide LDAP support see if there is a package called sudo-ldap.

The remainder of this document will use /etc/ldap.conf for the SUDOers LDAP configuration file and sudoers for the package name that provides sudo with LDAP support.

Prepare your LDAP server

Add an ou=SUDOers entry under ou=apps:

dn: ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: SUDOers container

Add the sudoers.schema file to the schema directory of OpenLDAP. The file can be found in the documentation directory of sudoers (/usr/share/doc/sudoers). Include the file in your slapd.conf and add an indexing line like this:

index	sudoUser	eq

Stop the server, recreate the indexes and start the server again.

Convert your current sudoers file

The sudoers package contains a Perl script called sudoers2ldif; it is provided in the /usr/share/doc/sudoers/ directory.

Set the sudoers base environment variable:

SUDOERS_BASE="ou=SUDOers,ou=apps,dc=example,dc=com"
export SUDOERS_BASE

Make the script executable and run:

/usr/share/doc/sudoers/sudoers2ldif /etc/sudoers > /root/sudoers.ldif

The resulting file can be imported directly into your LDAP tree.

Example and options

dn: cn=lighttpd_ban-ip_show,ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: lighttpd_ban-ip_show
description: sudo rule to give lighttpd access to ban-ip.sh
sudoUser: lighttpd
sudoRunAsUser: root
sudoOption: !authenticate
sudoHost: ban-ip.example.com
sudoCommand: /var/www/lighttpd/sbin/ban-ip.sh show

The !authenticate option acts the same as NOPASSWD from the sudoers file. Other options:

NOPASSWD:     !authenticate
PASSWD:       authenticate
NOEXEC:       noexec
EXEC:         !noexec
SETENV:       setenv
NOSETENV:     !setenv
LOG_INPUT:    log_input
NOLOG_INPUT:  !log_input
LOG_OUTPUT:   log_output
NOLOG_OUTPUT: !log_output

sudoOption: !requiretty
sudoOption: !root_sudo
sudoOption: !set_logname
sudoOption: syslog=local2
sudoOption: runas_default=adm
sudoOption: ignore_local_sudoers
sudoOption: always_set_home
sudoOption: passprompt=Your password:
sudoOption: mail_no_perms
sudoOption: mail_no_host
sudoOption: mail_no_user
sudoOption: mailto=root at domain.com
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE
  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
  LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS
  XDG_SESSION_COOKIE"
sudoOption: targetpw
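Before importing the converted file (and certainly before moving /etc/sudoers aside), it pays to audit the generated sudoRole entries: their DNs must sit under SUDOERS_BASE or sudo will never find them, and any rule that combines !authenticate with sudoCommand ALL deserves a second look. The following is an added example, not part of this document or the sudo project; the sample LDIF and the function names are constructed for illustration, and the parser handles LDIF folded lines (a continuation line starts with one space) but not base64 (::) values.

```python
# Constructed sample in the shape sudoers2ldif emits (not taken from the document).
SAMPLE_LDIF = """\
dn: cn=lighttpd_ban-ip_show,ou=SUDOers,ou=apps,dc=example,dc=com
objectClass: sudoRole
cn: lighttpd_ban-ip_show
sudoUser: lighttpd
sudoOption: !authenticate
sudoOption: env_keep = "LANG LC_ALL
  LANGUAGE"
sudoHost: ban-ip.example.com
sudoCommand: /var/www/lighttpd/sbin/ban-ip.sh show

dn: cn=admins,ou=SUDOers,ou=services,dc=example,dc=com
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""

def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts; a line starting with one space continues the previous value."""
    entries, current, last_key = [], {}, ""
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith(" ") and last_key:      # LDIF folded line: drop the fold marker, append the rest
            current[last_key][-1] += line[1:]
        elif line.strip():                         # "attr: value" (first colon only; no base64 handling)
            last_key, _, value = line.partition(":")
            current.setdefault(last_key, []).append(value.strip())
        elif current:                              # blank line ends an entry
            entries.append(current)
            current, last_key = {}, ""
    return entries

def audit_roles(entries, base):
    """Findings to review before /etc/sudoers is moved aside; base is the SUDOERS_BASE DN."""
    findings = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        cn = e.get("cn", ["?"])[0]
        if not e["dn"][0].lower().endswith("," + base.lower()):
            findings.append(f"{cn}: DN is outside SUDOERS_BASE, sudo will never find it")
        for attr in ("sudoUser", "sudoHost", "sudoCommand"):
            if attr not in e:
                findings.append(f"{cn}: missing {attr}")
        if "!authenticate" in e.get("sudoOption", []) and "ALL" in e.get("sudoCommand", []):
            findings.append(f"{cn}: NOPASSWD (!authenticate) combined with sudoCommand ALL")
    return findings
```

Run audit_roles(parse_ldif(open("/root/sudoers.ldif").read()), "ou=SUDOers,ou=apps,dc=example,dc=com") against the file produced by sudoers2ldif; an empty list means every role is reachable and none grants passwordless ALL.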

Make sudo use LDAP

On your servers and other clients, add the following to the existing /etc/ldap.conf (if you are on a Red Hat based system, create a symlink from /etc/ldap.conf to /etc/sudo-ldap.conf):

SUDOERS_BASE ou=SUDOers,ou=apps,dc=example,dc=com
# SUDOERS_SEARCH_FILTER
SUDOERS_TIMED no
SUDOERS_DEBUG 0

Adjust to your liking.

Now we need to tell sudo to actually use LDAP by changing /etc/nsswitch.conf. We need to add or change the line for sudoers to read like this:

sudoers: ldap files

Test

Move your /etc/sudoers file out of the way and test whether everything still works.

Additional information

For more information see: