[Fedora-directory-users] Sudo and Ldap

Kashif Ali snake007uk at gmail.com
Tue Sep 9 21:42:06 UTC 2008


I believe in CentOS 5.x and Red Hat they have LDAP support built in:

http://kbase.redhat.com/faq/FAQ_80_12975.shtm

I am not sure how to include the LDIF file in the directory server, and also
once it's included how to manage the sudoers?

Let me give you some more background on the environment:

we have the following environments:

Production
Staging
Test
Load Testing
Development

Each of the environments has a varying number of servers, ranging from 30 and
going up to 150+.

We have three main categories of users:

Linuxops = Linux sysadmins
SuperUsers = Developers who have sudo rights (ALL) on the dev/load test
environments, but only for the less, cat and more commands on the
Test/Staging/Production environments (this is mainly for log and config file
viewing).
Dev = Developers who have full sudo rights on development and only access the
development environment


I am restricting access to each environment via the sshd_config AllowGroups
option. I have the following groups:

linuxops
prodlogs
staginglog
testlogs
ltlogs
dev

What I would need is for someone to configure LDAP with sudo, so that if you
were in the correct groups you could log in to whichever environment and have
the correct privileges.

The problem I will have is with superusers. They would be members of the dev
group (so have all rights on the dev env) but then I would be added to prodlogs
etc... so they have restricted sudo on prod. However, since there would only
be one sudo file in LDAP, sshd would let them log on to a production server via
the prodlogs group, and sudo would find the dev group and give them full
rights!!!!

I would appreciate any advice in configuring this setup. Currently I have
written a wiki to cover the installation of CentOS/Fedora DS and configuring
it for central authentication with shared home directories; this would be
the final icing on the cake if I could get it working.

Please have a look at the following link to get an idea of what I have done
to get LDAP up and running:

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server


What I really need help with is sudo under LDAP in the above scenario. I
hope I have given enough information; if you require more information please
just say and I will provide it ASAP.

Regards

Kashif



2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>

> This is how I've always done it:
>
> I usually just pull the src.rpm and add ldap in the .spec file,
> recompile then I can add it to standard build image / kickstart
>
> Then add something like:
> sudoers_base   ou=SUDOers,dc=example,dc=com
>
> to /etc/ldap.conf and that should be it
>
>
> Cheers,
>
> Malcolm
>
> On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
> > when you say add sudo base? are you talking about ldif file?
> >
> > Is there no way to continue to use the original ldif file?
> >
> >
> > 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
> >         Redhat sudo doesn't support ldap, recompile it with ldap
> >         support and add
> >         the sudoers base to /etc/ldap.conf and it should work then,
> >         annoying!
> >
> >         Cheers
> >
> >         Malcolm
> >
> >
> >         On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> >         > Hello all,
> >         >
> >         > I have successfully set up FDS on CentOS 5.2, and managed to get users
> >         > signing on without any issues. However, if I edit the sudoers file to
> >         > allow a group on LDAP to use sudo, the sudo command does not see the
> >         > members of the group, or I think the group itself?
> >         >
> >         > I have no idea why this is:
> >         >
> >         > If I run the command 'id' as the given user you can clearly see the
> >         > group memberships; however, if I do: getent group linuxops I see:
> >         >
> >         > linuxops:*:6000:
> >         >
> >         > with no members??? However, sshd AllowGroups works? I have configured
> >         > sshd to only allow members of the linuxops group to log in and this
> >         > works fine, so my question is why is sudo behaving differently?
> >         >
> >
> >         > --
> >         > Fedora-directory-users mailing list
> >         > Fedora-directory-users at redhat.com
> >         >
> >         https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> >
>
>
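The failure mode Kashif describes (one SUDOers tree, so a dev group member who is also in prodlogs gets sudo ALL on a production host) and the per-host scoping that prevents it, as an added example that is not part of this thread and is not sudo's own code. The block is a small Python model of how sudo's LDAP backend matches sudoRole entries: it parses constructed LDIF under the ou=SUDOers,dc=example,dc=com base Malcolm mentioned, using Kashif's dev and prodlogs groups, and answers "may this user, with these groups, run this command on this host?". The hostnames, the host patterns, the user alice and the exact command paths are assumptions; netgroups (the +name form sudo also accepts in sudoHost), sudoOption, negation and command arguments are left out of the model.

```python
# Toy model of sudo's LDAP sudoRole matching.  Constructed for this thread;
# it is neither sudo's code nor the poster's configuration.  Modelled:
# sudoUser ("ALL", "%group", login name), sudoHost ("ALL" or a shell-style
# host pattern) and sudoCommand ("ALL" or a full path).  Netgroups,
# sudoOption, "!" negation and command arguments are deliberately omitted.
from fnmatch import fnmatchcase

# Constructed LDIF for the single SUDOers tree described in the thread.
# Both roles say sudoHost: ALL, so a dev group member keeps sudoCommand: ALL
# on every host, production included.
UNSCOPED_LDIF = """\
dn: cn=dev,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dev
sudoUser: %dev
sudoHost: ALL
sudoCommand: ALL

dn: cn=prodlogs,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prodlogs
sudoUser: %prodlogs
sudoHost: ALL
sudoCommand: /usr/bin/less
sudoCommand: /bin/cat
sudoCommand: /bin/more
"""

# The same two roles, each pinned to its environment with a sudoHost pattern
# (the hostnames are constructed for this example).
SCOPED_LDIF = UNSCOPED_LDIF.replace(
    "sudoUser: %dev\nsudoHost: ALL", "sudoUser: %dev\nsudoHost: dev*.example.com"
).replace(
    "sudoUser: %prodlogs\nsudoHost: ALL", "sudoUser: %prodlogs\nsudoHost: prod*.example.com"
)


def parse_ldif(text):
    """Split LDIF into entries (attribute -> list of values); keep the sudoRoles."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:  # LDIF continuation line
            current[last][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line or line.startswith("#"):  # a blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, _, value = line.partition(":")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(values, user, groups):
    """sudoUser: ALL, %group (groups as the client itself resolves them) or a login."""
    return any(v == "ALL" or (v.startswith("%") and v[1:] in groups) or v == user
               for v in values)


def host_matches(values, host):
    """sudoHost: ALL or a wildcard pattern.  A role with no sudoHost matches nothing."""
    return any(v == "ALL" or fnmatchcase(host, v) for v in values)


def command_matches(values, command):
    """sudoCommand: ALL or an exact path (arguments are not modelled)."""
    return any(v == "ALL" or v == command for v in values)


def can_run(ldif_text, user, groups, host, command):
    """True if any sudoRole lets `user` (a member of `groups`) run `command` on `host`."""
    return any(
        user_matches(role.get("sudoUser", []), user, groups)
        and host_matches(role.get("sudoHost", []), host)
        and command_matches(role.get("sudoCommand", []), command)
        for role in parse_ldif(ldif_text)
    )


if __name__ == "__main__":
    # A "superuser" from the thread: in both dev and prodlogs, logging in to prod.
    groups = {"dev", "prodlogs"}
    checks = [("prod01.example.com", "/bin/bash"),
              ("prod01.example.com", "/usr/bin/less"),
              ("dev01.example.com", "/bin/bash")]
    for label, ldif in (("unscoped", UNSCOPED_LDIF), ("scoped", SCOPED_LDIF)):
        for host, cmd in checks:
            print(f"{label:8} {host:19} {cmd:13} allowed={can_run(ldif, 'alice', groups, host, cmd)}")
```

Running it shows the unscoped tree granting /bin/bash to alice on prod01 through the dev role, while the scoped tree grants her only the three log-viewing commands there and keeps ALL on dev01. Two points the model makes visible: the decision depends on which host the role names, not on which group sshd used to admit the login, so sudoHost (or a host netgroup per environment) is what separates dev rights from prod rights; and the %group test is evaluated against the group list the client resolves for the user, which is why the empty `getent group linuxops` result from the first message matters for sudo even though sshd's AllowGroups was satisfied.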