[Fedora-directory-users] Sudo and Ldap

Kashif Ali snake007uk at gmail.com
Wed Sep 10 06:17:45 UTC 2008


I have a quick workaround currently: what you can do is create a local
group and add the LDAP user to the local group. Sudo will accept the group,
including its users.

Sudo will also accept a list of users from LDAP; it just doesn't acknowledge
members of groups in FDS?



2008/9/9 Kashif Ali <snake007uk at gmail.com>

> I believe in CentOS 5.x and Red Hat they have LDAP support built in:
>
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
>
> I am not sure how to include the ldif file in the directory server, and also
> once it's included how to manage the sudoers?
>
> Let me give you some more background on the environment:
>
> we have the following environments:
>
> Production
> Staging
> Test
> Load Testing
> Development
>
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
>
> We have three main categories of users:
>
> Linuxops = Linux sysadmins
> SuperUsers = Developers who have sudo rights (ALL) on dev/load test
> environments, but only for the less, cat and more commands on the
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access
> the development environment
>
>
> I am restricting access to each environment via the sshd_config AllowGroups
> variable. I have the following groups:
>
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
>
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you could log in to whichever environment and have
> the correct privileges.
>
> The problem I will have is with superusers. They would be members of the
> dev group (so have all rights on the dev env) but then they would be added to
> prodlogs etc... so they have restricted sudo on prod. However, since there
> would only be one sudo file in LDAP, sshd would let them log on to a production
> server via the prodlogs group, and sudo would find the dev group and give them
> full rights!!!!
>
> I would appreciate any advice on configuring this setup. Currently I have
> written a wiki to cover the installation of CentOS/Fedora DS and configuring
> it for central authentication with shared home directories; this would be
> the final icing on the cake if I could get it working.
>
> Please have a look at the following link to get an idea of what I have
> done to get LDAP up and running:
>
> http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server
>
>
> What I really need help with is sudo under LDAP in the above scenario. I
> hope I have given enough information; if you require more information please
> just say and I will provide it ASAP.
>
> Regards
>
> Kashif
>
>
>
>
> 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
>
>> This is how I've always done it:
>>
>> I usually just pull the src.rpm and add ldap in the .spec file,
>> recompile, then I can add it to the standard build image / kickstart.
>>
>> Then add something like:
>> sudoers_base   ou=SUDOers,dc=example,dc=com
>>
>> to /etc/ldap.conf and that should be it.
>>
>>
>> Cheers,
>>
>> Malcolm
>>
>> On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
>> > When you say add the sudo base, are you talking about the ldif file?
>> >
>> > Is there no way to continue to use the original ldif file?
>> >
>> >
>> > 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
>> >         Red Hat sudo doesn't support LDAP; recompile it with LDAP
>> >         support and add
>> >         the sudoers base to /etc/ldap.conf and it should work then,
>> >         annoying!
>> >
>> >         Cheers
>> >
>> >         Malcolm
>> >
>> >
>> >         On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
>> >         > Hello all,
>> >         >
>> >         > I have successfully set up FDS on CentOS 5.2, and managed to
>> >         > get users signing on without any issues. However, if I edit
>> >         > the sudoers file to allow a group on LDAP to use sudo, the
>> >         > sudo command does not see the members of the group, or I
>> >         > think the group itself?
>> >         >
>> >         > I have no idea why this is:
>> >         >
>> >         > If I run the command 'id' as the given user you can clearly
>> >         > see the group memberships; however, if I do: getent group
>> >         > linuxops I see:
>> >         >
>> >         > linuxops:*:6000:
>> >         >
>> >         > with no members??? However, sshd AllowGroups works? I have
>> >         > configured sshd to only allow members of the linuxops group
>> >         > to log in and this works fine? So my question is why is sudo
>> >         > behaving differently?
>> >         >
>> >
>> >         > --
>> >         > Fedora-directory-users mailing list
>> >         > Fedora-directory-users at redhat.com
>> >         > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >
>> >
>> >
>>
>>
>
>
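As an added example (not code from the thread, nor from sudo or FDS): the sudo LDAP schema addresses the "only one sudo file in LDAP" concern raised above with sudoRole entries whose sudoHost attribute scopes each rule to hosts, so a single ou=SUDOers container can grant ALL on dev machines and only read-only commands on production to the same user. The LDIF, hostnames and user names below are constructed, and the matching logic is a simplified model of how sudo evaluates sudoUser/sudoHost, written for illustration rather than taken from sudo itself.

```python
# Constructed LDIF (not from the thread): one sudoRole per environment, so a
# user who is in both the dev and prodlogs groups gets ALL only on dev hosts.
SUDOERS_LDIF = """\
dn: cn=dev_full,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: dev_full
sudoUser: %dev
sudoHost: dev-01
sudoCommand: ALL

dn: cn=prod_logs,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: prod_logs
sudoUser: %prodlogs
sudoHost: prod-01
sudoCommand: /usr/bin/less
sudoCommand: /bin/cat
sudoCommand: /bin/more
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: a blank line ends an entry; attributes may repeat."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def role_applies(entry: dict, user: str, groups: set[str], host: str) -> bool:
    """sudoUser may be ALL, a login name or %group; sudoHost may be ALL or a hostname.
    Netgroups, wildcards and CIDR (which real sudo also accepts) are not modelled.
    %group is only as good as the host's group lookup, which is the getent issue above."""
    users = entry.get("sudoUser", [])
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups) for u in users)
    host_ok = any(h in ("ALL", host) for h in entry.get("sudoHost", []))
    return user_ok and host_ok

def allowed_commands(user: str, groups: set[str], host: str, ldif: str = SUDOERS_LDIF) -> set[str]:
    """Union of sudoCommand values from every sudoRole matching this user on this host."""
    cmds: set[str] = set()
    for e in parse_ldif(ldif):
        if "sudoRole" in e.get("objectClass", []) and role_applies(e, user, groups, host):
            cmds.update(e.get("sudoCommand", []))
    return cmds
```

A user in both groups therefore resolves to ALL on dev-01 but only the three viewing commands on prod-01, which is the split the thread wants; on a real host sudo needs the %group names to resolve through getent, so the empty-member posixGroup problem above still has to be fixed first.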