[Fedora-directory-users] Sudo and Ldap

Jonathan Barber j.barber at dundee.ac.uk
Wed Sep 10 08:53:35 UTC 2008


On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> I believe in CentOS 5.x and Red Hat they have LDAP support built in:
> 
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
> 
> I am not sure how to include the LDIF file in the directory server, and also,
> once it's included, how to manage the sudoers?
> 
> Let me give you some more background on the environment:
> 
> we have the following environments:
> 
> Production
> Staging
> Test
> Load Testing
> Development
> 
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
> 
> We have three main categories of users:
> 
> Linuxops = Linux sysadmins
> SuperUsers = Developers who have sudo rights (ALL) on the dev/load test
> environments, but only for the less, cat and more commands on the
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access
> the development environment
> 
> 
> I am restricting access to each environment via the sshd_config AllowGroups
> variable. I have the following groups:
> 
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
> 
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you could log in to whichever environment and have
> the correct privileges.
> 
> The problem I will have is with superusers. They would be members of the dev
> group (so have all rights on the dev env) but then they would be added to prodlogs
> etc., so they have restricted sudo on prod. However, since there would only
> be one sudo file in LDAP, sshd would let them log on to a production server via
> the prodlogs group, and sudo would find the dev group and give them full
> rights!

sudo has the Host_Alias feature to restrict command aliases to
particular hosts, which I think would achieve your aims.

See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution. It's
well worth developing your sudoers file with visudo, for its syntax
checking, before converting it to LDIF with the sudoers2ldif utility.
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
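
As an added example, not part of the thread above, here is what the Host_Alias
approach looks like when written out for the groups Kashif listed. The hostname
patterns (prod-*, staging-* and so on) are assumptions; replace them with your own
naming, with netgroups (+prodhosts) or with IP ranges. Whether the ltlogs group
should get full sudo on load test or viewing only is not stated in the original
message, so that line is also an assumption.

```sudoers
## Added example, not the original poster's or the sudo project's file.
## Host patterns below are assumed and must be adapted to local naming.

Host_Alias  PROD    = prod-*
Host_Alias  STAGING = staging-*
Host_Alias  TEST    = test-*
Host_Alias  LT      = lt-*
Host_Alias  DEV     = dev-*

# Read-only viewing of logs and config files
Cmnd_Alias  VIEW    = /usr/bin/less, /bin/cat, /bin/more

# Linux sysadmins: everything, everywhere
%linuxops   ALL = (ALL) ALL

# Developers: full sudo, but only on development hosts. A dev member who
# logs in to a production box via the prodlogs group matches nothing on
# this line, because that host is not in DEV.
%dev        DEV = (ALL) ALL

# Superusers: full sudo on load test (assumed for ltlogs), viewing only on
# prod/staging/test. NOEXEC stops less(1) from spawning a root shell with
# its "!" command.
%ltlogs     LT      = (ALL) ALL
%prodlogs   PROD    = (root) NOEXEC: VIEW
%staginglog STAGING = (root) NOEXEC: VIEW
%testlogs   TEST    = (root) NOEXEC: VIEW
```

Check the file with `visudo -c -f <file>` before converting it with
`sudoers2ldif <file> > sudoers.ldif` (the script takes the LDAP base from the
SUDOERS_BASE environment variable) and loading the result with ldapadd. LDAP has no
alias objects, so each Host_Alias is expanded into the sudoHost values of the
resulting sudoRole entries and the tags become sudoOption attributes. Two caveats
worth checking on a test host: sudo matches the host against what gethostname()
returns, so wildcard patterns only work if the short name (or the FQDN, with the
fqdn option) follows the pattern; and `cat` run as root will read any file, not just
logs, so restrict its arguments if viewing is really meant to be limited to log and
config files.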