[Fedora-directory-users] Sudo and Ldap
Jonathan Barber
j.barber at dundee.ac.uk
Wed Sep 10 08:53:35 UTC 2008
On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> I believe in CentOS 5.x and Red Hat they have LDAP support built in:
>
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
>
> I am not sure how to include the LDIF file in the directory server, and also
> once it's included how to manage the sudoers?
>
> Let me give you some more background on the environment:
>
> we have the following environments:
>
> Production
> Staging
> Test
> Load Testing
> Development
>
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
>
> We have three main categories of users:
>
> Linuxops = Linux sysadmins
> SuperUsers = Developers who have sudo rights (ALL) on dev/load test
> environments, but only for the less, cat and more commands on the
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access the
> development environment
>
>
> I am restricting access to each environment via the sshd_config AllowGroups
> option. I have the following groups:
>
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
>
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you can log in to whichever environment and have
> the correct privileges.
>
> The problem I will have is with superusers. They would be members of the dev
> group (so have all rights on the dev env) but then they would be added to prodlogs
> etc... so they have restricted sudo on prod. However, since there would only
> be one sudo file in LDAP, sshd would let them log on to a production server via
> the prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to
particular hosts, which I think would achieve your aims.
See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution; it's
well worth developing your sudoers file with visudo for its syntax
checking before converting to LDIF with the sudoers2ldif utility.
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
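As an added illustration of the Host_Alias approach Jonathan suggests (this is not from the thread, and nobody on the list posted it), here is a sudoers file that expresses the three user categories described above. The environment groups (linuxops, dev, prodlogs, staginglog, testlogs, ltlogs) are taken from the thread; the hostname patterns are assumptions and would be replaced by whatever naming scheme the sites actually use.

```sudoers
# Added example, not part of the original thread.
# Rules are keyed on both group AND host, so the rule that fires depends on
# which environment sudo is running in, not only on group membership.

# Host aliases: matched against the local hostname (the FQDN if the "fqdn"
# option is set).  These patterns are assumed for the example.
Host_Alias PROD     = prod-*.example.com
Host_Alias STAGING  = staging-*.example.com
Host_Alias TEST     = test-*.example.com
Host_Alias LOADTEST = lt-*.example.com
Host_Alias DEV      = dev-*.example.com

# The read-only commands SuperUsers may run on restricted environments.
Cmnd_Alias VIEWLOGS = /bin/cat, /usr/bin/less, /bin/more

# less and more can spawn a shell with "!".  Block that with noexec so a
# "log viewing" grant cannot be turned into a root shell.
Defaults!VIEWLOGS noexec

# Linux sysadmins: everything, everywhere.
%linuxops ALL = (ALL) ALL

# Developers: everything, but only on development hosts.  A member of dev
# who reaches a production box via another group gets nothing from this
# rule, because it does not match PROD hosts.  That is the case the
# original poster was worried about.
%dev DEV = (ALL) ALL

# SuperUsers: the thread already uses one group per environment for
# sshd AllowGroups, so the same groups carry the sudo grants.
%ltlogs     LOADTEST = (ALL) ALL
%prodlogs   PROD     = (root) VIEWLOGS
%staginglog STAGING  = (root) VIEWLOGS
%testlogs   TEST     = (root) VIEWLOGS
```

Check the file with `visudo -c -f /path/to/sudoers.new` before converting it; visudo will refuse to accept a file with a syntax error. The LDAP sudoers schema has no alias objects, so sudoers2ldif expands the aliases and emits one sudoRole entry per rule, with the user list in sudoUser, the expanded Host_Alias members in sudoHost and the commands in sudoCommand. The LDAP plugin then matches sudoHost against the local hostname in the same way the flat file does, so the per-environment restriction survives the move to the directory server.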