[389-users] /etc/sudoers VS sudo-objects in directory server

[Doug Chapman]

Not to digress too much off topic here, but I'm not sure about your comment
on using groups- we've organized privileges into entry's like this:

cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
sudoHost: sasapp*.prod.foo.com
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse
cn: reporting_admin_on_sas

Note that you can have N number of sudoCommand|sudoUser entry's, so you can
organize this CN around what the people in these groups need todo on this
box.

One of my co-workers wrote a script that exports the sudo entries in the
directory to /etc/sudoers to handle the case of legacy machines that are too
old or broken to have native sudo ldap lookups (of course they still need to
be able to lookup uid's/gid's in the directory for this to work).


On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across at itasoftware.com> wrote:

> We're going to go with sudoers in ldap, not because I think it's better,
> but because it's somewhat more secure.  I think the layout of how it's
> managed in ldap is much inferior (having to declare each group multiple
> times, and not being able to apply privileges to a *group*, is stupid) but
> it is at least someplace where I know the clever people can't get easy
> access to it, and if the sudoers file gets modified, I can have tripwire
> scream.
>
> -- juniper
>
> ----- Original Message -----
> From: "Kenneth Holter" <kenneho.ndu at gmail.com>
> To: fedora-directory-users at redhat.com
> Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern
> Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
>
>
>
> Hi.
>
>
> We're working on setting up Red Hat Directory Server (RHDS), and need to
> make a decision about wether sudo information should be defined as
> sudo-objects in the directory server, or if we should stick to /etc/sudoers.
> I've played around with sudo-objects in the directory server, and got it
> working. But the way I see it, maintaining sudo information in /etc/sudoers
> is much easier than to maintain it in a directory server. In the latter
> case, I'd either have to use the GUI, or write scripts/ldif files to make
> necessary changes to the sudo setup, and they both seem less intuitive than
> to simply edit the /etc/sudoers file.
>
> I'd very much like to hear from others on their thoughts on wether to
> maintain sudo information in /etc/sudoers or in the directory server, so
> please feel free to post a reply.
>
>
> Best regards,
> Kenneth Holter
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091230/214bd59b/attachment.htm>