[389-users] /etc/sudoers VS sudo-objects in directory server

Anne Cross across at itasoftware.com
Thu Dec 31 16:31:53 UTC 2009 

As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.)  Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.

-- juniper

----- Original Message -----
From: "Doug Chapman" <prjctgeek at gmail.com>
To: "General discussion list for the 389 Directory server project." <fedora-directory-users at redhat.com>
Sent: Wednesday, December 30, 2009 6:48:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [389-users] /etc/sudoers VS sudo-objects in directory server




Not to digress too much off topic here, but I'm not sure about your comment on using groups- we've organized privileges into entry's like this: 




cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com 
sudoHost: sasapp*. prod.foo.com 
objectClass: sudoRole 
objectClass: top 
sudoCommand: /bin/su sas 
sudoCommand: /bin/su - sas 
sudoUser: %reporting 
sudoUser: %datawarehouse 
cn: reporting_admin_on_sas 


Note that you can have N number of sudoCommand|sudoUser entry's, so you can organize this CN around what the people in these groups need todo on this box. 


One of my co-workers wrote a script that exports the sudo entries in the directory to /etc/sudoers to handle the case of legacy machines that are too old or broken to have native sudo ldap lookups (of course they still need to be able to lookup uid's/gid's in the directory for this to work). 




On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross < across at itasoftware.com > wrote: 


We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure. I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream. 

-- juniper 




----- Original Message ----- 
From: "Kenneth Holter" < kenneho.ndu at gmail.com > 
To: fedora-directory-users at redhat.com 
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern 
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server 



Hi. 


We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about wether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file. 

I'd very much like to hear from others on their thoughts on wether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply. 


Best regards, 
Kenneth Holter 
-- 
389 users mailing list 
389-users at redhat.com 
https://www.redhat.com/mailman/listinfo/fedora-directory-users 

--
389 users mailing list
389-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

More information about the Fedora-directory-users mailing list