
serverpart: OpenLDAP on RHEL6

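# server: install the sudo schema that ships with the sudo package
# (the glob assumes a single sudo-* doc directory; check with ls if cp complains)
cp /usr/share/doc/sudo-*/schema.OpenLDAP /etc/openldap/schema/sudo.schema

### old, if /etc/openldap/slapd.conf exists
# stop here if the directory is missing rather than editing/wiping in the wrong
# place (exit ends the session when pasted into an interactive shell; run as a script)
cd /etc/openldap || exit 1
vi slapd.conf
# a) make sure sudo schema is contained
# b) index       sudoUser        eq
service slapd stop
# slapd.d is regenerated from slapd.conf below; keep a copy of the current
# cn=config tree so a broken slapd.conf can be rolled back
cp -a /etc/openldap/slapd.d "/etc/openldap/slapd.d.bak.$(date +%Y%m%d%H%M%S)"
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d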

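### new config style
# adding schema new style: https://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/
# slaptest converts this slapd.conf-style include list into cn=config LDIF.
# NOTE(review): the generated cn={N}sudo.ldif index is sudo's 0-based position in
# this list ({12} here); it must not collide with a cn={N}*.ldif already present in
# /etc/openldap/slapd.d/cn=config/cn=schema -- compare with ls before copying.
# mktemp instead of fixed /tmp names: root writes these files, so a predictable
# path in a world-writable directory is avoided.
schema_conf=$(mktemp) || exit 1
cat >"$schema_conf"<<EOT
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema
EOT
ldif_output=$(mktemp -d) || exit 1
# full path to the config: the cwd is not /etc/openldap on this path
slaptest -f "$schema_conf" -F "$ldif_output"
service slapd stop
# pick up the generated sudo schema file whatever index slaptest assigned
sudo_ldif=("$ldif_output"/cn=config/cn=schema/cn=\{*\}sudo.ldif)
[[ -e "${sudo_ldif[0]}" ]] || { printf 'no sudo ldif generated in %s\n' "$ldif_output" >&2; exit 1; }
target="/etc/openldap/slapd.d/cn=config/cn=schema/${sudo_ldif[0]##*/}"
cp -- "${sudo_ldif[0]}" "$target"
# remove all lines after 'structuralObjectClass: olcSchemaConfig' and this line itself
# (the operational attributes slaptest added; done with sed instead of by hand in vi)
sed -i '/^structuralObjectClass: olcSchemaConfig/,$d' -- "$target"
chown ldap:ldap "$target"
service slapd start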


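### from here the instructions for both ways are similar again
# slapd runs as ldap; files left root-owned by slaptest would keep it from starting.
# The two chmod calls leave directories 700 and files 600, nothing for group/other.
chown -R ldap:ldap /etc/openldap/slapd.d
chmod -R 000 /etc/openldap/slapd.d
chmod -R u+rwX /etc/openldap/slapd.d
# the old-style path above never started slapd again after slaptest; ldapadd
# below needs it running (no-op if the new-style path already started it)
service slapd status >/dev/null 2>&1 || service slapd start

cat >/etc/openldap/initial_sudo.ldif<<EOT
dn: ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
EOT
# -W prompts for the manager password; '-w redhat' on the command line would show
# up in ps output and shell history. For unattended runs use '-y FILE' with a
# root-only password file instead.
ldapadd -x -D cn=manager,dc=fluxcoil,dc=net -W -f /etc/openldap/initial_sudo.ldif

cd || exit 1
cp /usr/share/doc/sudo-*/sudoers2ldif .
chmod +x sudoers2ldif
export SUDOERS_BASE=ou=SUDOers,dc=fluxcoil,dc=net
# the generated LDIF mirrors /etc/sudoers one sudoRole per rule; review it before
# loading, since every rule becomes visible to anyone who can read the subtree
./sudoers2ldif /etc/sudoers > /etc/openldap/sudoers.ldif
ldapadd -x -D cn=manager,dc=fluxcoil,dc=net -W -f /etc/openldap/sudoers.ldif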

serverpart: Red Hat Directory Server

As an alternative to OpenLDAP, 389 Directory Server or RHDS can be used; RHDS9 already contains the sudo-ldap schema.

RHEL6 client: sudo querying LDAP directly

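# NOTE(review): '>' replaces any existing /etc/nss_ldap.conf; merge by hand if the
# client already uses it for user/group lookups.
# NOTE(review): with 'ssl start_tls' the CA in tls_cacertdir must be the one that
# signed the certificate of rhel6b.site, and peer verification (tls_checkpeer)
# should be on -- otherwise an impostor server could hand out sudo rules. Confirm
# against the nss_ldap/sudoers.ldap man pages for the installed version.
cat >/etc/nss_ldap.conf<<EOT
sudoers_base ou=SUDOers,dc=fluxcoil,dc=net
base dc=fluxcoil,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://rhel6b.site/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
# sudoers_debug 2
EOT
# add the sudoers source only once: re-running the snippet must not append a
# duplicate line, and an existing 'sudoers:' entry should be edited, not shadowed
if grep -q '^sudoers:' /etc/nsswitch.conf; then
  printf '/etc/nsswitch.conf already has a sudoers: line, edit it by hand\n' >&2
else
  echo 'sudoers: files ldap' >>/etc/nsswitch.conf
fi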

# list the sudo rules the client now resolves for user1; with 'sudoers: files ldap'
# in place the sudoRole entries from the directory should appear in the output
sudo -U user1 -l

sudo/ldap and netgroup example objects

# sudo objects
# Example entries under dc=fluxcoil,dc=net for the sudo and netgroup setup above;
# they can be loaded with ldapadd like the initial_sudo.ldif in the server part.
# SUDOers, fluxcoil.net
dn: ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# root, SUDOers, fluxcoil.net
# unrestricted rule: root may run any command as any user on any host
dn: cn=root,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

# user1, SUDOers, fluxcoil.net
# '!authenticate' lets user1 run /bin/ls without entering a password;
# this is a lab example, not a default to copy into production rules
dn: cn=user1,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: user1
sudoUser: user1
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: /bin/ls
sudoOption: !authenticate
sudoOrder: 3

# defaults, SUDOers, fluxcoil.net
# global sudoOption values (the equivalent of a 'Defaults' line in /etc/sudoers).
# NOTE(review): entries are sorted by sudoOrder when evaluated; which end of the
# order takes precedence depends on the sudo version, see sudoers.ldap(5).
dn: cn=defaults,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOrder: 1

# rule0, SUDOers, fluxcoil.net
# the leading '+' in sudoUser refers to the netgroup cn=netgr0 defined below;
# no sudoRunAsUser and no sudoOrder are given, so sudo's defaults apply
# (presumably runas root -- confirm against sudoers.ldap(5))
dn: cn=rule0,ou=SUDOers,dc=fluxcoil,dc=net
cn: rule0
objectClass: sudoRole
objectClass: top
sudoUser: +netgr0
sudoHost: ALL
sudoCommand: /sbin/service httpd restart

# Netgroup, fluxcoil.net
dn: ou=Netgroup,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Netgroup

# netgr0, Netgroup, fluxcoil.net
# nisNetgroupTriple is (host,user,domain); empty host and domain fields act as
# wildcards, so this netgroup contains user0 on any host
dn: cn=netgr0,ou=Netgroup,dc=fluxcoil,dc=net
objectClass: nisNetgroup
objectClass: top
cn: netgr0
nisNetgroupTriple: (,user0,)

# users, fluxcoil.net
dn: ou=users,dc=fluxcoil,dc=net
objectClass: organizationalUnit
objectClass: top
ou: users

# user0, users, fluxcoil.net
# posixAccount attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell)
# are what the client's NSS/PAM lookups use; the inetOrgPerson fields are sample data
dn: cn=user0,ou=users,dc=fluxcoil,dc=net
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
cn: user0
givenName: Christian
sn: Horn
mail: chorm@domain.net
preferredLanguage: en
telephoneNumber: +123 345
l: muc
departmentNumber: X labs
uid: user0
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user0
loginShell: /bin/bash


# user1, users, fluxcoil.net
# same shape as user0 with its own uid/gid 1001; gidNumber matches cn=group1 below
dn: cn=user1,ou=users,dc=fluxcoil,dc=net
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
cn: user1
givenName: Christian
sn: Horn
mail: chorm@domain.net
preferredLanguage: en
telephoneNumber: +123 345
l: muc
departmentNumber: X labs
uid: user1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user1
loginShell: /bin/bash

# Groups, fluxcoil.net
# objectClass names are matched case-insensitively, so 'organizationalunit'
# is the same class as the 'organizationalUnit' used above
dn: ou=Groups,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalunit
ou: Groups

# group0, Groups, fluxcoil.net
# primary group of user0 (gidNumber 1000)
dn: cn=group0,ou=Groups,dc=fluxcoil,dc=net
objectClass: posixGroup
objectClass: top
cn: group0
gidNumber: 1000

# group1, Groups, fluxcoil.net
# primary group of user1 (gidNumber 1001)
dn: cn=group1,ou=Groups,dc=fluxcoil,dc=net
objectClass: posixGroup
objectClass: top
cn: group1
gidNumber: 1001