===== serverpart: OpenLDAP on RHEL6 =====
<code>
# server
cp /usr/share/doc/sudo-*/schema.OpenLDAP /etc/openldap/schema/sudo.schema

### old, if /etc/openldap/slapd.conf exists
cd /etc/openldap
vi slapd.conf
# a) make sure sudo schema is contained
# b) index       sudoUser        eq
service slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

### new config style
# adding schema new style: https://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/
cat >/tmp/schema_convert.conf<<EOT
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema
EOT
mkdir /tmp/ldif_output
slaptest -f schema_convert.conf -F /tmp/ldif_output
service slapd stop
cp /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}sudo.ldif /etc/openldap/slapd.d/cn\=config/cn\=schema
vi /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{12\}sudo.ldif
# remove all lines after 'structuralObjectClass: olcSchemaConfig' and this line itself
chown ldap:ldap /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{12\}sudo.ldif 
service slapd start


### from here the instructions for both ways are similiar again
chown -R ldap:ldap /etc/openldap/slapd.d 
chmod -R 000 /etc/openldap/slapd.d 
chmod -R u+rwX /etc/openldap/slapd.d 

cat >/etc/openldap/initial_sudo.ldif<<EOT
dn: ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
EOT
ldapadd -x -D cn=manager,dc=fluxcoil,dc=net -w redhat -f /etc/openldap/initial_sudo.ldif

cd
cp /usr/share/doc/sudo-*/sudoers2ldif .
chmod +x sudoers2ldif
export SUDOERS_BASE=ou=SUDOers,dc=fluxcoil,dc=net
./sudoers2ldif /etc/sudoers > /etc/openldap/sudoers.ldif
ldapadd -x -D cn=manager,dc=fluxcoil,dc=net -w redhat -f /etc/openldap/sudoers.ldif
</code>

===== serverpart: Red Hat Directory Server =====
Alternatively to OpenLDAP, 389 or RHDS can be used.  RHDS9 already contains the sudo-ldap schema.

===== rhel6 on client, sudo/ldap directly =====
<code>
cat >/etc/nss_ldap.conf<<EOT
sudoers_base ou=SUDOers,dc=fluxcoil,dc=net
base dc=fluxcoil,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://rhel6b.site/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
# sudoers_debug 2
EOT
echo 'sudoers: files ldap' >>/etc/nsswitch.conf

sudo -l -U user1
# should now show the sudo map from ldap
</code>

===== sudo/ldap and netgroup example objects =====
<code>
# sudo objects
# SUDOers, fluxcoil.net
dn: ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# root, SUDOers, fluxcoil.net
dn: cn=root,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

# user1, SUDOers, fluxcoil.net
dn: cn=user1,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: user1
sudoUser: user1
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: /bin/ls
sudoOption: !authenticate
sudoOrder: 3

# defaults, SUDOers, fluxcoil.net
dn: cn=defaults,ou=SUDOers,dc=fluxcoil,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOrder: 1

# rule0, SUDOers, fluxcoil.net
dn: cn=rule0,ou=SUDOers,dc=fluxcoil,dc=net
cn: rule0
objectClass: sudoRole
objectClass: top
sudoUser: +netgr0
sudoHost: ALL
sudoCommand: /sbin/service httpd restart

# Netgroup, fluxcoil.net
dn: ou=Netgroup,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Netgroup

# netgr0, Netgroup, fluxcoil.net
dn: cn=netgr0,ou=Netgroup,dc=fluxcoil,dc=net
objectClass: nisNetgroup
objectClass: top
cn: netgr0
nisNetgroupTriple: (,user0,)

# users, fluxcoil.net
dn: ou=users,dc=fluxcoil,dc=net
objectClass: organizationalUnit
objectClass: top
ou: users

# user0, users, fluxcoil.net
dn: cn=user0,ou=users,dc=fluxcoil,dc=net
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
cn: user0
givenName: Christian
sn: Horn
mail: chorm@domain.net
preferredLanguage: en
telephoneNumber: +123 345
l: muc
departmentNumber: X labs
uid: user0
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user0
loginShell: /bin/bash


# user1, users, fluxcoil.net
dn: cn=user1,ou=users,dc=fluxcoil,dc=net
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
cn: user1
givenName: Christian
sn: Horn
mail: chorm@domain.net
preferredLanguage: en
telephoneNumber: +123 345
l: muc
departmentNumber: X labs
uid: user1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user1
loginShell: /bin/bash

# Groups, fluxcoil.net
dn: ou=Groups,dc=fluxcoil,dc=net
objectClass: top
objectClass: organizationalunit
ou: Groups

# group0, Groups, fluxcoil.net
dn: cn=group0,ou=Groups,dc=fluxcoil,dc=net
objectClass: posixGroup
objectClass: top
cn: group0
gidNumber: 1000

# group1, Groups, fluxcoil.net
dn: cn=group1,ou=Groups,dc=fluxcoil,dc=net
objectClass: posixGroup
objectClass: top
cn: group1
gidNumber: 1001
</code>