| version 1.1, 2004/09/28 15:10:50 |
version 1.2, 2007/07/26 16:10:15 |
|
|
| RCS/CVS/RSYNC/RDIST/RCP/SCP and even NFS. Many have asked for a Hesiod, NIS, |
RCS/CVS/RSYNC/RDIST/RCP/SCP and even NFS. Many have asked for a Hesiod, NIS, |
| or LDAP patch for sudo, so here is my attempt at LDAP'izing sudo. |
or LDAP patch for sudo, so here is my attempt at LDAP'izing sudo. |
| |
|
| |
For information on OpenLDAP, please see http://www.openldap.org/. |
| |
|
| Definitions |
Definitions |
| =========== |
=========== |
| Many times the word 'Directory' is used in the document to refer to the LDAP |
Many times the word 'Directory' is used in the document to refer to the LDAP |
|
|
| Build instructions |
Build instructions |
| ================== |
================== |
| The most simplest way to build sudo with LDAP support is to include the |
The most simplest way to build sudo with LDAP support is to include the |
| '--with-ldap' option. I recommend including the '--with-pam' option on those |
'--with-ldap' option. |
| system with PAM so that if you decide to use LDAP for authentication, you won't |
|
| need to recompile sudo. |
|
| |
|
| $ ./configure --with-ldap --with-pam |
$ ./configure --with-ldap |
| |
|
| If your ldap libraries and headers are in a non standard place, you will need |
If your ldap libraries and headers are in a non-standard place, you will need |
| to specify them at configure time. |
to specify them at configure time. E.g. |
| |
|
| $ ./configure --with-ldap=/usr/local/ldapsdk --with-pam |
$ ./configure --with-ldap=/usr/local/ldapsdk |
| |
|
| Sudo is tested against OpenLDAP's implementation. Other LDAP implementations |
Sudo is developed using OpenLDAP. Other LDAP implementations may |
| may require adding '-lldif' to SUDO_LIBS in the Makefile. |
require adding '-lldif' to SUDO_LIBS in the Makefile. |
| |
|
| Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org> |
Your Mileage may vary. Please let the sudo workers mailing list |
| know what combinations worked best for your OS & LDAP Combinations so we can |
<sudo-workers@sudo.ws> know what combinations worked best for your |
| improve sudo. |
OS and LDAP Combinations so we can improve sudo. |
| |
|
| More Build Notes: |
More Build Notes: |
| HP-UX 11.23 (gcc3) Galen Johnson <Galen.Johnson@sas.com> |
HP-UX 11.23 (gcc3) Galen Johnson <Galen.Johnson@sas.com> |
|
|
| |
|
| Schema Changes |
Schema Changes |
| ============== |
============== |
| Add the following schema to your LDAP server so that it may contain sudoer |
Add the appropriate schema to your LDAP server so that it may contain |
| content. In OpenLDAP, simply place this into a new file and 'include' it |
sudoers content. |
| in your slapd.conf and restart slapd. For other LDAP servers, provide this |
|
| to your LDAP Administrator. Make sure to index the attribute 'sudoUser'. |
|
| |
|
| |
For OpenLDAP, simply copy schema.OpenLDAP to the schema directory |
| |
(e.g. /etc/openldap/schema) and 'include' it in your slapd.conf and |
| |
restart slapd. For other LDAP servers, provide this to your LDAP |
| |
Administrator. Make sure to index the attribute 'sudoUser'. |
| |
|
| # |
For the SunONE or iPlanet LDAP server, use the schema.iPlanet file. |
| # schema file for sudo |
|
| # |
|
| |
|
| attributetype ( 1.3.6.1.4.1.15953.9.1.1 |
|
| NAME 'sudoUser' |
|
| DESC 'User(s) who may run sudo' |
|
| EQUALITY caseExactIA5Match |
|
| SUBSTR caseExactIA5SubstringsMatch |
|
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
| |
|
| attributetype ( 1.3.6.1.4.1.15953.9.1.2 |
|
| NAME 'sudoHost' |
|
| DESC 'Host(s) who may run sudo' |
|
| EQUALITY caseExactIA5Match |
|
| SUBSTR caseExactIA5SubstringsMatch |
|
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
| |
|
| attributetype ( 1.3.6.1.4.1.15953.9.1.3 |
|
| NAME 'sudoCommand' |
|
| DESC 'Command(s) to be executed by sudo' |
|
| EQUALITY caseExactIA5Match |
|
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
| |
|
| attributetype ( 1.3.6.1.4.1.15953.9.1.4 |
|
| NAME 'sudoRunAs' |
|
| DESC 'User(s) impersonated by sudo' |
|
| EQUALITY caseExactIA5Match |
|
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
| |
|
| attributetype ( 1.3.6.1.4.1.15953.9.1.5 |
|
| NAME 'sudoOption' |
|
| DESC 'Options(s) followed by sudo' |
|
| EQUALITY caseExactIA5Match |
|
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
| |
|
| objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL |
|
| DESC 'Sudoer Entries' |
|
| MUST ( cn ) |
|
| MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ |
|
| description ) |
|
| ) |
|
| |
|
| # |
|
| # Same thing as above, but imports better into SunONE or iPlanet |
|
| # (remove any leading spaces and save to a seperate file) |
|
| # |
|
| |
|
| dn: cn=schema |
|
| attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) |
|
| attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) |
|
| attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) |
|
| attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) |
|
| attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) |
|
| objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' ) |
|
| |
|
| |
|
| |
|
| Importing /etc/sudoers to LDAP |
Importing /etc/sudoers to LDAP |
| ============================== |
============================== |
| Importing is a two step process. |
Importing is a two step process. |
| |
|
| Step 1: |
Step 1: |
| Ask your LDAP Administrator where to create the ou=SUDOers container. |
Ask your LDAP Administrator where to create the ou=SUDOers container. |
| |
|
| |
For instance, if using OpenLDAP: |
| |
|
| |
dn: ou=SUDOers,dc=example,dc=com |
| |
objectClass: top |
| |
objectClass: organizationalUnit |
| |
ou: SUDOers |
| |
|
| (An example location is shown below). Then use the provided script to convert |
(An example location is shown below). Then use the provided script to convert |
| your sudoers file into LDIF format. The script will also convert any default |
your sudoers file into LDIF format. The script will also convert any default |
| options. |
options. |
|
|
| # optional proxy credentials |
# optional proxy credentials |
| #binddn <who to search as> |
#binddn <who to search as> |
| #bindpw <password> |
#bindpw <password> |
| |
#rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw> |
| # |
# |
| # LDAP Protocol Version defaults to 3 |
# LDAP Protocol Version defaults to 3 |
| #ldap_version 3 |
#ldap_version 3 |
|
|
| sudoCommand: !/bin/sh |
sudoCommand: !/bin/sh |
| sudoCommand: ALL |
sudoCommand: ALL |
| |
|
| Another difference is that negations on the Host are User (or Runas) are |
Another difference is that negations on the Host, User or Runas are |
| currently ignorred. For example, these attributes do not work how they first |
currently ignorred. For example, these attributes do not work how they first |
| seem. If you desperately want this to be changed, contact Aaron Spangler |
seem. If you desperately want this to be changed, contact Aaron Spangler |
| (aaron@spangler.ods.org). |
(aaron@spangler.ods.org). |
![[BACK]](/icons/back.gif){kind=icon}
Return to README.LDAP CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo