Annotation of src/usr.bin/sudo/README.LDAP, Revision 1.6
1.6 ! millert 1: This file explains how to build the optional LDAP functionality of SUDO to
1.1 millert 2: store /etc/sudoers information. This feature is distinct from LDAP passwords.
3:
1.6 ! millert 4: For general sudo LDAP configuration details, see the sudoers.ldap manual that
! 5: comes with the sudo distribution. A pre-formatted version of the manual may
! 6: be found in the sudoers.ldap.cat file.
! 7:
! 8: The sudo binary compiled with LDAP support should be totally backward
! 9: compatible and be syntactically and source code equivalent to its
! 10: non LDAP-enabled build.
! 11:
1.1 millert 12: LDAP philosophy
13: ===============
14: As times change and servers become cheap, an enterprise can easily have 500+
15: UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
16: others across an enterprise can greatly reduce the administrative overhead.
17:
1.6 ! millert 18: In the past, sudo has used a single local configuration file, /etc/sudoers.
! 19: While the same sudoers file can be shared among machines, no built-in
! 20: mechanism exists to distribute it. Some have attempted to workaround this
! 21: by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.
! 22:
! 23: By using LDAP for sudoers we gain a centrally administered, globally
! 24: available configuration source for sudo.
1.1 millert 25:
1.2 millert 26: For information on OpenLDAP, please see http://www.openldap.org/.
27:
1.1 millert 28: Definitions
29: ===========
30: Many times the word 'Directory' is used in the document to refer to the LDAP
31: server, structure and contents.
32:
33: Many times 'options' are used in this document to refer to sudoer 'defaults'.
34: They are one and the same.
35:
36: Build instructions
37: ==================
38: The most simplest way to build sudo with LDAP support is to include the
1.2 millert 39: '--with-ldap' option.
1.1 millert 40:
1.2 millert 41: $ ./configure --with-ldap
1.1 millert 42:
1.2 millert 43: If your ldap libraries and headers are in a non-standard place, you will need
44: to specify them at configure time. E.g.
1.1 millert 45:
1.2 millert 46: $ ./configure --with-ldap=/usr/local/ldapsdk
1.1 millert 47:
1.6 ! millert 48: Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
! 49: (such as those present in Solaris) are also known to work.
1.1 millert 50:
1.2 millert 51: Your Mileage may vary. Please let the sudo workers mailing list
1.6 ! millert 52: <sudo-workers@sudo.ws> know if special configuration was required
! 53: to build an LDAP-enabled sudo so we can improve sudo.
1.1 millert 54:
55: Schema Changes
56: ==============
1.6 ! millert 57: You must add the appropriate schema to your LDAP server before it
! 58: can store sudoers content.
! 59:
! 60: For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
! 61: (e.g. /etc/openldap/schema). You must then edit your slapd.conf and
! 62: add an include line the new schema, e.g.
! 63:
! 64: # Sudo LDAP schema
! 65: include /etc/openldap/schema/sudo.schema
! 66:
! 67: In order for sudoRole LDAP queries to be efficient, the server must index
! 68: the attribute 'sudoUser', e.g.
! 69:
! 70: # Indices to maintain
! 71: index sudoUser eq
! 72:
! 73: After making the changes to slapd.conf, restart slapd.
1.1 millert 74:
1.6 ! millert 75: For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
! 76: copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
! 77:
! 78: On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
! 79: For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
! 80:
! 81: After copying the schema file to the appropriate directory, restart
! 82: the LDAP server.
! 83:
! 84: Finally, using an LDAP browser/editor, enable indexing by editing the
! 85: client profile to provide a Service Search Descriptor (SSD) for sudoers,
! 86: replacing example.com with your domain:
! 87:
! 88: serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
! 89:
! 90: If using an Active Directory server, copy schema.ActiveDirectory
! 91: to your Windows domain controller and run the following command:
! 92:
! 93: ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
! 94:
! 95: Importing /etc/sudoers into LDAP
! 96: ================================
! 97: Importing sudoers is a two-step process.
1.1 millert 98:
99: Step 1:
100: Ask your LDAP Administrator where to create the ou=SUDOers container.
1.2 millert 101:
102: For instance, if using OpenLDAP:
103:
104: dn: ou=SUDOers,dc=example,dc=com
105: objectClass: top
106: objectClass: organizationalUnit
107: ou: SUDOers
108:
1.1 millert 109: (An example location is shown below). Then use the provided script to convert
110: your sudoers file into LDIF format. The script will also convert any default
111: options.
112:
113: # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
114: # export SUDOERS_BASE
115: # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
116:
117: Step 2:
1.6 ! millert 118: Import into your directory server. The following example is for
! 119: OpenLDAP. If you are using another directory, provide the LDIF
! 120: file to your LDAP Administrator.
1.1 millert 121:
122: # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
1.6 ! millert 123: -D cn=Manager,dc=example,dc=com -W -x
1.1 millert 124:
125: Managing LDAP entries
126: =====================
127: Doing a one-time bulk load of your ldap entries is fine. However what if you
128: need to make minor changes on a daily basis? It doesn't make sense to delete
129: and re-add objects. (You can, but this is tedious).
130:
131: I recommend using any of the following LDAP browsers to administer your SUDOers.
132: * GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
133: and since it is Schema aware, I don't need to create a sudoRole template.
134: http://biot.com/gq/
135:
136: * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
137: and Solaris. It runs anywhere in a Java Virtual Machine including
138: web pages. You have to make a template from an existing sudoRole entry.
139: http://www.iit.edu/~gawojar/ldap
140: http://www.mcs.anl.gov/~gawor/ldap
141: http://ldapmanager.com
142:
1.3 millert 143: * Apache Directory Studio - Open Source - an Eclipse-based LDAP
144: development platform. Includes an LDAP browser, and LDIF editor,
145: a schema editor and more.
146: http://directory.apache.org/studio
147:
148: There are dozens of others, some Open Source, some free, some not.
1.1 millert 149:
1.6 ! millert 150: Configure your /etc/ldap.conf and /etc/nsswitch.conf
! 151: ====================================================
1.1 millert 152: The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
153: and other ldap applications and modules. IBM Secureway unfortunately uses
154: the same filename but has a different syntax. If you need to rename where
1.3 millert 155: this file is stored, re-run configure with the --with-ldap-conf-file=filename
156: option.
1.1 millert 157:
1.6 ! millert 158: See the "Configuring ldap.conf" section in the sudoers.ldap manual
! 159: for a list of supported ldap.conf parameters and an example ldap.conf
1.1 millert 160:
1.6 ! millert 161: Make sure you sudoers_base matches the location you specified when you
! 162: imported the sudoers ldif data.
! 163:
! 164: After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
! 165: to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
! 166: section in the sudoers.ldap manual for details. Note that sudo will use
! 167: /etc/nsswitch.conf even if the underlying operating system does not support it.
! 168: To disable nsswitch support, run configure with the --with-nsswitch=no option.
! 169: This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
! 170: ignore_sudoers_file flag is set in the global LDAP options.
1.1 millert 171:
172: Debugging your LDAP configuration
173: =================================
174: Enable debugging if you believe sudo is not parsing LDAP the way you think it
1.6 ! millert 175: should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
! 176: debugging. A value of 2 shows the results of the matches themselves. Make
! 177: sure to set the value back to zero so that other users don't get confused by
! 178: the debugging messages.