Annotation of src/usr.bin/sudo/README.LDAP, Revision 1.7
1.6 millert 1: This file explains how to build the optional LDAP functionality of SUDO to
1.1 millert 2: store /etc/sudoers information. This feature is distinct from LDAP passwords.
3:
1.6 millert 4: For general sudo LDAP configuration details, see the sudoers.ldap manual that
5: comes with the sudo distribution. A pre-formatted version of the manual may
6: be found in the sudoers.ldap.cat file.
7:
8: The sudo binary compiled with LDAP support should be totally backward
9: compatible and be syntactically and source code equivalent to its
10: non LDAP-enabled build.
11:
1.1 millert 12: LDAP philosophy
13: ===============
14: As times change and servers become cheap, an enterprise can easily have 500+
15: UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
16: others across an enterprise can greatly reduce the administrative overhead.
17:
1.6 millert 18: In the past, sudo has used a single local configuration file, /etc/sudoers.
19: While the same sudoers file can be shared among machines, no built-in
20: mechanism exists to distribute it. Some have attempted to workaround this
21: by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.
22:
23: By using LDAP for sudoers we gain a centrally administered, globally
24: available configuration source for sudo.
1.1 millert 25:
1.2 millert 26: For information on OpenLDAP, please see http://www.openldap.org/.
27:
1.1 millert 28: Definitions
29: ===========
30: Many times the word 'Directory' is used in the document to refer to the LDAP
31: server, structure and contents.
32:
33: Many times 'options' are used in this document to refer to sudoer 'defaults'.
34: They are one and the same.
35:
36: Build instructions
37: ==================
1.7 ! millert 38: The simplest way to build sudo with LDAP support is to include the
1.2 millert 39: '--with-ldap' option.
1.1 millert 40:
1.2 millert 41: $ ./configure --with-ldap
1.1 millert 42:
1.2 millert 43: If your ldap libraries and headers are in a non-standard place, you will need
44: to specify them at configure time. E.g.
1.1 millert 45:
1.2 millert 46: $ ./configure --with-ldap=/usr/local/ldapsdk
1.1 millert 47:
1.6 millert 48: Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
49: (such as those present in Solaris) are also known to work.
1.1 millert 50:
1.7 ! millert 51: Your mileage may vary. Please let the sudo workers mailing list
1.6 millert 52: <sudo-workers@sudo.ws> know if special configuration was required
53: to build an LDAP-enabled sudo so we can improve sudo.
1.1 millert 54:
55: Schema Changes
56: ==============
1.6 millert 57: You must add the appropriate schema to your LDAP server before it
58: can store sudoers content.
59:
60: For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
61: (e.g. /etc/openldap/schema). You must then edit your slapd.conf and
62: add an include line the new schema, e.g.
63:
64: # Sudo LDAP schema
65: include /etc/openldap/schema/sudo.schema
66:
67: In order for sudoRole LDAP queries to be efficient, the server must index
68: the attribute 'sudoUser', e.g.
69:
70: # Indices to maintain
71: index sudoUser eq
72:
73: After making the changes to slapd.conf, restart slapd.
1.1 millert 74:
1.6 millert 75: For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
76: copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
77:
78: On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
79: For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
80:
81: After copying the schema file to the appropriate directory, restart
82: the LDAP server.
83:
84: Finally, using an LDAP browser/editor, enable indexing by editing the
85: client profile to provide a Service Search Descriptor (SSD) for sudoers,
86: replacing example.com with your domain:
87:
88: serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
89:
90: If using an Active Directory server, copy schema.ActiveDirectory
91: to your Windows domain controller and run the following command:
92:
93: ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
94:
95: Importing /etc/sudoers into LDAP
96: ================================
97: Importing sudoers is a two-step process.
1.1 millert 98:
99: Step 1:
100: Ask your LDAP Administrator where to create the ou=SUDOers container.
1.2 millert 101:
102: For instance, if using OpenLDAP:
103:
104: dn: ou=SUDOers,dc=example,dc=com
105: objectClass: top
106: objectClass: organizationalUnit
107: ou: SUDOers
108:
1.1 millert 109: (An example location is shown below). Then use the provided script to convert
110: your sudoers file into LDIF format. The script will also convert any default
111: options.
112:
113: # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
114: # export SUDOERS_BASE
115: # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
116:
117: Step 2:
1.6 millert 118: Import into your directory server. The following example is for
119: OpenLDAP. If you are using another directory, provide the LDIF
120: file to your LDAP Administrator.
1.1 millert 121:
122: # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
1.6 millert 123: -D cn=Manager,dc=example,dc=com -W -x
1.1 millert 124:
125: Managing LDAP entries
126: =====================
127: Doing a one-time bulk load of your ldap entries is fine. However what if you
128: need to make minor changes on a daily basis? It doesn't make sense to delete
129: and re-add objects. (You can, but this is tedious).
130:
131: I recommend using any of the following LDAP browsers to administer your SUDOers.
132: * GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
133: and since it is Schema aware, I don't need to create a sudoRole template.
134: http://biot.com/gq/
135:
136: * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
137: and Solaris. It runs anywhere in a Java Virtual Machine including
138: web pages. You have to make a template from an existing sudoRole entry.
139: http://www.iit.edu/~gawojar/ldap
140: http://www.mcs.anl.gov/~gawor/ldap
141: http://ldapmanager.com
142:
1.3 millert 143: * Apache Directory Studio - Open Source - an Eclipse-based LDAP
144: development platform. Includes an LDAP browser, and LDIF editor,
145: a schema editor and more.
146: http://directory.apache.org/studio
147:
148: There are dozens of others, some Open Source, some free, some not.
1.1 millert 149:
1.6 millert 150: Configure your /etc/ldap.conf and /etc/nsswitch.conf
151: ====================================================
1.1 millert 152: The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
153: and other ldap applications and modules. IBM Secureway unfortunately uses
154: the same filename but has a different syntax. If you need to rename where
1.3 millert 155: this file is stored, re-run configure with the --with-ldap-conf-file=filename
156: option.
1.1 millert 157:
1.6 millert 158: See the "Configuring ldap.conf" section in the sudoers.ldap manual
159: for a list of supported ldap.conf parameters and an example ldap.conf
1.1 millert 160:
1.6 millert 161: Make sure you sudoers_base matches the location you specified when you
162: imported the sudoers ldif data.
163:
164: After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
165: to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
166: section in the sudoers.ldap manual for details. Note that sudo will use
167: /etc/nsswitch.conf even if the underlying operating system does not support it.
168: To disable nsswitch support, run configure with the --with-nsswitch=no option.
169: This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
170: ignore_sudoers_file flag is set in the global LDAP options.
1.1 millert 171:
172: Debugging your LDAP configuration
173: =================================
174: Enable debugging if you believe sudo is not parsing LDAP the way you think it
1.6 millert 175: should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
176: debugging. A value of 2 shows the results of the matches themselves. Make
177: sure to set the value back to zero so that other users don't get confused by
178: the debugging messages.