LDAP for an internet project. Part 5
Hello! Today I am completing the series of articles on implementing OpenLDAP (one, two, three, four), and will talk about storing sudoers in LDAP.
Support for LDAP is built into sudo itself, so PAM modules will not help us here. In Debian, you need to install the sudo-ldap package:
apt-get install sudo-ldap
Among other things, the package installs a file with the LDAP schema we need:
/usr/share/doc/sudo-ldap/schema.OpenLDAP
which you need to copy to both LDAP servers (as /etc/ldap/schema/sudo.schema) and include in /etc/ldap/slapd.conf alongside the other schema includes:
include /etc/ldap/schema/sudo.schema
After that, objects of the sudoRole class with the attributes sudoCommand, sudoHost, sudoRunAs, sudoUser and sudoOption become available. (Newer sudo releases add sudoRunAsUser and sudoRunAsGroup and keep sudoRunAs only as a deprecated alias; the schema shipped here still uses sudoRunAs.)
sudo searches for sudoRole objects using the settings in the /etc/ldap/ldap.conf file (sudoers_base and sudoers_debug are sudo's own directives, described in sudoers.ldap(5)):
uri ldap://ldap.habr.ru
sudoers_base ou=servers,dc=habr,dc=ru
sudoers_debug 0
If you set sudoers_debug to 2, then after running a sudo command a listing of the objects sudo found in LDAP and the matches it made is printed to standard error. Set it back to 0 once things work.
But so far we don't have a single object, so let's create some.
I have already created a container ou=servers,dc=habr,dc=ru, in which I keep a container per server holding groupOfUniqueNames objects; these contain references to the users who have access to that server, for example,
cn=shell-users,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
To store data for sudo, I made the container ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru, in which I keep objects of the sudoRole class. sudo searches the whole subtree under sudoers_base, so entries in per-server containers like this one are found too; which host an entry applies to is decided by its sudoHost attribute, not by where it sits in the tree. For example, this one, which lets members of the www-data group run any command as the www-data user on dev.habr.ru:
dn: cn=%www-data,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: %www-data
sudoCommand: ALL
sudoHost: dev.habr.ru
sudoRunAs: www-data
sudoUser: %www-data
Or this one, which gives the listed developers unrestricted sudo (any command, as any user) on dev.habr.ru:
dn: cn=developers,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: developers
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: dev.habr.ru
sudoUser: dev0
sudoUser: dev1
sudoUser: dev2
For admins, I have a separate groupOfUniqueNames container cn=admins,ou=global,ou=servers,dc=habr,dc=ru
And a separate sudoRole for them, with sudoHost: ALL, so it applies on every server that uses this sudoers_base:
dn: cn=admins,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: admins
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: ALL
sudoUser: admin0
sudoUser: admin1
sudoUser: admin2
There is also an object with default settings. sudo reads cn=defaults first and applies its sudoOption values globally: ignore_local_sudoers tells sudo to skip /etc/sudoers once the LDAP entries have been processed, so a stray local rule cannot widen what the directory grants, and env_reset runs commands with a sanitized environment. Keep in mind that ignore_local_sudoers only has effect when this entry was actually read; if the LDAP server is unreachable, sudo ends up consulting the local file, so keep /etc/sudoers minimal.
dn: cn=defaults,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: env_reset
Now you can try to execute sudo! I will be happy to answer your questions in the comments or by PM.
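As an added example that is not part of the original article, the following Python script parses the sudoRole entries shown above (embedded inline as constructed sample data) and reproduces the client-side matching that sudo's LDAP backend does: cn=defaults is read first for global sudoOption values, then an entry is kept when its sudoUser matches the user name, one of the user's groups (%group) or ALL, and its sudoHost is ALL or the local hostname. It also builds the sudoUser disjunction filter that sudo sends, which you can paste into ldapsearch -b <sudoers_base> to check what the directory returns without turning on sudoers_debug. Netgroups, negation with "!" and sudoCommand matching are deliberately left out, and the function and variable names are my own.

```python
"""Added example, not from the original article: simulate how sudo's LDAP
backend selects sudoRole entries, using the article's LDIF as sample data."""

# Constructed sample: the four entries from the article, embedded inline.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: env_reset

dn: cn=admins,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: admins
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: ALL
sudoUser: admin0
sudoUser: admin1

dn: cn=%www-data,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: %www-data
sudoCommand: ALL
sudoHost: dev.habr.ru
sudoRunAs: www-data
sudoUser: %www-data

dn: cn=developers,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: developers
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: dev.habr.ru
sudoUser: dev0
sudoUser: dev1
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank lines separate entries, each entry becomes
    a dict of attribute -> list of values (multi-valued attrs preserved)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sudo_user_filter(user, groups):
    """The sudoUser disjunction sudo's LDAP backend sends (sudoers.ldap(5)):
    the user name, each group prefixed with %, and ALL. Netgroups omitted."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def _user_matches(patterns, user, groups):
    # sudoUser: exact user name, %group for a group, or ALL
    for p in patterns:
        if p == "ALL" or p == user:
            return True
        if p.startswith("%") and p[1:] in groups:
            return True
    return False


def _host_matches(patterns, host):
    # sudoHost: ALL or the exact hostname (IPs/netgroups/negation not handled)
    return any(p == "ALL" or p == host for p in patterns)


def evaluate(entries, user, groups, host):
    """Return (global options, matching roles). cn=defaults contributes
    sudoOption values; other sudoRole entries are kept when both sudoUser and
    sudoHost match. sudoCommand/sudoRunAs are reported, not matched."""
    options, roles = [], []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if e.get("cn") == ["defaults"]:
            options.extend(e.get("sudoOption", []))
            continue
        if not _user_matches(e.get("sudoUser", []), user, groups):
            continue
        if not _host_matches(e.get("sudoHost", []), host):
            continue
        roles.append({"cn": e["cn"][0],
                      "commands": e.get("sudoCommand", []),
                      "runas": e.get("sudoRunAs", [])})
    return options, roles


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("filter:", sudo_user_filter("dev0", ["dev0", "www-data"]))
    for who, grps, host in [("dev0", ["dev0"], "dev.habr.ru"),
                            ("dev0", ["dev0"], "www.habr.ru"),
                            ("admin1", ["admin1"], "www.habr.ru")]:
        opts, roles = evaluate(entries, who, grps, host)
        print(who, "@", host, "->", [r["cn"] for r in roles], opts)
```

Running it shows the point of sudoHost: dev0 gets the developers role on dev.habr.ru and nothing on www.habr.ru, while admin1 matches the admins role everywhere because of sudoHost: ALL. The options list comes back the same for every user, which is what makes cn=defaults the right place for ignore_local_sudoers and env_reset.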