How to configure openldap users sudo access CentOS 7

Post by drevns » 2020/03/23 18:07:47

I have an OpenLDAP server. How can I give an LDAP user sudo access?
Last edited by drevns on 2020/03/28 16:47:23, edited 1 time in total.


Re: How to configure openldap users sudo access CentOS 7

Post by drevns » 2020/03/28 16:46:31

Eventually, with some trial and error, I got it up and running. Below is what I did in my test environment.
Reference: https://www.sudo.ws/readme_ldap.html

SUDO LDAP
-------------

vi /testfolder/sudo_ou.ldif
#----------------------
dn: ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: Laboratory SUDOers Container

ldapadd -f /testfolder/sudo_ou.ldif -H ldap://ldapserver.lab.company.com -D cn=Manager,dc=lab,dc=company,dc=com -W -x

SUDOERS_BASE=ou=SUDOers,dc=lab,dc=company,dc=com
export SUDOERS_BASE
cvtsudoers -f ldif -o /tmp/sudoers.ldif /etc/sudoers

vi /testfolder/sudoers.ldif
#------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b181185c
dn: cn=sudoers,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudoers
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

ldapadd -Y EXTERNAL -H ldapi:/// -f /testfolder/sudoers.ldif

cat /tmp/sudoers.ldif
#---------------------
dn: cn=defaults,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=root,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 1

dn: cn=%wheel,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

ldapadd -f /tmp/sudoers.ldif -H ldap://ldapserver.lab.company.com -D cn=Manager,dc=lab,dc=company,dc=com -W -x

vi /testfolder/cmdrole.ldif
#sudo role
#---------
dn: cn=cmdrole,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: cmdrole
sudoUser: ldapuser1
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

ldapadd -f /testfolder/cmdrole.ldif -H ldap://ldapserver.lab.company.com -D cn=Manager,dc=lab,dc=company,dc=com -W -x

If you need to add another user to the role above:

vi /testfolder/add-to-cmdrole-role.ldif
#----------------------------------
dn: cn=cmdrole,ou=SUDOers,dc=lab,dc=company,dc=com
changetype: modify
add: sudoUser
sudoUser: ldapuser2

ldapmodify -f /testfolder/add-to-cmdrole-role.ldif -H ldap://ldapserver.lab.company.com -D cn=Manager,dc=lab,dc=company,dc=com -W -x


On the client
-------------
vi /etc/sudo-ldap.conf
----------------------
add the entries:
uri ldap://ldapserver.lab.company.com
sudoers_base ou=SUDOers,dc=lab,dc=company,dc=com

vi /etc/nsswitch.conf
---------------------
add the entry:
sudoers: files ldap

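Before running the ldapadd step on a generated or hand-written sudoers LDIF, it is worth checking what the sudoRole entries actually grant. The script below is an added example for this thread, not code from the post above or from the sudo project. It parses LDIF (including folded continuation lines, which ldapsearch and cvtsudoers emit with a leading space), lists which roles apply to a given user, and flags roles that deserve a second look: ALL hosts combined with ALL commands, an entry with no sudoUser, a missing sudoOrder, or a sudoOrder value shared by several roles. The sample LDIF embedded in it is constructed for the example; the role name backupops, the group %backup and the host backup01.lab.company.com are invented, and only the sudoUser forms used in the thread (user names, %group, ALL) are modelled.

```python
"""Offline audit of sudoRole entries in an LDIF file before it is loaded with ldapadd."""
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread): the defaults entry plus two roles in
# the shape cvtsudoers produces. One sudoCommand value is folded across two lines
# (the continuation line starts with a single space) to exercise LDIF unfolding.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=cmdrole,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: cmdrole
sudoUser: ldapuser1
sudoUser: ldapuser2
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

dn: cn=backupops,ou=SUDOers,dc=lab,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: backupops
sudoUser: %backup
sudoHost: backup01.lab.company.com
sudoRunAsUser: root
sudoCommand: /usr/bin/rsync
sudoCommand: /usr/bin/systemctl rest
 art rsyncd
sudoOrder: 3
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}).

    Handles line folding (a leading space continues the previous line), comments,
    blank-line entry separators and base64 values written as "attr:: ...".
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # drop the single folding space, keep the rest
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current is not None:            # silently skips e.g. a leading "version: 1"
            current[1][attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def sudo_roles(entries):
    """Collect sudoRole entries (except cn=defaults) as {cn: fields}."""
    roles = {}
    for _dn, a in entries:
        cn = a.get("cn", [""])[0]
        if "sudoRole" not in a.get("objectClass", []) or cn == "defaults":
            continue
        roles[cn] = {
            "users": a.get("sudoUser", []), "hosts": a.get("sudoHost", []),
            "runas": a.get("sudoRunAsUser", []), "commands": a.get("sudoCommand", []),
            "order": int(a["sudoOrder"][0]) if a.get("sudoOrder") else None,
        }
    return roles


def audit(entries):
    """Return {cn: [findings]} for roles worth reviewing before they are loaded."""
    roles, findings, by_order = sudo_roles(entries), defaultdict(list), defaultdict(list)
    for cn, r in roles.items():
        if "ALL" in r["hosts"] and "ALL" in r["commands"]:
            findings[cn].append("unrestricted: ALL hosts and ALL commands")
        if not r["users"]:
            findings[cn].append("no sudoUser: matches nobody")
        if r["order"] is None:
            findings[cn].append("no sudoOrder: sudo assumes 0")
        else:
            by_order[r["order"]].append(cn)
    for order, cns in by_order.items():      # several roles at the same position
        if len(cns) > 1:
            for cn in cns:
                others = ", ".join(c for c in cns if c != cn)
                findings[cn].append(f"sudoOrder {order} shared with {others}")
    return dict(findings)


def matching_roles(entries, user, groups=()):
    """Roles whose sudoUser names the user, one of its groups (%group) or ALL, sorted by sudoOrder.
    Netgroups (+name) and numeric ids (#uid) are not modelled here."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    roles = sudo_roles(entries)
    hits = [cn for cn, r in roles.items() if wanted & set(r["users"])]
    return sorted(hits, key=lambda cn: roles[cn]["order"] or 0)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for cn, notes in audit(parse_ldif(text)).items():
        print(f"{cn}: " + "; ".join(notes))
```

Run it as `python3 audit_sudoers.py /tmp/sudoers.ldif` (file name assumed) after the cvtsudoers step, or against the output of an ldapsearch of the SUDOers container on the server, and fix anything flagged before or instead of the ldapadd. The duplicate-sudoOrder check matters because cvtsudoers numbers entries consecutively; a hand-added role that reuses a number, as cmdrole and backupops do in the sample, leaves the processing order between them undefined.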