sudo with ldap support
as at insight.rr.com
Mon Jun 23 07:24:15 EDT 2003
My client is supposed to release the patch this week. It is a nice
implementation of sudoers inside LDAP. It scales well and gives much more
granularity of the sudo options on a per sudoRole basis. (sudoRole is defined
as a combination of a set of users on a set of hosts running a set of commands
as a set of runas users. You can have as many sudoRoles as you want, even
thousands, and it should scale well. The LDAP server never needs to have all
of its entries dumped - only a small subset searched based upon the groups &
netgroups a user belongs to.)
I am hoping the patch will eventually become mainstreamed into sudo since it
co-exists in the code nicely. It even allows for globally ignoring the
/etc/sudoers file on all machines based upon a global sudo option in ldap.
Also since sudo has PAM support, sudo can use LDAP authentication via
PAM_LDAP. (I have tested this and this is what we use)
Ulrich Weber wrote:
> Hi Aaron,
> any news from your client to release your ldap patch for sudo ?
> Aaron Spangler wrote:
> > Actually I wrote a schema and created a patch for sudo to work with
> > LDAP. We are using it at my client and it works great on 400+ machines.
> > I'm trying to get my client to release it back to sudo under the BSD
> > license.
> > -Aaron
> > Ulrich Weber wrote:
> >>Hi Aaron,
> >>you wrote about a LDAP schema for sudo at the sudo mailing list.
> >>Is there an existing ldap implementation or any plans to develop one
> >>for sudo ?
> >>If not, do you know something similar like sudo with ldap support?
> >>Best regards
> >> Ulrich
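
The sudoRole lookup described in the message above, sketched as an added example (not code from the patch or from sudo): the search filter is built only from the user's own name, groups and netgroups, so the directory returns a small subset of roles, and each name is escaped so it cannot alter the filter. The attribute names `sudoUser`, `sudoHost`, `sudoCommand` and `sudoRunAs`, the `%group` / `+netgroup` prefixes, the root default for runas and the sample entries are assumptions; only `sudoRole` is named in the post.

```python
# Added illustration. Attribute names and the %group / +netgroup prefixes are
# assumptions; the post itself only names "sudoRole". ROLES is constructed data.

def escape_filter(value):
    """Escape RFC 4515 special characters so a name cannot rewrite the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def principal_names(user, groups, netgroups):
    """Every sudoUser value that could refer to this user."""
    return [user] + ['%' + g for g in groups] + ['+' + n for n in netgroups] + ['ALL']

def build_filter(user, groups, netgroups):
    """LDAP filter selecting only the sudoRoles relevant to one user."""
    terms = ''.join('(sudoUser=%s)' % escape_filter(n)
                    for n in principal_names(user, groups, netgroups))
    return '(&(objectClass=sudoRole)(|%s))' % terms

def role_allows(role, names, host, command, runas='root'):
    """A role matches when users, hosts, commands and runas users all match."""
    def has(attr, wanted):
        vals = role.get(attr, [])
        return 'ALL' in vals or any(w in vals for w in wanted)
    if 'sudoRunAs' in role:
        runas_ok = has('sudoRunAs', [runas])
    else:
        runas_ok = (runas == 'root')  # assumed default when the role names no runas user
    return (has('sudoUser', names) and has('sudoHost', [host])
            and has('sudoCommand', [command]) and runas_ok)

# Constructed sample entries, shaped like the result of an LDAP search.
ROLES = [
    {'cn': ['web-restart'], 'sudoUser': ['%webadmins'], 'sudoHost': ['web01'],
     'sudoCommand': ['/usr/sbin/apachectl'], 'sudoRunAs': ['root']},
    {'cn': ['db-backup'], 'sudoUser': ['+dbops'], 'sudoHost': ['ALL'],
     'sudoCommand': ['/usr/local/bin/backup'], 'sudoRunAs': ['postgres']},
]

def check(user, groups, netgroups, host, command, runas='root'):
    """Return the names of the sample roles that permit this request."""
    names = principal_names(user, groups, netgroups)
    return [r['cn'][0] for r in ROLES
            if role_allows(r, names, host, command, runas)]

if __name__ == '__main__':
    print(build_filter('alice', ['webadmins'], []))
    print(check('alice', ['webadmins'], [], 'web01', '/usr/sbin/apachectl'))
```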