[sudo-users] Re: sudo and ldap

Aaron Spangler as at insight.rr.com
Fri Aug 27 16:11:49 EDT 2004


Jimmy,

The sudoers2ldif script is far from perfect.  (In fact it only works 
perfectly in the simplest examples).   I need to spend some time 
rewriting it.

Here are some things that might be helpful when importing a fairly 
complicated sudoers.

*) Ensure the schema is already imported.  (I believe you have already 
done this from previous emails)

*) Ensure the container (in this case ou=SUDOers,dc=aac,dc=va,dc=gov) 
already exists and the account you are using to make the changes has 
write privileges to the container.

*) The script doesn't do a good job of uniquely naming each entry.  
Often it uses the same name on different roles.  The import will then fail 
unless you rename the remaining entries (roles) before you import, 
because the second entry containing the same name will collide.

*) The script is stupid about RUNAS.   Try removing the (ALL) stuff from 
/etc/sudoers before you run the script.  Then add the line 'sudoRunAs: 
ALL' to each sudoers entry in the LDIF before the import.

*) Try not to import the whole LDIF file in at once.  Try breaking it up 
into smaller pieces.  There are several reasons for this.  First, 
smaller pieces (maybe even one entry per LDIF file) are much easier to 
troubleshoot.  Secondly, most LDIF importers will stop importing entries 
on the first error.  It may be difficult to determine exactly which 
entry had the error if this file is too large.  Thirdly, if you try to 
re-run the LDIF file again, it will immediately error because the 
entries at the beginning of the LDIF are already loaded.

*) Defaults lines with an additional userspec (such as 
"Defaults:t31zjdc") confuse the script.  Instead of letting the script 
parse this line, just make the modifications to the sudoOptions of the 
relevant roles.  Example:
Add "sudoOption: timestamp_timeout=30" to the SA's role.

Remember, you only have to import them once.  Once you have loaded them, 
you never have to use the script again; simply use any of the handy LDAP 
GUIs available.

I hope this helps you to be successful in importing your sudoRoles!

 - Aaron


Covington, Jimmy D. (NGIT) wrote:

>Here is the sudoers file I was working from:
>tut $ cat /etc/sudoers
># sudoers file.
>#
># This file MUST be edited with the 'visudo' command as root.
>#
># See the sudoers man page for the details on how to write a sudoers file.
>#
>
># Host alias specification
>Host_Alias TUT=tut
>Host_Alias VAMHVAPP1=vamhvapp1
>
># User alias specification
># User_Alias SAS=root,unixsec,t314djb,t314rw1,t31zjdc
>User_Alias SECURITY=t00ezmg
>User_Alias DBA=oracle,t31zllh,t319jwa,t31zpto,rcfztc99,rcfzas99,t31zjlp
>User_Alias BEA=rcfzas99,rcfztc99
>User_Alias PERF=t312jay,t312ajo
>User_Alias BACKUP=t310gjt,t310ldr
>Runas_Alias ORACLE=oracle
>
># Cmnd alias specification
>Cmnd_Alias SEC_CMD=/usr/xpg4/bin/grep *,/usr/bin/grep *,/usr/bin/truss *, \
>    /usr/bin/ls *,/usr/bin/cat *,/etc/powermt/display*,/usr/bin/pmap, \
>    /usr/bin/ptree,/usr/bin/pwdx,/usr/bin/pfiles,/usr/bin/pflags/, \
>    /usr/sbin/lockstat,/usr/bin/su unixsec,/usr/bin/su - unixsec
>Cmnd_Alias DBA_SU=/usr/bin/su - ora*, /usr/bin/su - apl*, \
>    /usr/bin/su ora*,/usr/bin/su apl*
>Cmnd_Alias DBA_CHOWN=/usr/bin/chown ora*, /usr/bin/chown apl*, \
>    /usr/bin/chown -R ora*,/usr/bin/chown -R apl*
>Cmnd_Alias DBA_LS=/usr/bin/ls *
>Cmnd_Alias DBA_DU=/usr/bin/du *
>Cmnd_Alias MHV_DBA_ST=/usr/local/scripts/mhv/*
>Cmnd_Alias DBA_GREP=/usr/bin/grep *
>Cmnd_Alias DBA_XGREP=/usr/xpg4/bin/grep *
>Cmnd_Alias DBA_CAT=/usr/bin/cat *
>Cmnd_Alias MHV_DBA_AGNTSTART=/usr/local/scripts/mhv/START_AGNT1
>Cmnd_Alias MHV_DBA_AGNTSTOP=/usr/local/scripts/mhv/STOP_AGNT1
>Cmnd_Alias PERF_PCMD=/etc/powermt display*,/usr/bin/pmap,/usr/bin/ptree, \
>    /usr/bin/pwdx,/usr/bin/pfiles,/usr/bin/pflags/,/usr/sbin/lockstat, \
>    /usr/bin/pldd,/bin/cat,/bin/ls
>Cmnd_Alias BEA_SU=/usr/bin/su - weblogic*
>Cmnd_Alias BACKUP_CMD=/usr/xpg4/bin/grep *,/usr/bin/grep *,/usr/bin/ls *, \
>    /usr/bin/cat *,/usr/bin/ls *,/usr/bin/du *,/usr/bin/cat *, \
>    /usr/openv/bin/*,/usr/openv/java/*
># Defaults specification
>
># User privilege specification
>#SAS     ALL=(ALL) ALL
>SECURITY ALL=(ALL) SEC_CMD
>DBA     VAMHVAPP1=(ALL)DBA_SU
>DBA     VAMHVAPP1=(ALL)NOPASSWD:DBA_CHOWN
>DBA     VAMHVAPP1=(ALL)NOPASSWD:DBA_LS,NOPASSWD:DBA_DU
>DBA     VAMHVAPP1=(ORACLE)NOPASSWD:MHV_DBA_ST
>DBA     VAMHVAPP1=(ALL)NOPASSWD:DBA_CAT
>DBA     VAMHVAPP1=(ALL)NOPASSWD:DBA_GREP
>DBA     VAMHVAPP1=(ALL)NOPASSWD:DBA_XGREP
>DBA     VAMHVAPP1=(ALL)NOPASSWD:MHV_DBA_AGNTSTART
>DBA     VAMHVAPP1=(ALL)NOPASSWD:MHV_DBA_AGNTSTOP
>PERF    VAMHVAPP1=(ALL)PERF_PCMD
>BEA     VAMHVAPP1=(ALL)BEA_SU
>BACKUP  ALL=(ALL) BACKUP_CMD
>
>#Defaults
>Defaults:t31zjdc timestamp_timeout=30
>
># Allow people in group sysadmin to run all commands
>%sysadmin        ALL=(ALL)       ALL
>
># Same thing without a password
># %wheel        ALL=(ALL)       NOPASSWD: ALL
>
># Samples
># %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
># %users  localhost=/sbin/shutdown -h now
>
>-----Original Message-----
>From: Aaron Spangler [mailto:as at insight.rr.com]
>Sent: Wednesday, August 18, 2004 5:22 PM
>To: Covington, Jimmy D. (NGIT)
>Cc: 'as at insight.rr.com'
>Subject: RE: sudo and ldap
>
>
>All you need is Equality on the attribute.
>  
>
