[sudo-users] Re: sudo and ldap
Aaron Spangler
as at insight.rr.com
Fri Aug 27 16:11:49 EDT 2004
Jimmy,
The sudoers2ldif script is far from perfect. (In fact it only works
perfectly in the simplest examples). I need to spend some time
rewriting it.
Here are some things that might be helpful when importing a fairly
complicated sudoers.
*) Ensure the schema is already imported. (I believe you have already
done this from previous emails)
*) Ensure the container (in this case ou=SUDOers,dc=aac,dc=va,dc=gov)
already exists and the account you are using to make the changes has
write privileges to the container.
*) The script doesn't do a good job of uniquely naming each entry.
Often it uses the same name on different roles. The import will then fail
unless you rename the remaining entries (roles) before you import,
because the second entry containing the same name will collide.
*) The script is stupid about RUNAS. Try removing the (ALL) stuff from
/etc/sudoers before you run the script. Then add the line 'sudoRunAs:
ALL' in each sudoers entry in the LDIF before the import.
*) Try not to import the whole LDIF file at once. Try breaking it up
into smaller pieces. There are several reasons for this. First,
smaller pieces (maybe even one entry per LDIF file) are much easier to
troubleshoot. Secondly, most LDIF importers will stop importing entries
on the first error. It may be difficult to determine exactly which
entry had the error if this file is too large. Thirdly, if you try to
re-run the LDIF file again, it will immediately error because the
entries at the beginning of the LDIF are already loaded.
*) Defaults lines with an additional userspec (such as
"Defaults:t31zjdc") confuse the script. Instead of letting the script
parse this line, just make modifications to the sudoOptions to the
relevant roles. Example:
Add "sudoOption: timestamp_timeout=30" to the SA's role.
Remember, you only have to import them once. Once you have loaded them,
you never have to use the script again; simply use any of the handy LDAP
GUIs available.
I hope this helps you to be successful in importing your sudoRoles!
- Aaron
Covington, Jimmy D. (NGIT) wrote:
>Here is the sudoers file I was working from:
>tut $ cat /etc/sudoers
># sudoers file.
>#
># This file MUST be edited with the 'visudo' command as root.
>#
># See the sudoers man page for the details on how to write a sudoers file.
>#
>
># Host alias specification
>Host_Alias TUT=tut
>Host_Alias VAMHVAPP1=vamhvapp1
>
># User alias specification
># User_Alias SAS=root,unixsec,t314djb,t314rw1,t31zjdc
>User_Alias SECURITY=t00ezmg
>User_Alias DBA=oracle,t31zllh,t319jwa,t31zpto,rcfztc99,rcfzas99,t31zjlp
>User_Alias BEA=rcfzas99,rcfztc99
>User_Alias PERF=t312jay,t312ajo
>User_Alias BACKUP=t310gjt,t310ldr
>Runas_Alias ORACLE=oracle
>
># Cmnd alias specification
>Cmnd_Alias SEC_CMD=/usr/xpg4/bin/grep *,/usr/bin/grep *,/usr/bin/truss *,/usr/bin/ls *,/usr/bin/cat *,/etc/powermt/display*,/usr/bin/pmap,/usr/bin/ptree,/usr/bin/pwdx,/usr/bin/pfiles,/usr/bin/pflags/,/usr/sbin/lockstat,/usr/bin/su unixsec,/usr/bin/su - unixsec
>Cmnd_Alias DBA_SU=/usr/bin/su - ora*, /usr/bin/su - apl*, /usr/bin/su ora*,/usr/bin/su apl*
>Cmnd_Alias DBA_CHOWN=/usr/bin/chown ora*, /usr/bin/chown apl*,/usr/bin/chown -R ora*,/usr/bin/chown -R apl*
>Cmnd_Alias DBA_LS=/usr/bin/ls *
>Cmnd_Alias DBA_DU=/usr/bin/du *
>Cmnd_Alias MHV_DBA_ST=/usr/local/scripts/mhv/*
>Cmnd_Alias DBA_GREP=/usr/bin/grep *
>Cmnd_Alias DBA_XGREP=/usr/xpg4/bin/grep *
>Cmnd_Alias DBA_CAT=/usr/bin/cat *
>Cmnd_Alias MHV_DBA_AGNTSTART=/usr/local/scripts/mhv/START_AGNT1
>Cmnd_Alias MHV_DBA_AGNTSTOP=/usr/local/scripts/mhv/STOP_AGNT1
>Cmnd_Alias PERF_PCMD=/etc/powermt display*,/usr/bin/pmap,/usr/bin/ptree,/usr/bin/pwdx,/usr/bin/pfiles,/usr/bin/pflags/,/usr/sbin/lockstat,/usr/bin/pldd,/bin/cat,/bin/ls
>Cmnd_Alias BEA_SU=/usr/bin/su - weblogic*
>Cmnd_Alias BACK_CMD=/usr/xpg4/bin/grep *,/usr/bin/grep *,/usr/bin/ls *,/usr/bin/cat *,/usr/bin/ls *,/usr/bin/du *,/usr/bin/cat *,/usr/openv/bin/*,/usr/openv/java/*
># Defaults specification
>
># User privilege specification
>#SAS ALL=(ALL) ALL
>SECURITY ALL=(ALL) SEC_CMD
>DBA VAMHVAPP1=(ALL)DBA_SU
>DBA VAMHVAPP1=(ALL)NOPASSWD:DBA_CHOWN
>DBA VAMHVAPP1=(ALL)NOPASSWD:DBA_LS,NOPASSWD:DBA_DU
>DBA VAMHVAPP1=(ORACLE)NOPASSWD:MHV_DBA_ST
>DBA VAMHVAPP1=(ALL)NOPASSWD:DBA_CAT
>DBA VAMHVAPP1=(ALL)NOPASSWD:DBA_GREP
>DBA VAMHVAPP1=(ALL)NOPASSWD:DBA_XGREP
>DBA VAMHVAPP1=(ALL)NOPASSWD:MHV_DBA_AGNTSTART
>DBA VAMHVAPP1=(ALL)NOPASSWD:MHV_DBA_AGNTSTOP
>PERF VAMHVAPP1=(ALL)PERF_PCMD
>BEA VAMHVAPP1=(ALL)BEA_SU
>BACKUP ALL=(ALL) BACKUP_CMD
>
>#Defaults
>Defaults:t31zjdc timestamp_timeout=30
>
># Allow people in group sysadmin to run all commands
>%sysadmin ALL=(ALL) ALL
>
># Same thing without a password
># %wheel ALL=(ALL) NOPASSWD: ALL
>
># Samples
># %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
># %users localhost=/sbin/shutdown -h now
>
>-----Original Message-----
>From: Aaron Spangler [mailto:as at insight.rr.com]
>Sent: Wednesday, August 18, 2004 5:22 PM
>To: Covington, Jimmy D. (NGIT)
>Cc: 'as at insight.rr.com'
>Subject: RE: sudo and ldap
>
>
>All you need is Equality on the attribute.
>
>
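The points Aaron lists (unique cn per entry, an explicit sudoRunAs: ALL where the sudoers line has no RUNAS part, NOPASSWD as a sudoOption, and per-user Defaults folded into the relevant roles) applied in a small sudoers-to-sudoRole converter. This is an added example, not the sudoers2ldif script from the sudo distribution; the container DN and the sample sudoers text are constructed, and the Defaults handling puts the option on every role the named user belongs to.

```python
import re
BASE = "ou=SUDOers,dc=example,dc=com"  # assumed container; Jimmy's is ou=SUDOers,dc=aac,dc=va,dc=gov
# Constructed sample with the shapes Aaron warns about: a role name used twice,
# a spec with no (RUNAS) part, NOPASSWD tags and a per-user Defaults line.
SAMPLE = """User_Alias DBA=oracle,t31zllh
Host_Alias VAMHVAPP1=vamhvapp1
Runas_Alias ORACLE=oracle
Cmnd_Alias DBA_SU=/usr/bin/su - ora*, /usr/bin/su - apl*
Cmnd_Alias DBA_LS=/usr/bin/ls *
Defaults:t31zllh timestamp_timeout=30
DBA VAMHVAPP1=(ALL)DBA_SU
DBA VAMHVAPP1=(ORACLE)NOPASSWD:DBA_LS
%sysadmin ALL=ALL
"""
ALIAS_RE = re.compile(r"^(User|Host|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
DEFAULTS_RE = re.compile(r"^Defaults:(\S+)\s+(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")
def expand(aliases, name):  # alias name -> its members; a plain name maps to itself
    return [v.strip() for v in aliases.get(name, name).split(",")]
def sudoers_to_roles(text):  # -> [(cn, ldif_text), ...], one sudoRole per user spec
    aliases = {k: {} for k in ("User", "Host", "Cmnd", "Runas")}
    defaults, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # blank/comment lines match no pattern
        if m := ALIAS_RE.match(line):
            aliases[m[1]][m[2]] = m[3]
        elif m := DEFAULTS_RE.match(line):  # must be tried before SPEC_RE
            defaults.setdefault(m[1], []).append(m[2])
        elif m := SPEC_RE.match(line):
            specs.append(m.groups())
    roles, seen = [], {}
    for users, hosts, runas, nopass, cmds in specs:
        seen[users] = seen.get(users, 0) + 1  # unique cn: DBA, DBA_2, ... so entries never collide
        cn = users.lstrip("%") + (f"_{seen[users]}" if seen[users] > 1 else "")
        attrs = [("objectClass", "top"), ("objectClass", "sudoRole"), ("cn", cn)]
        attrs += [("sudoUser", u) for u in expand(aliases["User"], users)]
        attrs += [("sudoHost", h) for h in expand(aliases["Host"], hosts)]
        attrs += [("sudoCommand", c) for c in expand(aliases["Cmnd"], cmds)]
        # no "(RUNAS)" in the sudoers line -> emit an explicit sudoRunAs: ALL, as Aaron advises
        attrs += [("sudoRunAs", r) for r in expand(aliases["Runas"], runas or "ALL")]
        if nopass:
            attrs.append(("sudoOption", "!authenticate"))  # LDAP form of the NOPASSWD tag
        # "Defaults:user opt" -> sudoOption on every role the user belongs to; note that in
        # LDAP the option then applies to all members of that role, not just that user
        for user, opts in defaults.items():
            if user in expand(aliases["User"], users):
                attrs += [("sudoOption", o) for o in opts]
        roles.append((cn, f"dn: cn={cn},{BASE}\n" + "".join(f"{k}: {v}\n" for k, v in attrs)))
    return roles
```

Writing each (cn, ldif) pair to its own file gives the one-entry-per-LDIF import Aaron recommends, so a failed ldapadd points at exactly one role and a re-run never trips over entries that are already loaded.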