LDAP on HPUX-IPF (was RE: Where do I get the LDAPpatchesforsudo.)

Aaron Spangler as at insight.rr.com
Wed May 12 21:18:29 EDT 2004


Galen,

The sudoers2ldif script is to be used as a migration aid.  You don't want to
use it more than once to do the initial import.  After it has been imported
into LDAP (AD in your case), you probably want to use ADSIedit or 'gq' or
'ldapbrowser' to modify your existing entries after they are imported.  This
includes the 'defaults' entry.

The defaults entry (just like any other sudoers entry) can have multiple
sudoOptions attributes.

A sudoers LDAP entry is a collection of sudoOptions, sudoRunas, sudoCommand,
sudoHost LDAP attributes.  If you want to allow certain commands to be
without password, you will want to put them in a different entry (different
sudoRole object) from the commands that you want to require password.  You
can have as many sudoRole entries in your [Active] Directory as you want.
(I imagine thousands if you really wanted).  Same thing goes if you want
some command to have NOEXEC.

I hope all this makes sense.  If not, please let me know and maybe I can
give some examples.

NOPASSWD: means !authenticate option on either a specific entry or on the
defaults.
NOEXEC: means the noexec option on either a specific entry or on the
defaults.

- Aaron
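As an added example (not from this thread and not the sudoers2ldif script), the Python below splits one sudoers user specification carrying mixed NOPASSWD:/PASSWD: and NOEXEC: tags into separate sudoRole entries, one per option set, which is the layout Aaron describes. The base DN and the cn naming are assumptions; attribute names follow the sudo LDAP schema (sudoUser, sudoHost, sudoRunAs, sudoCommand, sudoOption).

```python
import re
from collections import OrderedDict

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"   # assumed base DN (constructed)

# sudoers(5) tag -> (sudoOption it maps to, opposite tag that clears it)
TAG_OPTIONS = {"NOPASSWD": ("!authenticate", "PASSWD"),
               "NOEXEC": ("noexec", "EXEC")}

def parse_user_spec(line):
    """Split 'user host = (runas) cmnd, ...' into (user, host, runas, [(options, cmnd)]).
    Tags are sticky as in sudoers(5): once set, a tag applies to the later
    commands in the list until the opposite tag (PASSWD:, EXEC:) appears."""
    m = re.match(r"^\s*(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$", line)
    if not m:
        raise ValueError("not a sudoers user specification: %r" % line)
    user, host, runas, cmnd_list = m.groups()
    active, parsed = set(), []
    for item in cmnd_list.split(","):
        words = item.split()
        while words and words[0].endswith(":"):       # consume leading tags
            tag = words.pop(0)[:-1]
            if tag in TAG_OPTIONS:
                active.add(TAG_OPTIONS[tag][0])
            for opt, clearing_tag in TAG_OPTIONS.values():
                if tag == clearing_tag:
                    active.discard(opt)
        if words:
            parsed.append((frozenset(active), " ".join(words)))
    return user, host, runas or "root", parsed

def to_ldif(line):
    """Return one sudoRole LDIF entry per distinct option set, so that
    NOPASSWD commands never share an entry with password-required ones."""
    user, host, runas, cmnds = parse_user_spec(line)
    groups = OrderedDict()
    for opts, cmnd in cmnds:
        groups.setdefault(opts, []).append(cmnd)
    entries = []
    for n, (opts, cmnd_list) in enumerate(groups.items()):
        cn = "%s_%d" % (user, n)                        # cn naming is assumed
        attrs = ["dn: cn=%s,%s" % (cn, SUDOERS_BASE), "objectClass: top",
                 "objectClass: sudoRole", "cn: " + cn, "sudoUser: " + user,
                 "sudoHost: " + host, "sudoRunAs: " + runas]
        attrs += ["sudoCommand: " + c for c in cmnd_list]
        attrs += ["sudoOption: " + o for o in sorted(opts)]  # !authenticate / noexec
        entries.append("\n".join(attrs))
    return entries
```

Feeding it a constructed line such as `galen ALL = NOPASSWD: /usr/bin/less, /bin/ls, PASSWD: NOEXEC: /usr/bin/vi` yields two entries: one with `sudoOption: !authenticate` for less and ls, and one with `sudoOption: noexec` (and password required) for vi.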

----- Original Message -----
From: "Galen Johnson" <Galen.Johnson at sas.com>
To: "Galen Johnson" <Galen.Johnson at sas.com>; "Aaron Spangler"
<as at insight.rr.com>
Cc: <sudo-users at sudo.ws>
Sent: Wednesday, May 12, 2004 9:32 AM
Subject: RE: LDAP on HPUX-IPF (was RE: Where do I get the
LDAPpatchesforsudo.)


> Another thing...looking at the script it appears that if it finds NOPASSWD
> anywhere in option that it sets the entire entry !authenticate.  Am I wrong
> in thinking that this should be considered incorrect behavior?  You should
> be able to set certain entries NOPASSWD and have some with PASSWD (according
> to the man page and I do currently use this functionality)...I'm also unclear
> on how it associates the NOEXEC entries.
>
> =G=
>
> -----Original Message-----
> From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On
> Behalf Of Galen Johnson
> Sent: Wednesday, May 12, 2004 9:18 AM
> To: Aaron Spangler
> Cc: sudo-users at sudo.ws
> Subject: RE: LDAP on HPUX-IPF (was RE: Where do I get the LDAP
> patchesforsudo.)
>
>
> Hmmm...well here's something I find unfortunate...when I went to add this
> to my ldif that was created by the sudoers2ldif script, I had nothing listed
> for the defaults which is not to say that was the case in the local sudoers
> file.  I'm gonna have a look at the script.
>
> =G=
>
> -----Original Message-----
> From: Aaron Spangler [mailto:as at insight.rr.com]
> Sent: Wednesday, May 12, 2004 8:38 AM
> To: Galen Johnson
> Cc: sudo-users at sudo.ws
> Subject: Re: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches
> forsudo.)
>
>
> Galen, There is an option called 'ignore_local_sudoers'.   If it is in your
> cn=defaults object, then sudo will not read /etc/sudoers even if there is
> not a match in LDAP.  If however the LDAP server is unavailable, then sudo
> will attempt to read /etc/sudoers (which you can place a few entries in for
> disaster recovery for example).  Kind of nice how the feature worked out.
>
>  -Aaron
>
> ----- Original Message -----
> From: "Galen Johnson" <Galen.Johnson at sas.com>
> To: "Aaron Spangler" <as at insight.rr.com>
> Cc: <sudo-users at sudo.ws>
> Sent: Tuesday, May 11, 2004 8:09 PM
> Subject: RE: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches
> forsudo.)
>
>
> Hey Aaron,
>
> I'll hopefully know better tomorrow if I'm going to be able to talk to our
> AD server ok (like pulling your own teeth).  One thing, though.  I noticed
> that on the todo you had indicated you were working on disabling local
> sudoers.  Any progress on that front?  It would make my security guys very
> happy (I am assuming that it looks at both for now).
>
> =G=
>
>
> -----Original Message-----
> From: sudo-users-bounces at sudo.ws on behalf of Aaron Spangler
> Sent: Wed 4/28/2004 3:06 PM
> To: Galen Johnson
> Cc: sudo-users at sudo.ws
> Subject: Re: LDAP on HPUX-IPF (was RE: Where do I get the LDAP patches
> forsudo.)
>
> Thanks for the build tip.  I gave you credit in 'README.LDAP'.
>
>  -Aaron
>
> Galen Johnson wrote:
>
> > Hey Aaron,
> >
> > I just did a make on HPUX 11.23 using gcc 3.  I had to do the following
> > (using the README.LDAP with minor mods).
> >
> > I had to configure with the following:
> >
> > CFLAGS="-D__10_10_compat_code" LDFLAGS="-L/opt/ldapux/lib"
> > ./configure --with-ldap --with-pam
> >
> > You'll notice that I didn't have to use the includes (since they weren't
> > under /opt/ldapux and no one knew where they might be)
> >
> > I then had to comment out the #define HAVE_LDAP_START_TLS_S in config.h
> > along with the other changes recommended in the readme.  It might be
> > useful to have a --with-ldap-tls config option to enable this
> > functionality rather than defaulting to enabled).
> >
> > Until our AD group can add the schema I won't know how successful I've
> > been but I was at least able to compile it (which is usually half the
> > battle).
> >
> > I'll keep you posted.  (it'd be nice to get some idea of when 1.6.8 is
> > planning to be released so I don't have to grab from CVS)
> >
> > =G=
> >
> > -----Original Message-----
> > From: Aaron Spangler [mailto:aaron at spangler.ods.org]
> > Sent: Saturday, April 24, 2004 7:35 PM
> > To: Galen Johnson
> > Cc: as at insight.rr.com; Aaron Spangler; Leadbeter Jim; sudo-users at sudo.ws
> > Subject: Re: Where do I get the LDAP patches for sudo.
> >
> > Any generic ldap client libraries should be fine communicating with
> > LDAP.  If you wanted to either do ldap_start_tls or LDAP over SSL (aka
> > TLS) then you would want to use different client libraries.  Also some
> > modifications would be needed to be done to Active Directory. (Such as
> > installing a certificate.)
> >
> >  - Aaron
> >
> > >
> > > It might also be worthwhile to note that the primary ldap server will
> > > be MS Active Directory but hopefully the calls should work ok.
> > >
> > > =G=
> > >
> > >
> > > -----Original Message-----
> > > From: Aaron Spangler [mailto:as at insight.rr.com]
> > > Sent: Fri 4/23/2004 3:14 PM
> > > To: Galen Johnson; Aaron Spangler; Leadbeter, Jim
> > > Cc: sudo-users at sudo.ws
> > > Subject: Re: Where do I get the LDAP patches for sudo.
> > >
> > > I've never done Itanium before.  (I've been an HP-UX junky since 6.5 &
> > > HP-UX 8.  I haven't used it much since 11.11 came out though).
> > >
> > > If I remember right, ldapux installs itself in /opt (but I could be
> > > wrong).
> > > That said, it should work if you include /opt/ldapux/include &
> > > /opt/ldapux/lib . (The paths might be different, I am just guessing at
> > > this point.)
> > >
> > > Please let me know if you run into any problems.
> > > I would be glad to help in any way I can.
> > >
> > >
> > >  -Aaron
> > >
> > >
> > > On Saturday 24 April 2004 01:52 am, Galen Johnson wrote:
> > >
> > > Do you know if this will compile on HPUX/IPF (Itanium) with the
> > > ldapux component of HP?  I'll find out Monday, but I was just hoping
> > > you might know of any gotchas.
> > >
> > >
> > >
> > >
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>