[sudo-users] Ldap Groups

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Thu Apr 28 05:25:39 EDT 2005


Yes, indeed.

Dave created an entry for a group in LDAP, under which he added subentries for users.
However, users should not be added as a subentry to the group. You should do something like the following:
- select the group you want to add a user to.
- add a new attribute to this group, i.e. the attribute "memberUid"
- you now have to enter a value for this attribute. Enter the name of the username. The common name "johndoe" is sufficient. There is no need to enter the distinguished name (dn=johndoe,ou=... Etcetera).
- you can add multiple users to a group by adding the memberUid-attribute multiple times.
- This way, you can authorize a group for the sudo, instead of individual users.

Managing SUDO-authorizations from within LDAP does not require that users exist in LDAP. This applies both to the user under which the sudo runs (the value of the sudoRunas-attribute) and to the userids that use SUDO. It is perfectly possible for a local user to use SUDO-authorizations that are managed via LDAP.

With kind regards,


Huibert Kivits


-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Aaron Spangler
Sent: Wednesday, April 27, 2005 18:10
To: David Blackburn
CC: sudo-users at sudo.ws
Subject: Re: [sudo-users] Ldap Groups


The sudoUser attribute has syntax similar to the RFC2307 attributes.  It does not use the full LDAP Distinguished Name.

Use the short username in the sudoUser attribute:

sudoUser: unixuser1
-or-
sudoUser: %unixgroup1
-or-
sudoUser: +netgroup1

The unixuser1, unixgroup1, or netgroup1 should be available from the server's perspective and do not necessarily need to exist in LDAP.  If they do exist in LDAP, then they should follow RFC2307 syntax.


On 4/25/05, David Blackburn <hxor666 at gmail.com> wrote:
> Hi
> 
> I have Ldap sudo auth working, but I need to setup the sudoUser's into 
> groups, I have used the Posix users schema and point sudoUser to the 
> below.
> 
> sudoUser points to 
> cn=memberUid,ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net
> 
> Where memberUid is the id of the users I want to use.  If I remove the 
> above and  put my user ID in this works.
> 
> Please note I am quite new with ldap and may be missing something quite 
> basic.
> 
> Thanks
> Dave
> 
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit: 
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
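An added illustration of the matching rules described in both replies above (short username, %group resolved through memberUid, +netgroup), not code from the sudo project or from the posters; the directory entries, netgroup table and role names are constructed for the example.

```python
"""Constructed model of how sudoers-ldap style sudoUser values match a user.

Covers the three forms quoted in the thread (user, %group, +netgroup) and
posixGroup membership expressed with repeated memberUid attributes.
Entries are hypothetical in-memory dicts, not read from a real directory.
"""

# Constructed posixGroup entries, shaped as the thread recommends: members
# are memberUid values on the group, not child entries under the group.
GROUPS = {
    "unixgroup1": {"memberUid": ["johndoe", "alice"]},
    "wheel": {"memberUid": ["root"]},
}

# Constructed sudoRole entries. "bob" is a local account that does not
# exist in LDAP; the thread notes sudo does not require that it does.
SUDO_ROLES = [
    {"cn": "admins", "sudoUser": ["%unixgroup1"], "sudoCommand": ["ALL"], "sudoRunAs": ["root"]},
    {"cn": "backup", "sudoUser": ["bob"], "sudoCommand": ["/usr/bin/rsync"], "sudoRunAs": ["backup"]},
    {"cn": "ops", "sudoUser": ["+netgroup1"], "sudoCommand": ["/sbin/reboot"], "sudoRunAs": ["root"]},
]

# Hypothetical netgroup table standing in for NIS / nisNetgroup lookups.
NETGROUPS = {"netgroup1": {"carol"}}


def user_matches(sudo_user: str, user: str) -> bool:
    """Return True if one sudoUser value grants `user` (RFC2307 short-name semantics)."""
    if sudo_user == "ALL":
        return True
    if sudo_user.startswith("%"):          # Unix group: consult memberUid values
        return user in GROUPS.get(sudo_user[1:], {}).get("memberUid", [])
    if sudo_user.startswith("+"):          # netgroup: consult the netgroup table
        return user in NETGROUPS.get(sudo_user[1:], set())
    return sudo_user == user               # plain short username, never a DN


def roles_for(user: str) -> list:
    """Names of sudoRole entries whose sudoUser attribute matches `user`."""
    return [
        role["cn"] for role in SUDO_ROLES
        if any(user_matches(v, user) for v in role["sudoUser"])
    ]


def dn_style_value_fails(user: str) -> bool:
    """Show why a full DN in sudoUser (the original poster's setup) never matches:
    the value is compared as a literal short name, not resolved as a DN."""
    dn_value = f"cn={user},ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net"
    return not user_matches(dn_value, user)
```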






