[sudo-users] Ldap Groups - Resolution

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Wed May 4 08:40:07 EDT 2005


Hi David,

Good to hear you managed to get it working. I had just written an addition; maybe it will be of some help.
BTW: what UNIX platform is involved? At our company, we use both AIX and Solaris, which are very different as far as the LDAP client is concerned. We do not use NIS for user authentication, but LDAP.

Here is the text I just finished:

I do not know exactly how sudo makes the client system resolve users and groups.
I do suspect, however, that the system just performs a syscall, similar to when a user logs in.
So far, we have only deployed sudo on AIX. On an AIX system that already is an LDAP client (meaning that information on users is stored in LDAP instead of local files), sudo requires nothing extra for user identification and determining group membership. If the user authenticates against LDAP, the system will look in LDAP. If the user authenticates against local files (/etc/passwd etc.), the system will look in these local files.
To be more precise: it is determined in /etc/security/user whether the system should look in LDAP or in local files. On our system, the stanza default in /etc/security/user is set to "LDAP" and for all local users, stanzas are set to "files":
 default:
	SYSTEM = "LDAP"
	registry = LDAP

 local_users:
	SYSTEM = "files"
	registry = files

I believe ldap.client.rte must be installed to make the AIX sudo client perform searches in the LDAP directory server.

We have not deployed sudo on Solaris systems yet, as RBAC is a more powerful alternative for Solaris. Yet, we plan to deploy sudo on Solaris as well. We haven't tested this combination yet, but as far as /etc/nsswitch.conf is concerned, this file should look a bit like this:
passwd: 	files ldap
group:  	files ldap
sudoers:	files ldap

In the case of both AIX and Solaris, it should not really matter whether a user is defined in LDAP or locally. The client system will just perform a lookup of the user. If the user can log on to the system, then this should not be a worry.

Suppose you have a user cn=johndoe,ou=People,o=acme.
The user is a member of cn=group1,ou=Groups,o=acme (by having added the memberUid attribute).
Then you can authorize this user for a sudo in two ways:
sudoUser: johndoe		# or:
sudoUser: %group1

With the "id" or "lsuser" command (or whatever command is available to list users), you can verify whether the system can find the user information (including group authorization). Obviously, if you only use LDAP for storing sudo information, user johndoe must exist locally, and must be a member of a local group1.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
ITC/SMA/Sec/MSO UNIX
Locatiecode NA 00.92
T (020) 563 72 77, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl
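
The matching described in this thread, as an added example that is not part of the original mails and not sudo's own code: once the client has resolved the user and groups through NSS (files or ldap, per /etc/nsswitch.conf), a sudoUser value of johndoe, %group1, +netgroup1 or ALL is matched against the login name. The passwd, group and netgroup data are constructed for the example.

```python
# Added example, not code from the sudo project: a model of how a sudoRole's
# sudoUser values (user, %group, +netgroup, ALL) are matched against a login
# name after the client has resolved the user and groups through NSS.
# All passwd/group/netgroup data below is constructed for the example.

PASSWD = """\
johndoe:x:1001:100:John Doe:/home/johndoe:/bin/sh
blackburnd:x:1002:100:Dave Blackburn:/home/blackburnd:/bin/sh
"""
GROUP = """\
users:x:100:
group1:x:2001:johndoe
"""
# netgroup name -> members, as a netgroup lookup would yield them
NETGROUPS = {"admins": {"blackburnd"}}

def nss_table(text):
    """Parse passwd- or group-format lines into {name: [remaining fields]}."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: r[1:] for r in rows}

def user_groups(user, passwd, groups):
    """Groups the user belongs to: primary gid plus memberUid-style member lists."""
    if user not in passwd:
        return set()  # an unresolvable user has no group membership at all
    gid = passwd[user][2]
    return {g for g, f in groups.items() if f[1] == gid or user in f[2].split(",")}

def sudo_user_matches(value, user, passwd, groups, netgroups):
    """Evaluate one sudoUser value; users NSS cannot resolve never match."""
    if user not in passwd:
        return False
    if value == "ALL":
        return True
    if value.startswith("%"):
        return value[1:] in user_groups(user, passwd, groups)
    if value.startswith("+"):
        return user in netgroups.get(value[1:], set())
    return value == user

def matching_roles(user, roles):
    """Names of sudoRole entries (role -> list of sudoUser values) that apply to user."""
    passwd, groups = nss_table(PASSWD), nss_table(GROUP)
    return sorted(name for name, values in roles.items()
                  if any(sudo_user_matches(v, user, passwd, groups, NETGROUPS)
                         for v in values))
```

A user_matches=0 result like the one in Dave's log corresponds here to matching_roles returning an empty list: the user is either not resolvable at all or not in any group or netgroup the roles name.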


-----Original Message-----
From: David Blackburn [mailto:hxor666 at gmail.com] 
Sent: Wednesday 4 May 2005 13:59
To: Kivits, H.P. (Huibert)
CC: aaron at spangler.ods.org; sudo-users at sudo.ws
Subject: Re: [sudo-users] Ldap Groups - Resolution


Hi

Thanks for your help. I have resolved the issue now; I had not set up the nsswitch and the correct groups.

To resolve this I created a nisGroup within an ou within the basedn.  I also changed the nsswitch.conf to look up netgroup, passwd and shadow on ldap.

I also added +@netgroup to /etc/passwd and /etc/shadow

Thanks
Dave

On 5/4/05, David Blackburn <hxor666 at gmail.com> wrote:
> Thanks for all your help, I have gone over your instructions but am 
> still having problems, I created a posixGroup, netgroups and sudorole 
> with just a group of users.
> 
> Unless the user is in the sudoers schema I don't get any joy, Huibert 
> your info was very helpful but at the end, it's a little unclear how 
> sudo finds the actual user to verify on.
> 
> i.e. does the nsswitch have to be configured to retrieve the user from 
> the group, or how do I put a link in from the sudoRole statement, to 
> point to the group that sudo will then pickup on.
> 
> All the methods I have tried so far never get a user match unless the 
> user is in the sudoRole statement.
> 
> found:cn=defaults,ou=sudoers,dc=blah,dc=net
> ldap search 
> '(|(sudoUser=blackburnd)(sudoUser=%blackburnd)(sudoUser=%blackburnd)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> user_matches=0
> host_matches=0
> 
> 
> On 4/28/05, Huibert.Kivits at mail.ing.nl <Huibert.Kivits at mail.ing.nl> 
> wrote:
> > Yes, indeed.
> >
> > Dave created an entry for a group in LDAP, under which he added 
> > subentries for users. However, users should not be added as a 
> > subentry to the group. You should do something like the following:
> > - select the group you want to add a user to.
> > - add a new attribute to this group, i.e. the attribute "memberUid"
> > - you now have to enter a value for this attribute. Enter the username. The common name "johndoe" is sufficient. There is no need to enter the distinguished name (dn=johndoe,ou=... Etcetera).
> > - you can add multiple users to a group by adding the memberUid-attribute multiple times.
> > - This way, you can authorize a group for the sudo, instead of individual users.
> >
> > Managing SUDO-authorizations from within LDAP does not require that 
> > users exist in LDAP. This applies both to the user under which the 
> > sudo runs (the value of the sudoRunas attribute) and to the userids 
> > that use SUDO. It is perfectly possible for a local user to use 
> > SUDO-authorizations that are managed via LDAP.
> >
> > Met vriendelijke groeten / With kind regards / Mit freundlichen 
> > Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
> >
> > Huibert Kivits
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com 
> > [mailto:sudo-users-bounces at courtesan.com] On behalf of Aaron Spangler
> > Sent: Wednesday 27 April 2005 18:10
> > To: David Blackburn
> > CC: sudo-users at sudo.ws
> > Subject: Re: [sudo-users] Ldap Groups
> >
> >
> > The sudoUser has syntax similar to the RFC2307 attributes.  It does 
> > not use the full LDAP Distinguished Name.
> >
> > Use the short username in the sudoUser attribute:
> >
> > sudoUser: unixuser1
> > -or-
> > sudoUser: %unixgroup1
> > -or-
> > sudoUser: +netgroup1
> >
> > The unixuser1, unixgroup1, or netgroup1 should be available from the 
> > server's perspective and do not necessarily need to exist in LDAP.  
> > If they do exist in LDAP, then they should follow RFC2307 syntax.
> >
> > On 4/25/05, David Blackburn <hxor666 at gmail.com> wrote:
> > > Hi
> > >
> > > I have Ldap sudo auth working, but I need to set up the sudoUsers 
> > > into groups, I have used the Posix users schema and point sudoUser 
> > > to the below.
> > >
> > > sudoUser points to 
> > > cn=memberUid,ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net
> > >
> > > Where memberUid is the id of the users I want to use.  If I remove 
> > > the above and put my user ID in, this works.
> > >
> > > Please note I am quite new with ldap and may be missing something 
> > > quite basic.
> > >
> > > Thanks
> > > Dave
> > >
> > > ____________________________________________________________
> > > sudo-users mailing list <sudo-users at sudo.ws>
> > > For list information, options, or to unsubscribe, visit: 
> > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > >
> >
> >
> >
> >
>