[sudo-users] Ldap Groups

David Blackburn hxor666 at gmail.com
Wed May 4 05:59:06 EDT 2005

Thanks for all your help, I have gone over your instructions but am
still having problems, I created a posixGroup, netgroups and sudorole
with just a group of users.

Unless the user is in the sudoers schema I dont get any joy, Huibert
your info was very helpfully but at the end, its a little unclear how
sudo finds the actual user to verify on.

i.e. does the nsswtich have to be configured to retreive the user from
the group, or how do I put a link in from the sudoRole statement, to
point to the group that sudo will then pickup on.

All the methods I have tried so far never get a user match unless the
user is in the sudoRole statement.

ldap search '(|(sudoUser=blackburnd)(sudoUser=%blackburnd)(sudoUser=%blackburnd)(sudoUser=ALL))'
ldap search 'sudoUser=+*'

On 4/28/05, Huibert.Kivits at mail.ing.nl <Huibert.Kivits at mail.ing.nl> wrote:
> Yes, indeed.
> Dave created an entry for a group in LDAP, under which he added subentries for users.
> However, users should not be added as a subentry to the group. You should do something like the following:
> - select the group you want to add a user to.
> - add a new attribute to this group, i.e. the attribute "memberUid"
> - you now have to enter a value for this attribute. Enter the name of the username. The common name "johndoe" is sufficient. There is no need to enter the distinguished name (dn=johndoe,ou=... Etcetera).
> - you can add multiple users to a group by adding the memberUid-attribute multiple times.
> - This way, you can authorize a group for the sudo, instead of individual users.
> Managing SUDO-authorizations from within LDAP does not require that users exist in LDAP. This applies both to the user under which the sudo runs (the value of the sudoRunas-attribute) and to the userid's that use SUDO. It is perfectly possible for a local user to use SUDO-authorizations that are managed via LDAP.
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
> Huibert Kivits
> -----Oorspronkelijk bericht-----
> Van: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] Namens Aaron Spangler
> Verzonden: woensdag 27 april 2005 18:10
> Aan: David Blackburn
> CC: sudo-users at sudo.ws
> Onderwerp: Re: [sudo-users] Ldap Groups
> The sudouser has syntax similar to the RFC2307 attributes.  It does not use the full LDAP Distringuished Name.
> Use the short username in the sudoUser attribute:
> sudoUser: unixuser1
> -or-
> sudoUser: %unixgroup1
> -or-
> sudoUser: +netgroup1
> The unixuser1, unixgroup1, or netgroup1 should be available from the servers perspective and do not necessarily need to exist in LDAP.  If they do exist in LDAP, then they should follow RFC2307 syntax.
> On 4/25/05, David Blackburn <hxor666 at gmail.com> wrote:
> > Hi
> >
> > I have Ldap sudo auth working, but I need to setup the sudoUser's into
> > groups, I have used the Posix users schema and point sudoUser to the
> > below.
> >
> > sudoUser points to
> > cn=memberUid,ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net
> >
> > Where memberUid is the id of the users I want to use.  If I remove the
> > above and  put my user ID in this works.
> >
> > Please note I am quite new with ldap and my be missing something quite
> > basic.
> >
> > Thanks
> > Dave
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
> -----------------------------------------------------------------
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -----------------------------------------------------------------

More information about the sudo-users mailing list