[sudo-users] ldap sudo different command list on different servers

Charles Marshall charles at wozi.com
Wed May 21 13:29:23 EDT 2008


Athira,
I have LDAP authentication, a local sudoers file and use netgroups out of ldap.  An excerpt from the file looks like this:

## Command Aliases

# Allow users to manipulate files
Cmnd_Alias MANIP_FILES = /bin/cp, /bin/mv, /bin/rm, /bin/chmod, /bin/mkdir

# Allow users to edit files
Cmnd_Alias EDIT_FILES = sudoedit

# Allow users to manage
Cmnd_Alias HDI_MANAGE = /bin/kill

# Alias for hdidevel group to do things, and become the hdi user
Runas_Alias     HDI = hdiadmin
%hdiops		+hdiprod = (HDI) MANIP_FILES, HDI_MANAGE, EDIT_FILES

This means anyone in the "hdiops" group (which you can then pull from ldap) can do anything defined in the various definitions on the servers defined in the "hdiprod" net group in ldap as the user hdiadmin.  If you look at (http://www.linux.com/articles/113679) there are examples of how to get netgroups working in linux (though I must be honest we used another document to set it up which I can't find right now).

I know it's kinda complicated, but it works pretty well. Also it should be noted that later on when you are defining the net group triples, if your server's hostname is the FQDN of the server you will have to define it as such (server01.prod.d.com,,) as it looks like sudo, at least the version I have, ignores the domain definition in the triple.

Hope this helps,
CS


On May 21, 2008, at 8:08 AM, Barron, Danny wrote:
> Netgroups perhaps or host designation in the sudoers rule.
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Athira C
> Sent: Wednesday, May 21, 2008 12:33 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] ldap sudo different command list on different
> servers
>
> Hello,
>
>      Does anyone know a method to use a common ldap server and then
> have different sudoCommand list for different servers? For example,
> if I have two servers A and B and want to give a user 'ldapuser' the
> permissions to execute a list of commands (list1) in server A and a
> different list of commands (list2) in server B, then, can this be
> accomplished? If so, how?
> Both the servers A and B use a common ldap server. Any assistance is
> appreciated.
>
> Thank you.
>
> Regards,
>
> Athira.
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws> For list information,
> options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
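For the per-server command lists Athira asked about, the same host scoping that the sudoers excerpt above gets from the "+hdiprod" netgroup can be expressed directly in the LDAP sudoRole entries via the sudoHost attribute. The LDIF below is an added illustration, not part of any message in this thread; the base DN "ou=SUDOers,dc=example,dc=com", the hostnames and the command paths are assumed placeholders, to be replaced with your own.

```ldif
# Added example (not from the thread). Base DN, hostnames and the
# "list1"/"list2" command paths are assumed placeholders.

# Role 1: ldapuser may run "list1" only on server A
dn: cn=ldapuser_serverA,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ldapuser_serverA
sudoUser: ldapuser
sudoHost: serverA.example.com
sudoRunAsUser: root
sudoCommand: /bin/cp
sudoCommand: /bin/mv

# Role 2: the same user, a different command list ("list2"), only on server B
dn: cn=ldapuser_serverB,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ldapuser_serverB
sudoUser: ldapuser
sudoHost: serverB.example.com
sudoRunAsUser: root
sudoCommand: /usr/sbin/service

# Role 3: netgroup form, mirroring the "%hdiops +hdiprod = (HDI) ..." line
# of the sudoers excerpt: the hdiops group on every host in the hdiprod
# netgroup, running as hdiadmin, restricted to an explicit command list
dn: cn=hdiops_prod,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: hdiops_prod
sudoUser: %hdiops
sudoHost: +hdiprod
sudoRunAsUser: hdiadmin
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/rm
sudoCommand: /bin/kill
sudoCommand: sudoedit
```

Because sudoHost is matched against the hostname as sudo sees it on the client (short name or FQDN, which the "fqdn" Defaults option controls), the host-name caveat from the netgroup triples applies here too; run "sudo -l" as the user on each server to confirm that only the intended list is granted there.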