[sudo-users] Transforming /etc/sudoers to LDAP/AD

Manjunatha, Jamuna Jamuna.Manjunatha at ironmountain.com
Mon Jan 26 20:30:43 EST 2009 

Hi everybody,
 
First of all thanks for the great input..
 
This is really great.
 
My next question is:
 
I am now logging into LINUX using LDAP/AD windows authentication.
Basically when I loginto LINUX I am logging using my windows authentication.
 
user name
password
 
works fine
 
Now I need to use sudo..
 
earlier I had created local users on Linux & sudo so I could do sudo & I was fine.
 
Now that I am authenticating to LINUX via windows LDAP/AD, How will the sudo work?
 
Should I create the sudo config  file on windows OR Once I am logged into LINUX (via
LDAP/AD authentication), use the existing /etc/sudoers file??
 
I am not sure how this sudo will work on LDAP/AD authentication.
 
I did look on-line, but I am not convinced I have a solution.
 
Help Please....Apprecite your time....
 
Thanks in advance
 
 

________________________________

From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..




It should be mentioned that there are alternatives to sudoshell, such as
osh... they're all third party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a
culture change" with how people use sudo... you should prevent access to
commands like "su" or anything where a shell can easily be obtained,
then ask folks to simple preface "sudo" on commands that need elevated
privileges.

Yes, this tends to complicate the sudoers file a bit, and some would say
increases maintenance on it.  However, when you need to give basic users
some extra power without sacrificing overall host security, I believe
the benefits outweigh the shortcomings (and after a while, your sudoers
file will be built up nicely and really not require that much in the way
of changes and/or additions).

On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
> 
> That is the only best option..
> 
> Thanks a lot!!!
>
> ________________________________
>
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
>
>
> You cannot do this.  The only way to achieve this is by forcing the user to use sudo in front of every command he or she needs to run as root.  For that you have to prevent the user from getting root shell which is pretty easy!
>
>
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com <sudo-users-bounces at courtesan.com>
> To: Singh, Radesh (GTS) <Radesh_Singh at ml.com>; sudo-users at sudo.ws <sudo-users at sudo.ws>
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
>
> I tried this, but I have linux so no luck...
>
> [...]
>
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [What changes I need to make in the /etc/sudoers file??]
>
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [sudoshell]
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
>
> Hi all,
>
>
>
> I am trying to setup a sudo..
>
> [How do I log commands from a shell?]


--
Russell M. Van Tassell
russell at loosenut.com

"Quick to judge, Quick to anger, slow to understand. Ignorance and
 prejudice and fear walk hand in hand."                       - N. Peart




The information contained in this email message and its attachments
is intended
only for the private and confidential use of the recipient(s) named
above, unless the sender expressly agrees otherwise. Transmission
of email over the Internet
 is not a secure communications medium. If you are requesting or
have requested
the transmittal of personal data, as defined in applicable privacy
laws by means
 of email or in an attachment to email you must select a more
secure alternate means of transmittal that supports your
obligations to protect such personal data. If the reader of this
message is not the intended recipient and/or you have received this
email in error, you must take no action based on the information in
this email and you are hereby notified that any dissemination,
misuse, copying, or disclosure of this communication is strictly
prohibited. If you have received
this communication in error, please notify us immediately by email
and delete the original message.

More information about the sudo-users mailing list