[sudo-users] Transforming /etc/sudoers to LDAP/AD

Singh, Radesh (GTS) Radesh_Singh at ml.com
Tue Jan 27 10:22:21 EST 2009

>From the sudo side of things, it'll be easy. You'll have sudo setup for
how your users "appear" to the system once authenticated.

e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you
were trying to give that group access in sudo, you could have
%unixuser-sysadmin ... in your sudoers to give them the ability to
perform privileged operations

Or if rsingh shows up as sysadmin you could have %sysadmin ... in your
sudoers file to give them the ability to perform privileged operations

Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh
in your sudoers

... you get the picture.

In my current work environment, we see our users show up in two ways.
We're using Vintella's VAS product to perform AD authentication for our
*nix accounts.

Shawn Singh
(904) 218-4096

- My name ain't chump, it's <insert_name_here>

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha,
Sent: Monday, January 26, 2009 8:31 PM
To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws
Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Hi everybody,
First of all thanks for the great input..
This is really great.
My next question is:
I am now logging into LINUX using LDAP/AD windows authentication.
Basically when I loginto LINUX I am logging using my windows
user name
works fine
Now I need to use sudo..
earlier I had created local users on Linux & sudo so I could do sudo & I
was fine.
Now that I am authenticating to LINUX via windows LDAP/AD, How will the
sudo work?
Should I create the sudo config  file on windows OR Once I am logged
into LINUX (via
LDAP/AD authentication), use the existing /etc/sudoers file??
I am not sure how this sudo will work on LDAP/AD authentication.
I did look on-line, but I am not convinced I have a solution.
Help Please....Apprecite your time....
Thanks in advance


From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..

It should be mentioned that there are alternatives to sudoshell, such as
osh... they're all third party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a
culture change" with how people use sudo... you should prevent access to
commands like "su" or anything where a shell can easily be obtained,
then ask folks to simple preface "sudo" on commands that need elevated

Yes, this tends to complicate the sudoers file a bit, and some would say
increases maintenance on it.  However, when you need to give basic users
some extra power without sacrificing overall host security, I believe
the benefits outweigh the shortcomings (and after a while, your sudoers
file will be built up nicely and really not require that much in the way
of changes and/or additions).

On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
> That is the only best option..
> Thanks a lot!!!
> ________________________________
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
> You cannot do this.  The only way to achieve this is by forcing the
user to use sudo in front of every command he or she needs to run as
root.  For that you have to prevent the user from getting root shell
which is pretty easy!
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com
<sudo-users-bounces at courtesan.com>
> To: Singh, Radesh (GTS) <Radesh_Singh at ml.com>; sudo-users at sudo.ws
<sudo-users at sudo.ws>
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
> I tried this, but I have linux so no luck...
> [...]
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
> [What changes I need to make in the /etc/sudoers file??]
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
> [sudoshell]
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
> Hi all,
> I am trying to setup a sudo..
> [How do I log commands from a shell?]

Russell M. Van Tassell
russell at loosenut.com

"Quick to judge, Quick to anger, slow to understand. Ignorance and
 prejudice and fear walk hand in hand."                       - N. Peart

The information contained in this email message and its attachments
is intended
only for the private and confidential use of the recipient(s) named
above, unless the sender expressly agrees otherwise. Transmission
of email over the Internet
 is not a secure communications medium. If you are requesting or
have requested
the transmittal of personal data, as defined in applicable privacy
laws by means
 of email or in an attachment to email you must select a more
secure alternate means of transmittal that supports your
obligations to protect such personal data. If the reader of this
message is not the intended recipient and/or you have received this
email in error, you must take no action based on the information in
this email and you are hereby notified that any dissemination,
misuse, copying, or disclosure of this communication is strictly
prohibited. If you have received
this communication in error, please notify us immediately by email
and delete the original message.
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.

More information about the sudo-users mailing list