[sudo-users] Transforming /etc/sudoers to LDAP/AD

Pidugu Vijaya Vijaya.Pidugu at sig.com
Tue Jan 27 14:49:20 EST 2009


Not sure if you resolved this... We actually use an NFS share where we put our sudoers file.

We tested using Active Directory for user authentication.  In AD we had to put some kind of sudo object to make it work though!


________________________________
From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Tuesday, January 27, 2009 10:39 AM
To: Suj; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Where do we keep the sudoers file on Windows?

I want to keep the sudoers file on Windows LDAP, instead of Linux, so I can disable /etc/sudoers & /etc/group on every Linux host.

How can Windows read the sudoers file & authenticate accordingly?

Can I do this??

Advise???

Thank you all..

________________________________
From: Suj [mailto:sujnanshetty at gmail.com]
Sent: Tuesday, January 27, 2009 9:59 AM
To: Manjunatha, Jamuna; Russell Van Tassell; Radesh_Singh at ml.com; sudo-users at sudo.ws; Pidugu Vijaya
Subject: Re: [sudo-users] Transforming /etc/sudoers to LDAP/AD


It is not much different than assigning permissions based on groups. You just need to prepend the domain name before the group name, in the sudoers file. The user's AD group name is the group that needs to be named in the sudoers file.

It's all there in the documentation, you need to experiment with the sudoers file and convince yourself to read more ...

########################################################################
# Giving  grp1 group members all root privileges
%domain-name\\grp1 ALL=(ALL) ALL

# Giving "support" group limited access to root commands
%domain-name\\support ALL=(root) KILL, APACHE, !SU, !SCP, !BIN, !SHELL, MONITOR,\
          INSTALL, EDIT
########################################################################


-----------------------------------------------------------------------
On Mon, Jan 26, 2009 at 8:30 PM, Manjunatha, Jamuna <Jamuna.Manjunatha at ironmountain.com> wrote:

I am now logging into Linux using LDAP/AD Windows authentication.
Basically, when I log into Linux I am logging in using my Windows authentication.
Earlier I had created local users on Linux & sudo, so I could do sudo & I was fine.

Now that I am authenticating to Linux via Windows LDAP/AD, how will the sudo work?
Should I create the sudo config file on Windows, or, once I am logged into Linux (via LDAP/AD authentication), use the existing /etc/sudoers file?

I am not sure how this sudo will work on LDAP/AD authentication.

I did look on-line, but I am not convinced I have a solution.

Thanks in advance
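
The group rules quoted in this thread, rewritten as sudoRole LDIF entries of the kind sudo's LDAP support reads. This is an added example, not part of the original messages. The base DN passed in and the alias contents are constructed, the second rule is shortened, and the code assumes that `\\` in sudoers stands for one literal backslash. Each Cmnd_Alias is expanded because LDAP-stored sudoers has no alias support.

```python
import re

NOT_RULES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Defaults")
# One simple rule per line: WHO HOST = (RUNAS) CMD, CMD, ...
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^():]+)\)\s*)?(.+)$")

# Constructed sample: the thread's two rules (second one shortened).
SAMPLE = r"""
# Giving grp1 group members all root privileges
%domain-name\\grp1 ALL=(ALL) ALL
%domain-name\\support ALL=(root) KILL, !SU,\
          EDIT
"""
# Constructed alias contents; the thread never defines KILL, SU or EDIT.
SAMPLE_ALIASES = {"KILL": ["/bin/kill"], "SU": ["/bin/su"], "EDIT": ["/usr/bin/vi"]}

def expand(cmd, cmnd_aliases):
    """Expand a (possibly negated) Cmnd_Alias name into command paths."""
    neg = "!" if cmd.startswith("!") else ""
    name = cmd.lstrip("!")
    if name == "ALL" or name.startswith("/"):
        return [neg + name]
    if name not in cmnd_aliases:
        raise ValueError("undefined Cmnd_Alias: " + name)
    return [neg + path for path in cmnd_aliases[name]]

def sudoers_to_ldif(text, base_dn, cmnd_aliases):
    """Convert simple one-line sudoers rules to sudoRole LDIF text."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC.match(line)
        if line.startswith(NOT_RULES) or not m:
            raise ValueError("unsupported line: " + line)
        who, host, runas, cmds = m.groups()
        n = len(entries) + 1
        out = ["dn: cn=rule%d,%s" % (n, base_dn), "objectClass: top",
               "objectClass: sudoRole", "cn: rule%d" % n,
               "sudoUser: " + who.replace("\\\\", "\\"),  # \\ -> one backslash
               "sudoHost: " + host]
        if runas:
            out.append("sudoRunAsUser: " + runas.strip())
        for cmd in cmds.split(","):
            out += ["sudoCommand: " + c for c in expand(cmd.strip(), cmnd_aliases)]
        entries.append("\n".join(out))
    return "\n\n".join(entries) + "\n"
```

Calling `sudoers_to_ldif(SAMPLE, "ou=SUDOers,dc=example,dc=com", SAMPLE_ALIASES)` returns two entries; alias and Defaults lines raise ValueError rather than being silently dropped, so a rule that depends on them cannot be converted half-way.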



