[sudo-users] Transforming /etc/sudoers to LDAP/AD

Russell Van Tassell russell+sudo-users at loosenut.com
Wed Jan 28 17:37:47 EST 2009


On Wed, Jan 28, 2009 at 12:31:18PM -0500, Manjunatha, Jamuna wrote:
> > you will have to compile your sudo to avoid the default /etc location
> > for sudoers.
> 
> Can you please detail how to do this on a Windows AD/LDAP server??
>
> Thanks so much!!!!

To be clear, here... Vijaya was talking about an NFS solution, *NOT* the
LDAP solution you are asking about... in my opinion, that solution is
NOT for everyone (though probably works just fine in a stable 24/7 type
environment).

If you don't understand that particular (NFS) solution as-written, I'd
not recommend trying it, myself (i.e. there are a few pitfalls for the
unwary).


BTW, the README.LDAP file would appear to be a good reference for
converting your sudoers into LDAP format... perhaps if you're more
specific about your questions, someone here can help you -- otherwise,
I'm afraid to say you might be stuck with the docs.

	http://www.sudo.ws/sudo/readme_ldap.html


Barring either NFS or LDAP, above... I've also used cfengine and/or
puppet to push out changes to sudoers files over large numbers of
machines.  The side-effect, here, is that you'll have to effectively
roll out a new client to each-and-every host you want to support...
it's probably not a small undertaking, especially if you're not already
doing or planning some host/config file synchronization across your
organization.  In case you want more info, here's one comparison of the
two (from puppet's standpoint, at least):

	http://reductivelabs.com/trac/puppet/wiki/CfengineVsPuppet


Hope that helps!
Russell


-- 
Russell M. Van Tassell
russell at loosenut.com

Documentation is like sex: when it is good, it is very, very good; and
when it is bad, it is better than nothing.               -- Dick Brandon
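
Added example, not part of the original message and not sudo's own conversion script: a minimal sketch of the sudoers-to-LDAP conversion that README.LDAP documents, turning simple user specifications into sudoRole LDIF and reporting everything else for manual translation. The base DN, the function names and the sample sudoers lines are assumptions made for illustration.

```python
import re

# Assumption: placeholder container DN; substitute your directory's sudoers OU.
BASE = "ou=SUDOers,dc=example,dc=com"
# Simple user specs only: who host = [(runas)] [NOPASSWD:] cmd[, cmd ...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<nopw>NOPASSWD:\s*)?(?P<cmds>.+)$")

def is_alias(token):  # alias names are upper case; ALL is the built-in wildcard
    return token.isupper() and token != "ALL"

def sudoers_to_ldif(text, base=BASE):
    """Return (ldif, skipped); skipped holds (line_no, line) needing manual work."""
    entries, skipped = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue
        m = SPEC.match(line)
        cmds = [c.strip() for c in m["cmds"].split(",")] if m else []
        runas = (m["runas"] or "").strip() if m else ""
        # Never guess: Defaults, aliases, includes and runas lists/groups go to review.
        if (not m or m["who"].startswith("Defaults") or m["who"].endswith("_Alias")
                or ":" in runas or "," in runas
                or any(is_alias(t) for t in [m["who"], m["host"], runas, *cmds])):
            skipped.append((n, line))
            continue
        cn = "%s_line%d" % (m["who"].lstrip("%"), n)
        out = ["dn: cn=%s,%s" % (cn, base), "objectClass: top",
               "objectClass: sudoRole", "cn: " + cn,
               "sudoUser: " + m["who"], "sudoHost: " + m["host"]]
        if runas:
            out.append("sudoRunAsUser: " + runas)  # named sudoRunAs before sudo 1.7.0
        if m["nopw"]:
            out.append("sudoOption: !authenticate")  # LDAP form of NOPASSWD:
        out += ["sudoCommand: " + c for c in cmds]
        entries.append("\n".join(out))
    return "\n\n".join(entries) + "\n", skipped

# Constructed sample input, not taken from the thread.
SAMPLE = """\
Defaults env_reset
User_Alias ADMINS = alice, bob
%wheel ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful, /usr/bin/less /var/log/messages
backup db01 = /usr/bin/rsync
ADMINS ALL = ALL
"""
if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE)[0])
```

The second return value lists the lines the sketch refused to translate (Defaults, alias definitions and alias uses), so nothing is silently dropped or widened during the move to LDAP.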
