[sudo-users] Transforming /etc/sudoers to LDAP/AD

Singh, Radesh (GTS) Radesh_Singh at ml.com
Wed Jan 28 12:10:23 EST 2009

Sorry bro., I haven't used a centrally managed sudoers, let alone one
that is provided / facilitated using LDAP (AD or otherwise); however,
some of your questions seem like low hanging fruit ... I'll leave the
higher stuff to the pros ;0.


The sudoers2ldif script should be included in the tarball of sudo 1.7.0
you downloaded.

Not sure what you're asking with regard to whether it is necessary
convert the file to ldif format ... LDAP needs the records to be
converted to a format it understands.

Once you've got the LDIF definitions, you can import that.




Shawn Singh


(904) 218-4096


- My name ain't chump, it's <insert_name_here>


From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com] 
Sent: Wednesday, January 28, 2009 11:43 AM
To: Singh, Radesh (GTS); sudo-users at sudo.ws; Russell Van Tassell;
Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD
Importance: High


Hi All,


I need really some help...


I am still NOT clear on how we can import the /etc/sudoers file from
LINUX to windows AD/LDAP..


I am looking for that part..


The following link helps a little but does not Clearly say what to do
stepwise..sorry to be a pain..


All I need is the following:


1)  user login in to linux first using windows AD/LDAP authentication

2)  Next user has run sudo commands

3)  That should get logged


These all work fine if I have a local user on each server, but since I
am using LDAP I am going through this route now..


Which is where I got stuck..


I found this good article, but..




Importing /etc/sudoers to LDAP
Importing is a two step process.
Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container. -
This is easy.
For instance, if using OpenLDAP:
  dn: ou=SUDOers,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: SUDOers
(An example location is shown below).  Then use the provided script to
your sudoers file into LDIF format.  The script will also convert any
options.( where is this script located??)
Is this really necessary?? Can we just not a create a file with *.ldif
  # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
  # export SUDOERS_BASE
  # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
Step 2:
Import into your directory server. (Where exactly I need to import) If
you are using OpenLDAP, do the following
if you are using another directory, provide the LDIF file to your LDAP
Administrator.  An example is shown below.
  # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
  > -D cn=Manager,dc=example,dc=com -W -x


I am really stuck here..



Please help...







-----Original Message-----
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com] 
Sent: Tuesday, January 27, 2009 10:22 AM
To: Manjunatha, Jamuna
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD


>From the sudo side of things, it'll be easy. You'll have sudo setup for

how your users "appear" to the system once authenticated.


e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you

were trying to give that group access in sudo, you could have

%unixuser-sysadmin ... in your sudoers to give them the ability to

perform privileged operations


Or if rsingh shows up as sysadmin you could have %sysadmin ... in your

sudoers file to give them the ability to perform privileged operations


Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh

in your sudoers


... you get the picture.


In my current work environment, we see our users show up in two ways.

We're using Vintella's VAS product to perform AD authentication for our

*nix accounts.


Shawn Singh


(904) 218-4096


- My name ain't chump, it's <insert_name_here>



-----Original Message-----

From: sudo-users-bounces at courtesan.com

[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha,


Sent: Monday, January 26, 2009 8:31 PM

To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws

Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)

Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD


Hi everybody,


First of all thanks for the great input..


This is really great.


My next question is:


I am now logging into LINUX using LDAP/AD windows authentication.

Basically when I loginto LINUX I am logging using my windows



user name



works fine


Now I need to use sudo..


earlier I had created local users on Linux & sudo so I could do sudo & I

was fine.


Now that I am authenticating to LINUX via windows LDAP/AD, How will the

sudo work?


Should I create the sudo config  file on windows OR Once I am logged

into LINUX (via

LDAP/AD authentication), use the existing /etc/sudoers file??


I am not sure how this sudo will work on LDAP/AD authentication.


I did look on-line, but I am not convinced I have a solution.


Help Please....Apprecite your time....


Thanks in advance






From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]

Sent: Mon 1/26/2009 3:06 PM

To: Manjunatha, Jamuna

Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws

Subject: Re: [sudo-users] I need help with sudoers..





It should be mentioned that there are alternatives to sudoshell, such as

osh... they're all third party projects, as far as I know, though.


Ideally, however, in my opinion it's often better to try to force "a

culture change" with how people use sudo... you should prevent access to

commands like "su" or anything where a shell can easily be obtained,

then ask folks to simple preface "sudo" on commands that need elevated



Yes, this tends to complicate the sudoers file a bit, and some would say

increases maintenance on it.  However, when you need to give basic users

some extra power without sacrificing overall host security, I believe

the benefits outweigh the shortcomings (and after a while, your sudoers

file will be built up nicely and really not require that much in the way

of changes and/or additions).


On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:

> Yes, agreed...


> That is the only best option..


> Thanks a lot!!!


> ________________________________


> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]

> Sent: Sun 1/25/2009 9:11 AM

> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'

> Subject: Re: [sudo-users] I need help with sudoers..



> You cannot do this.  The only way to achieve this is by forcing the

user to use sudo in front of every command he or she needs to run as

root.  For that you have to prevent the user from getting root shell

which is pretty easy!



> ----- Original Message -----

> From: sudo-users-bounces at courtesan.com

<sudo-users-bounces at courtesan.com>

> To: Singh, Radesh (GTS) <Radesh_Singh at ml.com>; sudo-users at sudo.ws

<sudo-users at sudo.ws>

> Sent: Fri Jan 23 15:13:24 2009

> Subject: Re: [sudo-users] I need help with sudoers..


> I tried this, but I have linux so no luck...


> [...]


> -----Original Message-----

> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]

> Sent: Thursday, January 22, 2009 12:41 PM

> To: Singh, Radesh (GTS); sudo-users at sudo.ws

> Subject: RE: [sudo-users] I need help with sudoers..


> [What changes I need to make in the /etc/sudoers file??]


> -----Original Message-----

> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]

> Sent: Thursday, January 22, 2009 12:39 PM

> To: Manjunatha, Jamuna; sudo-users at sudo.ws

> Subject: RE: [sudo-users] I need help with sudoers..


> [sudoshell]


> -----Original Message-----

> From: sudo-users-bounces at courtesan.com

> Sent: Wednesday, January 21, 2009 12:06 PM

> To: sudo-users at sudo.ws

> Subject: [sudo-users] I need help with sudoers..


> Hi all,




> I am trying to setup a sudo..


> [How do I log commands from a shell?]




Russell M. Van Tassell

russell at loosenut.com


"Quick to judge, Quick to anger, slow to understand. Ignorance and

 prejudice and fear walk hand in hand."                       - N. Peart





The information contained in this email message and its attachments

is intended

only for the private and confidential use of the recipient(s) named

above, unless the sender expressly agrees otherwise. Transmission

of email over the Internet

 is not a secure communications medium. If you are requesting or

have requested

the transmittal of personal data, as defined in applicable privacy

laws by means

 of email or in an attachment to email you must select a more

secure alternate means of transmittal that supports your

obligations to protect such personal data. If the reader of this

message is not the intended recipient and/or you have received this

email in error, you must take no action based on the information in

this email and you are hereby notified that any dissemination,

misuse, copying, or disclosure of this communication is strictly

prohibited. If you have received

this communication in error, please notify us immediately by email

and delete the original message.


sudo-users mailing list <sudo-users at sudo.ws>

For list information, options, or to unsubscribe, visit:




This message w/attachments (message) may be privileged, confidential or
proprietary, and if you are not an intended recipient, please notify the
sender, do not use or share it and delete it. Unless specifically
indicated, this message is not an offer to sell or a solicitation of any
investment products or other financial product or service, an official
confirmation of any transaction, or an official statement of Merrill
Lynch. Subject to applicable law, Merrill Lynch may monitor, review and
retain e-communications (EC) traveling through its networks/systems. The
laws of the country of each sender/recipient may impact the handling of
EC, and EC may be archived, supervised and produced in countries other
than the country in which you are located. This message cannot be
guaranteed to be secure or error-free. References to "Merrill Lynch" are
references to any company in the Merrill Lynch & Co., Inc. group of
companies, which are wholly-owned by Bank of America Corporation.
Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank
Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a
Condition to Any Banking Service or Activity * Are Not Insured by Any
Federal Government Agency. Attachments that are part of this
E-communication may have additional important disclosures and
disclaimers, which you should read. This message is subject to terms
available at the following link:
http://www.ml.com/e-communications_terms/. By messaging with Merrill
Lynch you consent to the foregoing.



More information about the sudo-users mailing list