[sudo-users] Transforming /etc/sudoers to LDAP/AD
Pidugu Vijaya
Vijaya.Pidugu at sig.com
Wed Jan 28 12:27:59 EST 2009
We use the centrall managed sudoers for over 3000 servers and it works... we have it on one of the NFS mounted shares. Of course, you will have to compile your sudo to avoid the default /etc location for sudoers.
________________________________
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
Sent: Wednesday, January 28, 2009 12:10 PM
To: Manjunatha, Jamuna; sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD
Sorry bro., I haven't used a centrally managed sudoers, let alone one that is provided / facilitated using LDAP (AD or otherwise); however, some of your questions seem like low hanging fruit ... I'll leave the higher stuff to the pros ;0.
The sudoers2ldif script should be included in the tarball of sudo 1.7.0 you downloaded.
Not sure what you're asking with regard to whether it is necessary convert the file to ldif format ... LDAP needs the records to be converted to a format it understands.
Once you've got the LDIF definitions, you can import that.
Thanks,
Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's <insert_name_here>
From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Wednesday, January 28, 2009 11:43 AM
To: Singh, Radesh (GTS); sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD
Importance: High
Hi All,
I need really some help...
I am still NOT clear on how we can import the /etc/sudoers file from LINUX to windows AD/LDAP..
I am looking for that part..
The following link helps a little but does not Clearly say what to do stepwise..sorry to be a pain..
All I need is the following:
1) user login in to linux first using windows AD/LDAP authentication
2) Next user has run sudo commands
3) That should get logged
These all work fine if I have a local user on each server, but since I am using LDAP I am going through this route now..
Which is where I got stuck..
I found this good article, but..
http://www.sudo.ws/sudo/readme_ldap.html
Importing /etc/sudoers to LDAP
==============================
Importing is a two step process.
Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container. - This is easy.
For instance, if using OpenLDAP:
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
(An example location is shown below). Then use the provided script to convert
your sudoers file into LDIF format. The script will also convert any default
options.( where is this script located??)
Is this really necessary?? Can we just not a create a file with *.ldif extension?
# SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
# export SUDOERS_BASE
# ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
Step 2:
Import into your directory server. (Where exactly I need to import) If you are using OpenLDAP, do the following
if you are using another directory, provide the LDIF file to your LDAP
Administrator. An example is shown below.
# ldapadd -f /tmp/sudoers.ldif -h ldapserver \
> -D cn=Manager,dc=example,dc=com -W -x
I am really stuck here..
Please help...
Thanks
Jamuna
-----Original Message-----
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
Sent: Tuesday, January 27, 2009 10:22 AM
To: Manjunatha, Jamuna
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD
>From the sudo side of things, it'll be easy. You'll have sudo setup for
how your users "appear" to the system once authenticated.
e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you
were trying to give that group access in sudo, you could have
%unixuser-sysadmin ... in your sudoers to give them the ability to
perform privileged operations
Or if rsingh shows up as sysadmin you could have %sysadmin ... in your
sudoers file to give them the ability to perform privileged operations
Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh
in your sudoers
... you get the picture.
In my current work environment, we see our users show up in two ways.
We're using Vintella's VAS product to perform AD authentication for our
*nix accounts.
Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096
- My name ain't chump, it's <insert_name_here>
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha,
Jamuna
Sent: Monday, January 26, 2009 8:31 PM
To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws
Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD
Hi everybody,
First of all thanks for the great input..
This is really great.
My next question is:
I am now logging into LINUX using LDAP/AD windows authentication.
Basically when I loginto LINUX I am logging using my windows
authentication.
user name
password
works fine
Now I need to use sudo..
earlier I had created local users on Linux & sudo so I could do sudo & I
was fine.
Now that I am authenticating to LINUX via windows LDAP/AD, How will the
sudo work?
Should I create the sudo config file on windows OR Once I am logged
into LINUX (via
LDAP/AD authentication), use the existing /etc/sudoers file??
I am not sure how this sudo will work on LDAP/AD authentication.
I did look on-line, but I am not convinced I have a solution.
Help Please....Apprecite your time....
Thanks in advance
________________________________
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..
It should be mentioned that there are alternatives to sudoshell, such as
osh... they're all third party projects, as far as I know, though.
Ideally, however, in my opinion it's often better to try to force "a
culture change" with how people use sudo... you should prevent access to
commands like "su" or anything where a shell can easily be obtained,
then ask folks to simple preface "sudo" on commands that need elevated
privileges.
Yes, this tends to complicate the sudoers file a bit, and some would say
increases maintenance on it. However, when you need to give basic users
some extra power without sacrificing overall host security, I believe
the benefits outweigh the shortcomings (and after a while, your sudoers
file will be built up nicely and really not require that much in the way
of changes and/or additions).
On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
>
> That is the only best option..
>
> Thanks a lot!!!
>
> ________________________________
>
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
>
>
> You cannot do this. The only way to achieve this is by forcing the
user to use sudo in front of every command he or she needs to run as
root. For that you have to prevent the user from getting root shell
which is pretty easy!
>
>
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com
<sudo-users-bounces at courtesan.com>
> To: Singh, Radesh (GTS) <Radesh_Singh at ml.com>; sudo-users at sudo.ws
<sudo-users at sudo.ws>
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
>
> I tried this, but I have linux so no luck...
>
> [...]
>
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [What changes I need to make in the /etc/sudoers file??]
>
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [sudoshell]
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
>
> Hi all,
>
>
>
> I am trying to setup a sudo..
>
> [How do I log commands from a shell?]
--
Russell M. Van Tassell
russell at loosenut.com
"Quick to judge, Quick to anger, slow to understand. Ignorance and
prejudice and fear walk hand in hand." - N. Peart
The information contained in this email message and its attachments
is intended
only for the private and confidential use of the recipient(s) named
above, unless the sender expressly agrees otherwise. Transmission
of email over the Internet
is not a secure communications medium. If you are requesting or
have requested
the transmittal of personal data, as defined in applicable privacy
laws by means
of email or in an attachment to email you must select a more
secure alternate means of transmittal that supports your
obligations to protect such personal data. If the reader of this
message is not the intended recipient and/or you have received this
email in error, you must take no action based on the information in
this email and you are hereby notified that any dissemination,
misuse, copying, or disclosure of this communication is strictly
prohibited. If you have received
this communication in error, please notify us immediately by email
and delete the original message.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
--------------------------------------------------------------------------
This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. References to "Merrill Lynch" are references to any company in the Merrill Lynch & Co., Inc. group of companies, which are wholly-owned by Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this E-communication may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
--------------------------------------------------------------------------
________________________________
IMPORTANT: The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument. Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.
More information about the sudo-users
mailing list