[sudo-users] Transforming /etc/sudoers to LDAP/AD

Pidugu Vijaya Vijaya.Pidugu at sig.com
Wed Jan 28 12:27:59 EST 2009


We use the centrally managed sudoers for over 3000 servers and it works... we have it on one of the NFS mounted shares.  Of course, you will have to compile your sudo to avoid the default /etc location for sudoers.

________________________________
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
Sent: Wednesday, January 28, 2009 12:10 PM
To: Manjunatha, Jamuna; sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Sorry bro, I haven't used a centrally managed sudoers, let alone one that is provided / facilitated using LDAP (AD or otherwise); however, some of your questions seem like low hanging fruit ... I'll leave the higher stuff to the pros ;0.

The sudoers2ldif script should be included in the tarball of sudo 1.7.0 you downloaded.
Not sure what you're asking with regard to whether it is necessary to convert the file to ldif format ... LDAP needs the records to be converted to a format it understands.
Once you've got the LDIF definitions, you can import that.

Thanks,

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096

- My name ain't chump, it's <insert_name_here>

From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
Sent: Wednesday, January 28, 2009 11:43 AM
To: Singh, Radesh (GTS); sudo-users at sudo.ws; Russell Van Tassell; Vijaya.Pidugu at sig.com
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD
Importance: High

Hi All,

I really need some help...

I am still NOT clear on how we can import the /etc/sudoers file from LINUX to windows AD/LDAP..

I am looking for that part..

The following link helps a little but does not clearly say what to do stepwise..sorry to be a pain..

All I need is the following:

1)  user logs in to linux first using windows AD/LDAP authentication
2)  Next the user runs sudo commands
3)  That should get logged

These all work fine if I have a local user on each server, but since I am using LDAP I am going through this route now..

Which is where I got stuck..

I found this good article, but..

http://www.sudo.ws/sudo/readme_ldap.html

Importing /etc/sudoers to LDAP
==============================
Importing is a two step process.

Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container. - This is easy.

For instance, if using OpenLDAP:

  dn: ou=SUDOers,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: SUDOers

(An example location is shown below).  Then use the provided script to convert
your sudoers file into LDIF format.  The script will also convert any default
options. (where is this script located??)

Is this really necessary?? Can we not just create a file with a *.ldif extension?

  # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
  # export SUDOERS_BASE
  # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif

Step 2:
Import into your directory server. (Where exactly do I need to import?) If you are using OpenLDAP, do the following;
if you are using another directory, provide the LDIF file to your LDAP
Administrator.  An example is shown below.

  # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
  > -D cn=Manager,dc=example,dc=com -W -x

I am really stuck here..

Please help...

Thanks

Jamuna


-----Original Message-----
From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
Sent: Tuesday, January 27, 2009 10:22 AM
To: Manjunatha, Jamuna
Cc: sudo-users at sudo.ws
Subject: RE: [sudo-users] Transforming /etc/sudoers to LDAP/AD

From the sudo side of things, it'll be easy. You'll have sudo set up for
how your users "appear" to the system once authenticated.

e.g. if rsingh shows up as being in the group unixuser-sysadmin, and you
were trying to give that group access in sudo, you could have
%unixuser-sysadmin ... in your sudoers to give them the ability to
perform privileged operations

Or if rsingh shows up as sysadmin you could have %sysadmin ... in your
sudoers file to give them the ability to perform privileged operations

Or if rsingh shows up as unixuser-rsingh, you could have unixuser-rsingh
in your sudoers

... you get the picture.

In my current work environment, we see our users show up in two ways.
We're using Vintela's VAS product to perform AD authentication for our
*nix accounts.

Shawn Singh
NJUNIX/GWM UNIX
(904) 218-4096



- My name ain't chump, it's <insert_name_here>
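As an added worked example (my code, not the sudoers2ldif script from the sudo tarball and not anything posted in this thread), the Python below turns the kind of group and user rules Shawn describes (%unixuser-sysadmin, %sysadmin, unixuser-rsingh) into the sudoRole LDIF entries that Step 1 of the readme Jamuna quotes produces, under the ou=SUDOers container from Step 2. The sample sudoers text is constructed; the base DN, the mapping of the NOPASSWD tag to sudoOption: !authenticate, and leaving out sudoOrder are my assumptions.

```python
import re
# Constructed sample sudoers content (not from the thread): a Defaults line plus group/user rules.
SAMPLE_SUDOERS = """Defaults    requiretty, logfile=/var/log/sudo.log
%unixuser-sysadmin ALL=(ALL) ALL
unixuser-rsingh    ALL=(root) /usr/sbin/service, /bin/mount
%sysadmin web01,web02=(ALL) NOPASSWD: /usr/bin/systemctl
"""
# user  hosts = (runas) [TAG:] commands   (aliases and #include are out of scope here)
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\((\S+)\)\s*)?(.*)$")
TAGS_RE = re.compile(r"^(?:[A-Z]+:\s*)*")   # leading NOPASSWD:, SETENV: ... tags

def parse_sudoers(text):
    """Return (defaults, rules): defaults is a list of option strings, rules a list of dicts."""
    defaults, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults += [o.strip() for o in line[len("Defaults"):].split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: %r" % raw)
        user, hosts, runas, cmnd = m.groups()
        tags = re.findall(r"([A-Z]+):", TAGS_RE.match(cmnd).group(0))
        cmnd = TAGS_RE.sub("", cmnd, count=1)
        rules.append({"user": user, "hosts": hosts.split(","), "runas": runas or "root",
                      "cmds": [c.strip() for c in cmnd.split(",")], "tags": tags})
    return defaults, rules

def to_ldif(defaults, rules, base):
    """Render cn=defaults plus one sudoRole entry per rule; sudoOrder is left out (assumption)."""
    entries = []
    if defaults:
        entries.append(["dn: cn=defaults,%s" % base, "objectClass: top", "objectClass: sudoRole",
                        "cn: defaults"] + ["sudoOption: %s" % d for d in defaults])
    for r in rules:
        cn = r["user"].lstrip("%")                   # keep the RDN readable for group specs
        attrs = ["dn: cn=%s,%s" % (cn, base), "objectClass: top", "objectClass: sudoRole",
                 "cn: %s" % cn, "sudoUser: %s" % r["user"], "sudoRunAsUser: %s" % r["runas"]]
        attrs += ["sudoHost: %s" % h for h in r["hosts"]]
        attrs += ["sudoCommand: %s" % c for c in r["cmds"]]
        if "NOPASSWD" in r["tags"]:                  # LDAP spelling of the NOPASSWD tag
            attrs.append("sudoOption: !authenticate")
        entries.append(attrs)
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

def convert(text, base="ou=SUDOers,dc=example,dc=com"):
    return to_ldif(*parse_sudoers(text), base)
```

Feed the output to ldapadd -f as in Step 2, then spot-check with an ldapsearch under the sudoers base that each sudoRole carries the sudoUser and sudoCommand values you expect before pointing clients at it.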





-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Manjunatha,
Jamuna
Sent: Monday, January 26, 2009 8:31 PM
To: Russell Van Tassell; Singh, Radesh (GTS); sudo-users at sudo.ws
Cc: sudo-users at sudo.ws; Pidugu Vijaya; Singh, Radesh (GTS)
Subject: [sudo-users] Transforming /etc/sudoers to LDAP/AD

Hi everybody,

First of all thanks for the great input..

This is really great.

My next question is:

I am now logging into LINUX using LDAP/AD windows authentication.
Basically when I log into LINUX I am logging in using my windows
authentication.

user name
password

works fine

Now I need to use sudo..

earlier I had created local users on Linux & sudo so I could do sudo & I
was fine.

Now that I am authenticating to LINUX via windows LDAP/AD, how will
sudo work?

Should I create the sudo config file on windows OR once I am logged
into LINUX (via LDAP/AD authentication), use the existing /etc/sudoers file??

I am not sure how this sudo will work on LDAP/AD authentication.

I did look on-line, but I am not convinced I have a solution.

Help Please....Appreciate your time....

Thanks in advance

________________________________

From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Mon 1/26/2009 3:06 PM
To: Manjunatha, Jamuna
Cc: Pidugu Vijaya; Radesh_Singh at ml.com; sudo-users at sudo.ws
Subject: Re: [sudo-users] I need help with sudoers..

It should be mentioned that there are alternatives to sudoshell, such as
osh... they're all third party projects, as far as I know, though.

Ideally, however, in my opinion it's often better to try to force "a
culture change" with how people use sudo... you should prevent access to
commands like "su" or anything where a shell can easily be obtained,
then ask folks to simply preface "sudo" on commands that need elevated
privileges.

Yes, this tends to complicate the sudoers file a bit, and some would say
increases maintenance on it.  However, when you need to give basic users
some extra power without sacrificing overall host security, I believe
the benefits outweigh the shortcomings (and after a while, your sudoers
file will be built up nicely and really not require that much in the way
of changes and/or additions).

On Sun, Jan 25, 2009 at 12:22:21PM -0500, Manjunatha, Jamuna wrote:
> Yes, agreed...
>
> That is the only best option..
>
> Thanks a lot!!!
>
> ________________________________
>
> From: Pidugu Vijaya [mailto:Vijaya.Pidugu at sig.com]
> Sent: Sun 1/25/2009 9:11 AM
> To: Manjunatha, Jamuna; 'Radesh_Singh at ml.com'; 'sudo-users at sudo.ws'
> Subject: Re: [sudo-users] I need help with sudoers..
>
> You cannot do this.  The only way to achieve this is by forcing the
> user to use sudo in front of every command he or she needs to run as
> root.  For that you have to prevent the user from getting a root shell
> which is pretty easy!
>
> ----- Original Message -----
> From: sudo-users-bounces at courtesan.com
> <sudo-users-bounces at courtesan.com>
> To: Singh, Radesh (GTS) <Radesh_Singh at ml.com>; sudo-users at sudo.ws
> <sudo-users at sudo.ws>
> Sent: Fri Jan 23 15:13:24 2009
> Subject: Re: [sudo-users] I need help with sudoers..
>
> I tried this, but I have linux so no luck...
>
> [...]
>
> -----Original Message-----
> From: Manjunatha, Jamuna [mailto:Jamuna.Manjunatha at ironmountain.com]
> Sent: Thursday, January 22, 2009 12:41 PM
> To: Singh, Radesh (GTS); sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [What changes I need to make in the /etc/sudoers file??]
>
> -----Original Message-----
> From: Singh, Radesh (GTS) [mailto:Radesh_Singh at ml.com]
> Sent: Thursday, January 22, 2009 12:39 PM
> To: Manjunatha, Jamuna; sudo-users at sudo.ws
> Subject: RE: [sudo-users] I need help with sudoers..
>
> [sudoshell]
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> Sent: Wednesday, January 21, 2009 12:06 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] I need help with sudoers..
>
> Hi all,
>
> I am trying to setup a sudo..
>
> [How do I log commands from a shell?]

--
Russell M. Van Tassell
russell at loosenut.com

"Quick to judge, Quick to anger, slow to understand. Ignorance and
 prejudice and fear walk hand in hand."                       - N. Peart










____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users


