[sudo-users] sudo on LDAP running commands as multiple-users

Edward Capriolo edlinuxguru at gmail.com
Tue Oct 20 11:09:27 EDT 2009

On Mon, Oct 19, 2009 at 9:23 PM, Tony G. <tonysk8 at gmx.net> wrote:
> Hi, I have sudo running on openldap and found that some sudo rules more
> elaborated are probably not working as expected, wondering if any of you
> have been able to solve this.
> This is the rule I want to implement
> %www ALL = (www) ALL, (root) /bin/su www
> On LDAP the entry is:
> dn: cn=%www,ou=sudoers,dc=example,dc=com
> cn: www
> cn: %www
> sudoHost: ALL
> sudoUser: %www
> objectClass: sudoRole
> objectClass: top
> sudoCommand: (root) /bin/su www
> sudoCommand: (www) ALL
> This rule does not work, but I'm able to mimic some functionality:
> 1st Option, The (www) ALL
> sudoCommand: ALL
> sudoRunAs: www
> *But you are not able to switch to www user.
> 2nd Option, The (root) /bin/su www
> sudoCommand: /bin/su www
> sudoRunAs: root
> *But you are not able to run sudo as www user.
> I see that the (runas) COMMAND format is not working as I set:
> sudoCommand: (root) /bin/su www
> sudoRunAs: <EMPTY>
> And I'm not able to run /bin/su www
> Thanks for your Help in Advance.
> --
> Tony
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users


Your problem is you are not specifying the LDAP objects correctly. You
are going to need two objects in the end.

First is www a user or is www a group?

if user
sudoUser: www

if group
sudoUser: %www

Secondly your sudoCommand is wrong

sudoCommand: (root) /bin/su www

Should be
sudoCommand:  /bin/su www
sudoRunAs: root

sudoRunAs: root is the default

What you might want is this:

This lets www run all commands with sudo.

dn: cn=www,ou=sudoers,dc=example,dc=com
cn: www
sudoHost: ALL
sudoUser: www
objectClass: sudoRole
objectClass: top
sudoCommand:  ALL

Usually root has all sudo.

dn: cn=root,ou=sudoers,dc=example,dc=com
cn: root
sudoHost: ALL
sudoUser: root
objectClass: sudoRole
objectClass: top
sudoCommand:  ALL

Good luck!

More information about the sudo-users mailing list