[sudo-users] sudoers in ldap

Edward Capriolo edlinuxguru at gmail.com
Mon Nov 1 18:48:39 EDT 2010


You can use netgroups, but you can also specify multiple sudoHost values or
even * in sudo LDAP. In fact each of the fields sudoUser, sudoGroup,
sudoHost and sudoCommand can be specified multiple times.

sudoUser: ed
sudoCommand: ALL
sudoHost: web*

Or

sudoUser: ed
sudoUser: %admin
sudoHost: web1
sudoHost: web2
sudoCommand: ALL

As the previous poster pointed out, netgroups are flexible because you
can have groups of groups. However, if you flatten your recursive groups
into lists you have the same effect.

On Friday, October 29, 2010, Jan-Frode Myklebust <mykleb at no.ibm.com> wrote:
> On 2010-10-28, Woodward, Andrew <andreww at telenav.com> wrote:
>>
>> I'm wondering if there is some shortcut method to performing this now that
>> the sudoers is centralized in LDAP without having to create separate sets of
>> sudoers records and groups for each silo (there are currently 6 defined,
>> with 5 levels of access == mess of ~144 points of management)
>>
>
> Not quite sure I understand what a "silo" is, but it sounds like a
> group of servers. So have you considered using netgroups (also in
> LDAP) and grant access per netgroup ?
>
> We use netgroups both for users and hosts. Example sudo-entry:
>
> $ ldapsearch  -h sim2.example.net -b dc=example,dc=net -x "(cn=nocdrift-at-dnsservere)"
>         dn: cn=nocdrift-at-dnsservere,ou=SUDOers,dc=example,dc=net
>         sudoHost: +dnsservers
>         sudoUser: +u_nocdrift
>         sudoRunAs: root
>         sudoCommand: /sbin/service
>         sudoCommand: /bin/kill
>         objectClass: top
>         objectClass: sudoRole
>         sudoOption: !authenticate
>         cn: nocdrift-at-dnsservere
>
> $ getent netgroup dnsservers
> dnsservers            (m1ns1.example.net, , ) (m1ns2.example.net, , ) (ns1m.example.net, , ) (ns2m.example.net, , ) (ns2mgmt.mro.example.net, , ) (ns1ext.example.net, , ) (ns2ext.example.net, , ) (bpf, , ) (ns1mgmt.ulh.example.net, , ) (ns1tv.mro.example.net, , ) (ns2tv.ulh.example.net, , ) (ns2voip.ulh.example.net, , ) (ns1voip.mro.example.net, , ) (ns1ispdk.example.net, , ) (ns2ispdk.example.net, , ) (ns1isp.mro, , ) (ns2isp.ulh, , )
>
> $ getent netgroup u_nocdrift
> u_nocdrift            ( , username1, ) ( , username2, ) ( , username3, ) ( , username4, )
>
>
>   -jf
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
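To make the matching rules discussed in this thread concrete, the following is an added example, written for this page and not code from the original posters or from the sudo project. It parses a constructed LDIF (hypothetical names: web-admins, dnsservers-mgmt, ns1/ns2.example.net, username1/2) into sudoRole and nisNetgroup entries, flattens nested netgroups (memberNisNetgroup) the way innetgr(3) effectively does, and then answers "which sudoCommand values apply to this user on this host". It shows that multi-valued sudoUser and sudoHost attributes are OR-ed within one role, and that a host reached only through a nested netgroup still matches. It is a simplified model of sudo's LDAP matching: it does not implement sudoOrder, sudoRunAs, sudoOption, negated entries or IP/netmask host specs.

```python
import fnmatch

# Constructed sample LDIF (not from the original post). Two sudoRole entries with
# multi-valued attributes, plus nisNetgroup entries, one of which nests another.
SAMPLE_LDIF = """\
dn: cn=web-admins,ou=SUDOers,dc=example,dc=net
objectClass: top
objectClass: sudoRole
cn: web-admins
sudoUser: ed
sudoUser: %admin
sudoHost: web*
sudoCommand: ALL

dn: cn=nocdrift-at-dnsservere,ou=SUDOers,dc=example,dc=net
objectClass: top
objectClass: sudoRole
cn: nocdrift-at-dnsservere
sudoUser: +u_nocdrift
sudoHost: +dnsservers
sudoRunAs: root
sudoCommand: /sbin/service
sudoCommand: /bin/kill
sudoOption: !authenticate

dn: cn=dnsservers,ou=Netgroup,dc=example,dc=net
objectClass: nisNetgroup
cn: dnsservers
nisNetgroupTriple: (ns1.example.net,,)
nisNetgroupTriple: (ns2.example.net,,)
memberNisNetgroup: dnsservers-mgmt

dn: cn=dnsservers-mgmt,ou=Netgroup,dc=example,dc=net
objectClass: nisNetgroup
cn: dnsservers-mgmt
nisNetgroupTriple: (ns2mgmt.mro.example.net,,)

dn: cn=u_nocdrift,ou=Netgroup,dc=example,dc=net
objectClass: nisNetgroup
cn: u_nocdrift
nisNetgroupTriple: (,username1,)
nisNetgroupTriple: (,username2,)
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, attribute -> list of
    values (multi-valued attributes kept in order). No line folding or base64."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_netgroups(entries):
    """Return {netgroup: (hosts, users)} with memberNisNetgroup nesting flattened,
    which is the view sudo gets when it asks innetgr(3) about a host or user."""
    raw = {e["cn"][0]: e for e in entries if "nisNetgroup" in e.get("objectClass", [])}
    cache = {}

    def expand(name, seen):
        if name in cache:
            return cache[name]
        if name in seen or name not in raw:  # cycle or dangling reference: empty
            return set(), set()
        hosts, users = set(), set()
        for triple in raw[name].get("nisNetgroupTriple", []):
            host, user, _domain = [f.strip() for f in triple.strip("()").split(",")]
            if host:
                hosts.add(host)
            if user:
                users.add(user)
        for child in raw[name].get("memberNisNetgroup", []):
            child_hosts, child_users = expand(child, seen | {name})
            hosts |= child_hosts
            users |= child_users
        cache[name] = (hosts, users)
        return cache[name]

    return {name: expand(name, frozenset()) for name in raw}


def host_matches(spec, host, netgroups):
    """sudoHost value: ALL, +netgroup, or a glob such as web*."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return host in netgroups.get(spec[1:], (set(), set()))[0]
    return fnmatch.fnmatchcase(host, spec)


def user_matches(spec, user, groups, netgroups):
    """sudoUser value: ALL, %unixgroup, +netgroup, or a plain user name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("+"):
        return user in netgroups.get(spec[1:], (set(), set()))[1]
    return spec == user


def allowed_commands(entries, user, groups, host):
    """Collect sudoCommand values from every sudoRole where ANY sudoUser value and
    ANY sudoHost value match: multi-valued attributes are OR-ed, as in sudo LDAP."""
    netgroups = build_netgroups(entries)
    cmds = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if any(user_matches(s, user, groups, netgroups) for s in e.get("sudoUser", [])) and \
           any(host_matches(s, host, netgroups) for s in e.get("sudoHost", [])):
            cmds.extend(e.get("sudoCommand", []))
    return cmds


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(allowed_commands(ENTRIES, "ed", set(), "web1"))
    print(allowed_commands(ENTRIES, "username1", set(), "ns2mgmt.mro.example.net"))
```

Note that username1 gets /sbin/service and /bin/kill on ns2mgmt.mro.example.net even though that host appears only in the nested dnsservers-mgmt netgroup, while the same user gets nothing on web1; and a member of the admin group matches web-admins through the second sudoUser value without being listed by name. Whether real sudo resolves memberNisNetgroup depends on the nss netgroup backend on the client, which is worth checking with `getent netgroup` before relying on nesting.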
