[sudo-users] sudoers in ldap

Woodward, Andrew andreww at telenav.com
Tue Nov 2 15:30:49 EDT 2010


I think a little more explaining is necessary.

LDAP:
dc=org,dc=com
	ou=People
		<users>
	ou=Groups
		<posix groups>
		ou=Access
			cn=L2
			cn=L3
			cn=L4
			cn=L5
	ou=Sysadmin
		ou=sudoers
			cn=defaults
			cn=L2_Rights
				sudoHost=ALL
				sudoUser=%L2
				sudoUser=%L3
				sudoUser=%L4
				sudoUser=%L5
			cn=L3_Rights
				sudoHost=ALL
				sudoUser=%L3
				sudoUser=%L4
				sudoUser=%L5
			cn=L4_Rights
				sudoHost=ALL
				sudoUser=%L4
				sudoUser=%L5
			cn=L5_Rights
				sudoHost=ALL
				sudoUser=%L5
Design:

According to the following table user groups should have access into the
following server silos at the following access levels.

            Dev   Test  Stage  Load  eng
Engineering L3    L2    L2     L3    L4
QA          L2    L3    L3     L2
DBA         L4    L4    L4     L4    L4
EngSupport  L5    L5    L5     L5    L5
NetSupport  L1    L1    L1     L1    L1
NOC         L4    L4    L4     L2    L2

Problem:
I don’t see a method to implement the varying access levels between the
silos without creating a copy of each set of sudoers objects and groups for
people to be members of. Having to create these copies is less than ideal,
as it creates too many places to manage and will inevitably be error-prone
due to the number of combinations. I'd be happier if I only had to create
copies of one set of objects over both, but I don’t see a method to
implement one without the other.


> -----Original Message-----
> Sent: Monday, November 01, 2010 3:49 PM
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudoers in ldap
> 
> You can use netgroups but you can also specify multiple sudoHost or even *
> in sudo ldap. In fact each of the fields sudoUser, sudoGroup, sudoHost and
> sudoCommand can be specified multiple times.
> 
> Sudouser: ed
> Sudocmd:all
> Sudohost: web*
> 
> Or
> 
> Sudouser:ed
> Sudouser:%admin
> Sudohost:web1
> Sudohost:web2
> Sudocommand:all
> 
> As the previous poster pointed out netgroups are flexible because you can
> have groups of groups. However if you flatten your recursive groups into
> lists you have the same effect.
> 
> On Friday, October 29, 2010, Jan-Frode Myklebust <mykleb at no.ibm.com>
> wrote:
> > On 2010-10-28, Woodward, Andrew <andreww at telenav.com> wrote:
> >>
> >> I'm wondering if there is some shortcut method to performing this now
> >> that the sudoers is centralized in LDAP without having to create
> >> separate sets of sudoers records and groups for each silo (there are
> >> currently 6 defined, with 5 levels of access == mess of ~144 points
> >> of management)
> >>
> >
> > Not quite sure I understand what a "silo" is, but it sounds like a
> > group of servers. So have you considered using netgroups (also in
> > LDAP) and grant access per netgroup ?
> >
> > We use netgroups both for users and hosts. Example sudo-entry:
> >
> > $ ldapsearch -h sim2.example.net -b dc=example,dc=net -x "(cn=nocdrift-at-dnsservere)"
> >         dn: cn=nocdrift-at-dnsservere,ou=SUDOers,dc=example,dc=net
> >         sudoHost: +dnsservers
> >         sudoUser: +u_nocdrift
> >         sudoRunAs: root
> >         sudoCommand: /sbin/service
> >         sudoCommand: /bin/kill
> >         objectClass: top
> >         objectClass: sudoRole
> >         sudoOption: !authenticate
> >         cn: nocdrift-at-dnsservere
> >
> > $ getent netgroup dnsservers
> > dnsservers            (m1ns1.example.net, , ) (m1ns2.example.net, , )
> > (ns1m.example.net, , ) (ns2m.example.net, , )
> > (ns2mgmt.mro.example.net, , ) (ns1ext.example.net, , )
> > (ns2ext.example.net, , ) (bpf, , ) (ns1mgmt.ulh.example.net, , )
> > (ns1tv.mro.example.net, , ) (ns2tv.ulh.example.net, , )
> > (ns2voip.ulh.example.net, , ) (ns1voip.mro.example.net, , )
> > (ns1ispdk.example.net, , ) (ns2ispdk.example.net, , ) (ns1isp.mro, , )
> > (ns2isp.ulh, , )
> >
> > $ getent netgroup u_nocdrift
> > u_nocdrift            ( , username1, ) ( , username2, ) ( , username3,
> > ) ( , username4, )
> >
> >
> >   -jf
> >
> >
> > __________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws> For list information,
> > options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
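An added example, not code from the thread or from the sudo project: the script below takes the access table from the post and applies the "flatten recursive groups into lists" suggestion from the reply. It emits one sudoRole per (silo, level), naming the existing POSIX groups directly as sudoUser values (every group whose level in that silo is at or above n gets Ln_Rights, mirroring the poster's L2_Rights listing %L2 through %L5), so no per-silo copies of the L2..L5 groups are needed. The base DN, the one-netgroup-per-silo host names, the inclusion of L1 (which the table shows but the posted tree does not), and the sudoCommand value are assumptions.

```python
"""Derive sudoRole LDIF entries from a per-silo access matrix.

Added example for this thread, not code from the list or the poster.
Each (silo, level) becomes one sudoRole whose sudoUser values are the
existing POSIX groups, so the L2..L5 groups are not duplicated per silo.
Base DN, host netgroup names, the L1 level and the sudoCommand value
are assumptions.
"""

SILOS = ["Dev", "Test", "Stage", "Load", "eng"]
LEVELS = [1, 2, 3, 4, 5]   # assumption: the posted tree shows L2..L5; L1 is taken from the table

# Access matrix copied from the post; None marks the blank QA/eng cell.
ACCESS = {
    "Engineering": {"Dev": 3, "Test": 2, "Stage": 2, "Load": 3, "eng": 4},
    "QA":          {"Dev": 2, "Test": 3, "Stage": 3, "Load": 2, "eng": None},
    "DBA":         {s: 4 for s in SILOS},
    "EngSupport":  {s: 5 for s in SILOS},
    "NetSupport":  {s: 1 for s in SILOS},
    "NOC":         {"Dev": 4, "Test": 4, "Stage": 4, "Load": 2, "eng": 2},
}

# Assumed: one host netgroup per silo (as in the ldapsearch example in the
# thread) and one command set per level.  The per-level command sets are
# not given in the thread, so "ALL" is a placeholder to be replaced.
HOST_NETGROUP = {s: f"+{s.lower()}_hosts" for s in SILOS}
COMMANDS = {lvl: ["ALL"] for lvl in LEVELS}


def groups_for(silo, level):
    """Groups entitled to L<level>_Rights in `silo`.

    Mirrors the poster's scheme, where L2_Rights lists %L2..%L5: a group at
    level n also receives every lower level's rights.
    """
    return sorted(
        group for group, row in ACCESS.items()
        if row.get(silo) is not None and row[silo] >= level
    )


def build_roles(base_dn="ou=sudoers,ou=Sysadmin,dc=org,dc=com"):
    """One sudoRole per (silo, level) that has at least one entitled group."""
    roles = []
    for silo in SILOS:
        for level in LEVELS:
            members = groups_for(silo, level)
            if not members:
                continue        # nobody holds this level in this silo: no object needed
            cn = f"{silo}_L{level}_Rights"
            roles.append({
                "dn": f"cn={cn},{base_dn}",
                "cn": cn,
                "sudoHost": [HOST_NETGROUP[silo]],
                "sudoUser": [f"%{g}" for g in members],
                "sudoCommand": COMMANDS[level],
            })
    return roles


def to_ldif(roles):
    """Render the role list as LDIF suitable for ldapadd."""
    out = []
    for r in roles:
        out.append(f"dn: {r['dn']}")
        out.append("objectClass: top")
        out.append("objectClass: sudoRole")
        out.append(f"cn: {r['cn']}")
        for attr in ("sudoHost", "sudoUser", "sudoCommand"):
            out.extend(f"{attr}: {v}" for v in r[attr])
        out.append("")                        # blank line separates LDIF entries
    return "\n".join(out)


def management_points(roles):
    """Objects plus attribute values an admin has to keep correct."""
    return sum(
        1 + len(r["sudoHost"]) + len(r["sudoUser"]) + len(r["sudoCommand"])
        for r in roles
    )


if __name__ == "__main__":
    roles = build_roles()
    print(to_ldif(roles))
    print(f"# {len(roles)} sudoRole objects, {management_points(roles)} values to maintain")
```

For the table in the post this yields 25 sudoRole objects (five silos, five levels each), and the only things that change when a team's level in one silo changes are the sudoUser lines of that silo's roles; group membership stays in the one set of POSIX groups. Note that sudoHost and sudoUser within a single sudoRole are a cross product, which is exactly why the per-silo objects cannot be collapsed further without moving silo-specific hosts into netgroups of their own.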

