[sudo-users] sudoers in ldap
Jan-Frode Myklebust
mykleb at no.ibm.com
Fri Oct 29 19:24:43 EDT 2010
On 2010-10-28, Woodward, Andrew <andreww at telenav.com> wrote:
>
> I'm wondering if there is some shortcut method to performing this now that
> the sudoers is centralized in LDAP without having to create separate sets of
> sudoers records and groups for each silo (there are currently 6 defined,
> with 5 levels of access == mess of ~144 points of management)
>
Not quite sure I understand what a "silo" is, but it sounds like a
group of servers. So have you considered using netgroups (also in
LDAP) and grant access per netgroup?
We use netgroups both for users and hosts. Example sudo-entry:
$ ldapsearch -h sim2.example.net -b dc=example,dc=net -x "(cn=nocdrift-at-dnsservere)"
dn: cn=nocdrift-at-dnsservere,ou=SUDOers,dc=example,dc=net
sudoHost: +dnsservers
sudoUser: +u_nocdrift
sudoRunAs: root
sudoCommand: /sbin/service
sudoCommand: /bin/kill
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
cn: nocdrift-at-dnsservere
$ getent netgroup dnsservers
dnsservers (m1ns1.example.net, , ) (m1ns2.example.net, , ) (ns1m.example.net, , ) (ns2m.example.net, , ) (ns2mgmt.mro.example.net, , ) (ns1ext.example.net, , ) (ns2ext.example.net, , ) (bpf, , ) (ns1mgmt.ulh.example.net, , ) (ns1tv.mro.example.net, , ) (ns2tv.ulh.example.net, , ) (ns2voip.ulh.example.net, , ) (ns1voip.mro.example.net, , ) (ns1ispdk.example.net, , ) (ns2ispdk.example.net, , ) (ns1isp.mro, , ) (ns2isp.ulh, , )
$ getent netgroup u_nocdrift
u_nocdrift ( , username1, ) ( , username2, ) ( , username3, ) ( , username4, )
-jf
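As an added example, not code from this post, here is how the "+netgroup" references in such a sudoRole resolve: sudo hands them to innetgr(3), where each netgroup member is a (host, user, domain) triple, a blank field is a wildcard, "-" matches nothing, and memberNisNetgroup nests groups. The entries and names below are constructed, modelled on the ones quoted above.

```python
# Added example (not from the post): resolve "+netgroup" references in a sudoRole
# the way sudo's LDAP backend does via innetgr(3). Netgroup members are triples
# (host, user, domain); a blank field is a wildcard, "-" matches nothing, and
# memberNisNetgroup nests groups. Data below is constructed, modelled on the post.
SUDO_ROLE = {
    "cn": "nocdrift-at-dnsservere",
    "sudoHost": ["+dnsservers"],
    "sudoUser": ["+u_nocdrift"],
    "sudoCommand": ["/sbin/service", "/bin/kill"],
}
NETGROUPS = {  # name -> (triples, nested member netgroups)
    "dnsservers": ([("m1ns1.example.net", "", ""), ("ns1ext.example.net", "", "")], []),
    "u_nocdrift": ([("", "username1", ""), ("", "username2", "")], []),
    "u_noc_all": ([("", "username9", "")], ["u_nocdrift"]),  # nests u_nocdrift
}

def netgroup_triples(name, seen=None):
    """Expand a netgroup recursively; 'seen' guards against membership cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in NETGROUPS:
        return []
    seen.add(name)
    triples, members = NETGROUPS[name]
    out = list(triples)
    for child in members:
        out.extend(netgroup_triples(child, seen))
    return out

def innetgr(name, host=None, user=None, domain=None):
    """Mimic innetgr(3): a None query field means don't-care, a blank triple field is a wildcard."""
    def field_ok(want, have):
        return want is None or (have != "-" and have in ("", want))
    return any(field_ok(host, h) and field_ok(user, u) and field_ok(domain, d)
               for h, u, d in netgroup_triples(name))

def matches(spec, value, kind):
    """One sudoHost/sudoUser value: 'ALL', a '+netgroup' reference, or a literal."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return innetgr(spec[1:], **{kind: value})
    return spec == value

def role_applies(role, host, user):
    """True when the sudoRole grants 'user' something on 'host' (sudoRunAs/sudoOption ignored)."""
    return (any(matches(s, host, "host") for s in role["sudoHost"])
            and any(matches(s, user, "user") for s in role["sudoUser"]))
```

Because a blank user field in a host triple is a wildcard, a host-only netgroup like dnsservers referenced from sudoUser would match every user (and a user-only netgroup in sudoHost every host), which is why the post keeps host and user netgroups separate.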