[sudo-users] Managing LDAP entries for sudo

Patrick Spinler spinler.patrick at mayo.edu
Fri Apr 8 22:08:13 EDT 2011


On 4/8/11 7:19 PM, Arnold Wang wrote:
> I'm working on a project to use LDAP server, Microsoft AD
> particularly,  as the back end for sudo. It's pretty straight forward
> to get it up and running. However, I need a tool that can be used to
> manage the LDAP entries without requiring deep knowledge in LDAP or
> sudo so the operators can handle the access request easily.
> Thanks in advance for your suggestion.

I'd suggest you write a set of scripts.  The ones I wrote look like this:

Disclaimer: since these scripts are only a small part (260 of 6800
lines) of a large body of integrated ldap provisioning code written in
perl, they're not easy to digest.

$ ./list_sudo_priv.pl -?
usage:
./list_sudo_priv.pl [<sudogroup>]
If sudogroup is a netgroup, do not prefix with '+'
options are:
    --runasgroup search for privs which are run as this netgroup of users
                 exclusive with --runasuser
    --runasuser  search for privs which are run as this specific user
                 exclusive with --runasgroup
    --hostgroup  search for privs which can be run on this netgroup of hosts
    --env        (prod|test|dev)
    --debug      debug level, 0 = none (default) through 5 = all

$ ./list_sudo_priv.pl --runasuser=oracle
Invoking Users        On Hosts                   Runs As Command     
--------------------- -------------------------- ------- -------------
+sudo_oracledba_admin +hgrp_oracle_admin_sudoers oracle  NOPASSWD: ALL


$ ./list_sudo_priv.pl --hostgroup=ALL
Invoking Users     On Hosts Runs As Command
------------------ -------- ------- ------------------------------------------------------------
+sudo_tivoli_admin ALL      ibmtm   NOPASSWD: ALL
+sudo_tivoli_admin ALL      root    NOPASSWD: /bin/su - ibmtm
+sudo_tivoli_admin ALL      root    NOPASSWD: /sbin/service ITMAgent
+sudo_tivoli_admin ALL      root    NOPASSWD: /sbin/service ITMAgent *
+sudo_tivoli_admin ALL      root    NOPASSWD: /shares/nfs/unixnoarch/scripts/tivoli_install.pl *
+sudo_tivoli_admin ALL      root    NOPASSWD: /shares/nfs/unixnoarch/scripts/tivoli_install.pl
+sudo_unix_admin   ALL      ALL     NOPASSWD: ALL


And to show adding and removing privs:


$ ./modify_sudo_priv.pl --help
usage:
./modify_sudo_priv.pl (grant|revoke|remove|add) <sudogroup> "command"
["command" ...]
Commands should be fully quoted to avoid errors
options are:
    --nopasswd   put or remove the NOPASSWD: option on the privilege set
    --runasgroup netgroup of users to grant priv to run as.
                 exclusive with --runasuser
    --runasuser  username to grant priv to run as. Defaults to ALL
                 exclusive with --runasgroup
    --hostgroup netgroup of hosts (hgrp) to grant privs to run command on
                 defaults to ALL
    --env (prod|test|dev)
    --debug      debug level, 0 = none (default) through 5 = all
    --dryrun     flag -- disable most changes to ldap

$ ./modify_sudo_priv.pl --hostgroup hgrp_ddqb_prog_sudoers --runasuser=root --nopasswd add sudo_ddqb_prog "/bin/su - fooaccount"

$ ./list_sudo_priv.pl 'sudo_ddqb_prog'
Invoking Users  On Hosts                Runs As Command
--------------- ----------------------- ------- ------------------------------
+sudo_ddqb_prog +hgrp_ddqb_prog_sudoers root    NOPASSWD: /bin/su - fooaccount

$ ./modify_sudo_priv.pl --hostgroup hgrp_ddqb_prog_sudoers --runasuser=root --nopasswd remove sudo_ddqb_prog "/bin/su - fooaccount"


-- Pat
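Added example, not part of Pat's scripts or the sudo project: a small Python sketch of the same add/remove idea, emitting the LDIF a sudoRole entry needs (sudoUser and sudoHost carry the '+' netgroup prefix, sudoRunAsUser and sudoCommand hold the rest, and NOPASSWD is stored as sudoOption: !authenticate) plus the listing row the entry would produce. The base DN, the SudoRole class and the function names are assumptions; the role values are the sudo_ddqb_prog example from the post.

```python
"""Build sudoRole LDIF records for the grant/remove workflow shown above (added example)."""
from dataclasses import dataclass, field

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"  # assumed container for sudoRole entries


@dataclass
class SudoRole:
    cn: str                       # entry name, here the sudogroup netgroup name
    users: list                   # sudoUser values; netgroups keep their '+' prefix
    hosts: list                   # sudoHost values; 'ALL' or '+hgrp_...'
    runas_user: str = "ALL"       # sudoRunAsUser
    commands: list = field(default_factory=list)   # sudoCommand values, fully quoted
    nopasswd: bool = False        # rendered as sudoOption: !authenticate


def role_dn(role):
    return f"cn={role.cn},{SUDOERS_BASE}"


def ldif_add(role):
    """LDIF record that creates the whole sudoRole entry (changetype: add)."""
    lines = [f"dn: {role_dn(role)}", "changetype: add",
             "objectClass: top", "objectClass: sudoRole", f"cn: {role.cn}"]
    lines += [f"sudoUser: {u}" for u in role.users]
    lines += [f"sudoHost: {h}" for h in role.hosts]
    lines.append(f"sudoRunAsUser: {role.runas_user}")
    lines += [f"sudoCommand: {c}" for c in role.commands]
    if role.nopasswd:
        lines.append("sudoOption: !authenticate")
    return "\n".join(lines) + "\n"


def ldif_modify_command(role, op, command):
    """LDIF modify that adds or deletes one sudoCommand value on an existing entry."""
    if op not in ("add", "remove"):
        raise ValueError(f"unknown op {op!r}")
    mod = "add" if op == "add" else "delete"
    return "\n".join([f"dn: {role_dn(role)}", "changetype: modify",
                      f"{mod}: sudoCommand", f"sudoCommand: {command}", "-"]) + "\n"


def list_rows(role):
    """One (users, hosts, runas, command) row per command, as the listing prints them."""
    tag = "NOPASSWD: " if role.nopasswd else ""
    return [(" ".join(role.users), " ".join(role.hosts), role.runas_user, f"{tag}{c}")
            for c in role.commands]


if __name__ == "__main__":
    # constructed from the sudo_ddqb_prog example in the post
    role = SudoRole("sudo_ddqb_prog", ["+sudo_ddqb_prog"], ["+hgrp_ddqb_prog_sudoers"],
                    "root", ["/bin/su - fooaccount"], nopasswd=True)
    print(ldif_add(role))
    print(ldif_modify_command(role, "remove", "/bin/su - fooaccount"))
```

Feed the output to ldapmodify against the sudoers container; a dry-run mode like the scripts' --dryrun is simply printing the LDIF without sending it.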