[sudo-users] Managing LDAP entries for sudo
Patrick Spinler
spinler.patrick at mayo.edu
Fri Apr 8 22:08:13 EDT 2011
On 4/8/11 7:19 PM, Arnold Wang wrote:
> I'm working on a project to use LDAP server, Microsoft AD
> particularly, as the back end for sudo. It's pretty straightforward
> to get it up and running. However, I need a tool that can be used to
> manage the LDAP entries without requiring deep knowledge in LDAP or
> sudo so the operators can handle the access request easily.
> Thanks in advance for your suggestion.
I'd suggest you write a set of scripts. The ones I wrote look like this:
Disclaimer: since these scripts are only a small part (260 of 6800
lines) of a large body of integrated ldap provisioning code written in
perl, they're not easy to digest.
$ ./list_sudo_priv.pl -?
usage:
./list_sudo_priv.pl [<sudogroup>]
If sudogroup is a netgroup, do not prefix with '+'
options are:
--runasgroup search for privs which are run as this netgroup of users
exclusive with --runasuser
--runasuser search for privs which are run as this specific user
exclusive with --runasgroup
--hostgroup search for privs which can be run on this netgroup of hosts
--env (prod|test|dev)
--debug debug level, 0 = none (default) through 5 = all
$ ./list_sudo_priv.pl --runasuser=oracle
Invoking Users On Hosts Runs As Command
--------------------- -------------------------- ------- -------------
+sudo_oracledba_admin +hgrp_oracle_admin_sudoers oracle NOPASSWD: ALL
$ ./list_sudo_priv.pl --hostgroup=ALL
Invoking Users       On Hosts   Runs As   Command
------------------   --------   -------   ------------------------------------------------------------
+sudo_tivoli_admin   ALL        ibmtm     NOPASSWD: ALL
+sudo_tivoli_admin   ALL        root      NOPASSWD: /bin/su - ibmtm
+sudo_tivoli_admin   ALL        root      NOPASSWD: /sbin/service ITMAgent
+sudo_tivoli_admin   ALL        root      NOPASSWD: /sbin/service ITMAgent *
+sudo_tivoli_admin   ALL        root      NOPASSWD: /shares/nfs/unixnoarch/scripts/tivoli_install.pl *
+sudo_tivoli_admin   ALL        root      NOPASSWD: /shares/nfs/unixnoarch/scripts/tivoli_install.pl
+sudo_unix_admin     ALL        ALL       NOPASSWD: ALL
And to show adding and removing privs:
$ ./modify_sudo_priv.pl --help
usage:
./modify_sudo_priv.pl (grant|revoke|remove|add) <sudogroup> "command" ["command" ...]
Commands should be fully quoted to avoid errors
options are:
--nopasswd put or remove the NOPASSWD: option on the privilege set
--runasgroup netgroup of users to grant priv to run as.
exclusive with --runasuser
--runasuser username to grant priv to run as. Defaults to ALL
exclusive with --runasgroup
--hostgroup netgroup of hosts (hgrp) to grant privs to run command on
defaults to ALL
--env (prod|test|dev)
--debug debug level, 0 = none (default) through 5 = all
--dryrun flag -- disable most changes to ldap
$ ./modify_sudo_priv.pl --hostgroup hgrp_ddqb_prog_sudoers --runasuser=root --nopasswd add sudo_ddqb_prog "/bin/su - fooaccount"
$ ./list_sudo_priv.pl 'sudo_ddqb_prog'
Invoking Users    On Hosts                  Runs As   Command
---------------   -----------------------   -------   ------------------------------
+sudo_ddqb_prog   +hgrp_ddqb_prog_sudoers   root      NOPASSWD: /bin/su - fooaccount
$ ./modify_sudo_priv.pl --hostgroup hgrp_ddqb_prog_sudoers --runasuser=root --nopasswd remove sudo_ddqb_prog "/bin/su - fooaccount"
-- Pat
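An added example, not Pat's Perl scripts: it models sudoRole entries the way the sudoers LDAP schema (sudoers.ldap(5)) stores them and reproduces the list/add/remove behaviour described above, plus a small audit helper that pulls out the NOPASSWD: ALL rows an operator should review first. Entries are constructed in-memory dicts, so nothing contacts a directory; the DN suffix in the LDIF helper is a placeholder you supply.

```python
# Constructed sudoRole entries following the sudoers LDAP schema: netgroups carry
# the '+' prefix in sudoUser/sudoHost, and NOPASSWD is the sudoOption "!authenticate".

def sudo_role_from_args(sudogroup, commands, hostgroup="ALL",
                        runasuser="ALL", nopasswd=False):
    """Build the attribute dict for one sudoRole from modify_sudo_priv.pl-style options."""
    entry = {
        "objectClass": ["top", "sudoRole"],
        "cn": [sudogroup],
        "sudoUser": ["+" + sudogroup],                      # netgroup of invoking users
        "sudoHost": [hostgroup if hostgroup == "ALL" else "+" + hostgroup],
        "sudoRunAsUser": [runasuser],
        "sudoCommand": list(commands),
    }
    if nopasswd:
        entry["sudoOption"] = ["!authenticate"]
    return entry


def list_privs(entries, runasuser=None, hostgroup=None):
    """Flatten sudoRole entries into (user, host, runas, command) rows, like list_sudo_priv.pl."""
    rows = []
    for e in entries:
        runas_values = e.get("sudoRunAsUser", ["ALL"])
        if runasuser and runasuser not in runas_values:
            continue
        # --hostgroup matches either the literal ALL or the '+'-prefixed netgroup
        if hostgroup and not {hostgroup, "+" + hostgroup} & set(e["sudoHost"]):
            continue
        tag = "NOPASSWD: " if "!authenticate" in e.get("sudoOption", []) else ""
        for user in e["sudoUser"]:
            for host in e["sudoHost"]:
                for runas in runas_values:
                    for cmd in e["sudoCommand"]:
                        rows.append((user, host, runas, tag + cmd))
    return rows


def ldif_modify_command(dn, action, command):
    """LDIF change record adding or deleting one sudoCommand value (usable as a --dryrun preview)."""
    op = {"add": "add", "remove": "delete"}[action]
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"{op}: sudoCommand", f"sudoCommand: {command}", "-", ""])


def unrestricted_privs(rows):
    """Rows granting every command without a password: the first thing to review in an audit."""
    return [r for r in rows if r[3] == "NOPASSWD: ALL"]
```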