[sudo-users] Fwd: SUDO centralization based on Server!
JR Aquino
JR.Aquino at citrix.com
Fri Jul 22 17:25:04 EDT 2011
For greater abstraction, you can also utilize LDAP (nisNetgroups) to store groups of hosts for processing... that way you don't have to have lots of hosts listed in a sudo rule / sudoRole LDAP object.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com
On Jul 22, 2011, at 2:22 PM, Woodward, Andrew wrote:
> In absence of knowing the name of server1 or server2, we have gone down two
> paths: all server 2 types see one sudoers base DN and all server 1 types see a
> different sudoers base DN. This allows us to split up the environment
> without having to list each host. Additionally, we allow the user to be added
> to groups that exist in /etc/group instead of LDAP if they need power-user
> access on just that server.
>
> -
>
> Andrew Woodward
>
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of JR Aquino
> Sent: Monday, July 04, 2011 7:31 AM
> To: pradyumna dash
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] Fwd: SUDO centralization based on Server!
>
> You can centralize this with two separate ldap sudo objects.
>
> Rule1 will have server1, your user/group, and your 1st set of cmds
>
> Rule2 will have server2, your user/group, and your 2nd set of cmds
>
>
> The rules should look like the examples in here:
> http://www.gratisoft.us/sudo/man/1.8.1/sudoers.ldap.man.html
>
>
> ~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino
> Info. Security Specialist
> Citrix Online
> Jr.Aquino at citrixonline.com
> 805.690.3478
> GCIH, CCNA
>
> On Jul 4, 2011, at 2:40 AM, "pradyumna dash" <neomatrixgem at gmail.com> wrote:
>
>> Hi,
>>
>> I need a solution for the below SUDO configuration.
>>
>> I have centralized SUDO with OpenLDAP, but I have a query. Say I have
>> 2 servers, server1 and server2, and a user called bob which is an
>> OpenLDAP user.
>> What I want is that when bob logs in to server1 he has a different
>> SUDO command list, and when he logs in to server2 he gets a
>> different list of commands which he is allowed to use.
>>
>> Can this issue be resolved? Now I am having 2 individual SUDO files on each
>> server; can I centralize this?
>>
>> Regards,
>> Neo
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws> For list information,
>> options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>
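For readers who want to see the two approaches from this thread spelled out, here is a constructed LDIF. It is an added example, not something posted by JR, Andrew or Neo, and not taken from the sudo project. The base DN ou=SUDOers,dc=example,dc=com, the netgroup OU, the host names server1/server2/server3, the user bob, the group webadmins and the command paths are all assumptions chosen for illustration. The first two entries are JR's "two sudoRole objects" answer: same sudoUser, different sudoHost, different sudoCommand lists. The last two entries are the nisNetgroup refinement from his follow-up, where sudoHost names a netgroup with a leading '+' so that adding a host means editing the netgroup rather than every rule.

```ldif
# Constructed example. Base DN, OUs, hosts, users and commands are
# placeholders; adjust to your directory. Every client host points its
# sudoers_base (in ldap.conf / sudo-ldap.conf, depending on build) at
# ou=SUDOers,dc=example,dc=com.

# Rule1: bob on server1 gets the first command set
dn: cn=bob_server1,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: bob_server1
sudoUser: bob
sudoHost: server1
sudoRunAsUser: root
sudoCommand: /sbin/service httpd restart
sudoCommand: /sbin/service httpd status

# Rule2: bob on server2 gets a different command set.
# Same sudoUser, different sudoHost, different commands; no ALL anywhere.
dn: cn=bob_server2,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: bob_server2
sudoUser: bob
sudoHost: server2
sudoRunAsUser: root
sudoCommand: /sbin/service postgresql restart
sudoCommand: /usr/bin/tail -f /var/log/messages

# Netgroup variant: define the host set once. Triples are (host,user,domain);
# '-' in the user field means "no user", and the domain is left empty.
dn: cn=webservers,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: webservers
nisNetgroupTriple: (server1,-,)
nisNetgroupTriple: (server3,-,)

# A rule that applies to every host in the netgroup, for every member of
# the (assumed) POSIX group webadmins. New web hosts join the netgroup
# above; this sudoRole never needs to change.
dn: cn=web_admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: web_admins
sudoUser: %webadmins
sudoHost: +webservers
sudoRunAsUser: root
sudoCommand: /sbin/service httpd restart
sudoCommand: /sbin/service httpd status
```

Two things to check after loading this. First, on each host run `sudo -l -U bob` and confirm only that host's command list appears; sudoHost is matched against the host's short name and FQDN, so a host whose `hostname` output does not match the sudoHost value silently gets no rules. Second, the '+webservers' form only works if the client can resolve netgroups at all: sudo matches netgroup hosts via innetgr(3), which goes through NSS, so the host's nss_ldap/sssd configuration must serve the netgroup map, not just passwd/group. Andrew's split-base approach from this thread needs no LDIF change beyond placing the two rule sets under two different OUs; the per-server-type difference then lives entirely in which base DN each host's sudoers_base setting names.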