[sudo-users] sudo and ldap

Michael Ströder michael at stroeder.com
Tue Feb 23 10:51:24 MST 2016

Darran Carey wrote:
> We currently have sudo integration with our test LDAP server (389 directory
> server) working very nicely for both SLES and CentOS clients. There is one issue
> to resolve before considering moving this into production. We allow anonymous
> binds to our LDAP servers which means any user can search the SUDOERS ou. I
> would equate this with running with world-readable /etc/sudoers.
> Is it possible to tighten the security of the SUDOERS ou and still allow users
> to bind anonymously for general LDAP searches, or is the only way to implement
> this to have a separate bind DN? Does anyone have any experience with sudo/LDAP
> integration that they would be willing to share?

What you can do regarding server-side access control is rather a question about
the directory server's capabilities, in your case 389-DS.

In general there's no authorization without authentication. So you have to add
some kind of authentication. The possibilities range from IP-based, through
passwords or Kerberos, to TLS client certs. You should also consider whether
direct LDAP access is the best approach or whether you want to get sudoers
entries via e.g. sssd.

Are you willing to do this effort?

If yes, then you should also take care of groups and users... ;-)

Ciao, Michael.

P.S.: Read about a paranoid approach here:


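As an added illustration of the server-side option discussed in this thread (this is not from the original post or from the 389-DS project), here is a 389-DS ACI change that makes the sudoers OU opaque to anonymous binds while leaving anonymous search available elsewhere in the tree. The suffix `dc=example,dc=com`, the OU `ou=SUDOers,dc=example,dc=com` and the service account `uid=sudo-reader,ou=Services,dc=example,dc=com` are assumed names constructed for the example. It relies on two properties of 389-DS ACI evaluation: ACIs set on parent entries are inherited, so a suffix-level "anonymous read" ACI would still reach this OU, and an explicit deny takes precedence over any allow.

```ldif
# Added example, not from the thread. Assumed (constructed) names:
#   suffix:          dc=example,dc=com
#   sudoers subtree: ou=SUDOers,dc=example,dc=com
#   service account: uid=sudo-reader,ou=Services,dc=example,dc=com
#
# "replace: aci" discards every ACI currently stored on the OU entry itself;
# dump them first (ldapsearch ... "(objectClass=*)" aci) if any must survive.
#
# ACI 1: deny unauthenticated binds. authmethod="none" matches a bind that
#        presented no credentials, so authenticated users are unaffected.
#        This is what stops an inherited suffix-level anonymous-read ACI
#        from exposing the sudoRole entries.
# ACI 2: allow the one bind DN that sudo or sssd uses to read the subtree.
#        To allow every authenticated user instead (closer to a 0644
#        /etc/sudoers, but no longer world-readable), use
#        userdn="ldap:///all" in place of the service-account DN.
dn: ou=SUDOers,dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr="*")(version 3.0; acl "sudoers: deny anonymous";
  deny (all) (userdn="ldap:///anyone" and authmethod="none");)
aci: (targetattr="*")(version 3.0; acl "sudoers: service account read";
  allow (read,search,compare)
  (userdn="ldap:///uid=sudo-reader,ou=Services,dc=example,dc=com");)
```

Apply it with `ldapmodify` as the directory manager, then verify both sides of the rule: an anonymous `ldapsearch -x -H ldap://server -b ou=SUDOers,dc=example,dc=com` should return no entries, while the same search with `-D uid=sudo-reader,ou=Services,dc=example,dc=com -W` should return the sudoRole entries. The service-account DN and its password then go into sudo's ldap.conf (`binddn`/`bindpw`) or sssd's `ldap_default_bind_dn`/`ldap_default_authtok`; that file is what now deserves root-only permissions on each client, which is the "groups and users" follow-up work Michael alludes to above.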