[sudo-users] sudo and ldap
Darran Carey
darran.carey at pawsey.org.au
Wed Feb 24 07:33:03 MST 2016
Hi Michael,
Thanks very much for your response. I'll take a look at your slides and
follow up if I have any questions.
Cheers,
Darran.
On 2016-02-24 01:51, Michael Ströder wrote:
> Darran Carey wrote:
>> We currently have sudo integration with our test LDAP server (389
>> directory server) working very nicely for both SLES and CentOS clients.
>> There is one issue to resolve before considering moving this into
>> production. We allow anonymous binds to our LDAP servers which means any
>> user can search the SUDOERS ou. I would equate this with running with
>> world-readable /etc/sudoers.
>>
>> Is it possible to tighten the security of the SUDOERS ou and still allow
>> users to bind anonymously for general LDAP searches, or is the only way to
>> implement this to have a separate bind DN? Does anyone have any experience
>> with sudo/LDAP integration that they would be willing to share?
>
> What you can do regarding server-side access control is rather a question
> about the directory server's capabilities, in your case 389-DS.
>
> In general there's no authorization without authentication. So you have to
> add some kind of authentication. The possibilities range from IP-based over
> passwords or Kerberos to TLS client certs. You should also consider whether
> direct LDAP access is the best approach or whether you want to get sudoers
> entries via e.g. sssd.
>
> Are you willing to do this effort?
>
> If yes, then you should also take care of groups and users... ;-)
>
> Ciao, Michael.
>
> P.S.: Read about a paranoid approach here:
> http://ldapcon.org/2015/?page_id=172
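As an added example (not from either poster), one way to do the server-side restriction Michael describes on 389-DS: keep the existing anonymous read on the suffix, but restrict ou=SUDOERS to a dedicated low-privilege bind DN that the sudo clients (or sssd) authenticate as. The suffix, account name and password below are hypothetical placeholders.

```ldif
# Hypothetical tree: dc=example,dc=com with ou=SUDOERS and ou=Services.
# 1. A service account with no rights beyond what the ACI below grants;
#    sudo clients (or sssd's sudo provider) bind as this DN.
dn: uid=sudo-reader,ou=Services,dc=example,dc=com
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: sudo-reader
userPassword: PLACEHOLDER-set-a-real-password

# 2. ACIs on the SUDOERS container. 389-DS inherits ACIs down the tree and
#    evaluates deny before allow, so the suffix-level ACI that grants
#    anonymous read would otherwise still expose these entries. Denying
#    everyone except the service account overrides it for this subtree only,
#    while anonymous searches elsewhere in the suffix keep working.
dn: ou=SUDOERS,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Hide sudoers from everyone but sudo-reader"; deny (all) userdn != "ldap:///uid=sudo-reader,ou=Services,dc=example,dc=com";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "sudo-reader may read sudoers"; allow (read,search,compare) userdn = "ldap:///uid=sudo-reader,ou=Services,dc=example,dc=com";)
```

On the clients, point sudo's LDAP configuration (sudoers_base, binddn, bindpw, in a file readable only by root) or sssd's sudo provider at this account. Verify with an anonymous ldapsearch against ou=SUDOERS (expect no entries returned) and one bound as uid=sudo-reader (expect the sudoRole entries).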