[sudo-users] sudo and ldap

Darran Carey darran.carey at pawsey.org.au
Wed Feb 24 07:33:03 MST 2016

Hi Michael,

Thanks very much for your response. I'll take a look at your slides and 
follow up if I have any questions.


On 2016-02-24 01:51, Michael Ströder wrote:
> Darran Carey wrote:
>> We currently have sudo integration with our test LDAP server (389 
>> directory
>> server) working very nicely for both SLES and CentOS clients. There is 
>> one issue
>> to resolve before considering moving this into production. We allow 
>> anonymous
>> binds to our LDAP servers which means any user can search the SUDOERS 
>> ou. I
>> would equate this with running with world-readable /etc/sudoers.
>> Is it possible to tighten the security of the SUDOERS ou and still 
>> allow users
>> to bind anonymously for general LDAP searches, or is the only way to 
>> implement
>> this to have a separate bind DN? Does anyone have any experience with 
>> sudo/LDAP
>> integration that they would be willing to share?
> What you can do regarding server-side access control is rather a 
> question about
> the directory server's capabilities, in your case 389-DS.
> In general there's no authorization without authentication. So you have 
> to add
> some kind of authentication. The possibilities range from IP-based over
> passwords or Kerberos to TLS clients certs. You should also consider 
> whether
> direct LDAP access is the best approach or whether you want to get 
> sudoers
> entries via e.g. sssd.
> Are you willing to do this effort?
> If yes, then you should also take care of groups and users... ;-)
> Ciao, Michael.
> P.S.: Read about a paranoid approach here:
>       http://ldapcon.org/2015/?page_id=172

More information about the sudo-users mailing list