[sudo-users] sudo and ldap
darran.carey at pawsey.org.au
Wed Feb 24 07:33:03 MST 2016
Thanks very much for your response. I'll take a look at your slides and
follow up if I have any questions.
On 2016-02-24 01:51, Michael Ströder wrote:
> Darran Carey wrote:
>> We currently have sudo integration with our test LDAP server (389 server)
>> working very nicely for both SLES and CentOS clients. There is one issue
>> to resolve before considering moving this into production. We allow
>> anonymous binds to our LDAP servers, which means any user can search the
>> SUDOERS ou. I would equate this with running with a world-readable
>> /etc/sudoers.
>> Is it possible to tighten the security of the SUDOERS ou and still allow
>> users to bind anonymously for general LDAP searches, or is the only way
>> to do this to have a separate bind DN? Does anyone have any experience
>> with this integration that they would be willing to share?
> What you can do regarding server-side access control is rather a question
> about the directory server's capabilities, in your case 389-DS.
> In general there's no authorization without authentication. So you have to
> add some kind of authentication. The possibilities range from IP-based over
> passwords or Kerberos to TLS client certs. You should also consider whether
> direct LDAP access is the best approach or whether you want to get entries
> via e.g. sssd.
> Are you willing to make this effort?
> If yes, then you should also take care of groups and users... ;-)
> Ciao, Michael.
> P.S.: Read about a paranoid approach here:
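One way to implement the server-side restriction Michael describes on 389-DS, as an added example that is not part of this thread: an LDIF adding two ACIs to the sudo subtree so unauthenticated binds see nothing there while a dedicated reader group (whose member would be the sudo/sssd bind DN) keeps read access. The suffix, ou names and group name are assumptions; adjust them to your tree.

```ldif
# Constructed example for a 389-DS server; dn values are placeholders.
# 389-DS evaluates ACIs with deny taking precedence over allow, and ACIs
# on an entry are inherited by its subtree. The first ACI therefore
# overrides any suffix-level "anonymous read" ACI for ou=SUDOers only,
# leaving anonymous searches of the rest of the tree untouched.
dn: ou=SUDOers,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Deny anonymous access to sudoers";
  deny (all) authmethod="none";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Sudo readers may read sudoers";
  allow (read,search,compare)
  groupdn="ldap:///cn=sudo-readers,ou=Groups,dc=example,dc=com";)
```

Apply with `ldapmodify` as the Directory Manager, then check with an anonymous `ldapsearch -b ou=SUDOers,dc=example,dc=com` (expect no entries) and the same search bound as a member of cn=sudo-readers (expect the sudoRole entries).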