This is the second part of the article; if you missed the first one, take a look at Part One.
LDAP setup
Suppose your root suffix is dc=company,dc=com. You need to add the following entry to your directory:
dn: ou=sudoers,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
description: Sudo Configuration
ou: sudoers
We also need a defaults entry; its sudoOption values apply to every role:
dn: cn=defaults,ou=sudoers,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Our default options
sudoOption: ignore_local_sudoers
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
To get the most out of sudo's options, take a look at its website. You can add as many roles as you like; suppose you want one for system administration. Note that the cn attribute must carry the same value as the entry's RDN (here sysadmin), otherwise the directory server rejects the add:
dn: cn=sysadmin,ou=sudoers,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: sysadmin
sudoUser: tuxman
sudoUser: darkman
sudoUser: bill
sudoHost: ALL
sudoCommand: /usr/bin/ls
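Before loading roles like the ones above into the directory, it helps to check them the way sudo will read them. The script below is an added example (mine, not code from the original post or from the sudo project): it parses sudoRole LDIF, flags a cn that does not match its RDN (the kind of entry a server rejects), builds the per-user search filter sudo sends, and replays the host and command matching for a given user. It assumes only sudoUser, sudoHost and sudoCommand with ALL, %group and '!' negation, which is the subset this post uses; the LDIF it works on is constructed from the entries above plus a dba role with negation and a deliberate cn mismatch.

```python
# Added example, not from the original post: parse sudoRole LDIF entries and
# replay the lookup sudo's LDAP backend performs for one user, host and command.
# Assumptions (mine, not the post's): only sudoUser/sudoHost/sudoCommand with
# ALL, %group and '!' are modelled, the subset the post uses; the LDIF below is
# constructed from the entries above plus a dba role whose cn is deliberately wrong.

SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers
sudooption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog

dn: cn=sysadmin,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
cn: sysadmin
sudoUser: tuxman
sudoUser: darkman
sudoHost: ALL
sudoCommand: /usr/bin/ls

dn: cn=dba,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
cn: unix_admins
sudoUser: %dba
sudoHost: db1
sudoCommand: ALL
sudoCommand: !/bin/sh
"""

def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> values. LDAP attribute names
    are case-insensitive, so sudoOption and sudooption share one list. Folded
    lines and base64 ('::') values are not handled; the post uses neither."""
    entries, cur = [], None
    for line in text.splitlines() + [""]:        # trailing "" closes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        attr, _, value = line.partition(":")
        cur = cur or {}
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def lint(entries):
    """Mistakes the directory server rejects or sudo silently skips."""
    problems = []
    for e in entries:
        dn = e["dn"][0]
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in e.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN value '{rdn_val}' missing from {rdn_attr}")
        if "sudorole" not in map(str.lower, e.get("objectclass", [])):
            problems.append(f"{dn}: no objectClass sudoRole, sudo never sees it")
    return problems

def sudo_filter(user, groups):
    """The per-user filter sudo sends (compare the 'ldap search' line in the trace)."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    return "(|" + "".join(terms) + "(sudoUser=ALL))"

def match_attr(values, candidate):
    """sudo's per-attribute rule: ALL or an equal value matches, a leading '!'
    negates, the last matching value wins; None means nothing matched. LDAP
    promises no value order, which is why sudoers.ldap warns about '!'."""
    verdict = None
    for v in values:
        if v.lstrip("!") in ("ALL", candidate):
            verdict = not v.startswith("!")
    return verdict

def lookup(entries, user, groups, host, command):
    """Options from cn=defaults, then the roles the user filter would return,
    checked for host then command; the first definite command verdict decides."""
    tokens = {user, "ALL"} | {f"%{g}" for g in groups}
    options, result = [], {"allowed": False, "role": None}
    for e in entries:
        if "sudorole" not in map(str.lower, e.get("objectclass", [])):
            continue
        if e.get("cn") == ["defaults"]:
            options += e.get("sudooption", [])
            continue
        if not tokens & set(e.get("sudouser", [])):
            continue                                  # server would not return it
        if match_attr(e.get("sudohost", []), host) is not True:
            continue
        verdict = match_attr(e.get("sudocommand", []), command)
        if verdict is not None:
            result = {"allowed": verdict, "role": e["dn"][0]}
            break
    result["options"] = options
    return result

if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(lint(roles), sudo_filter("tuxman", ["other"]))
    print(lookup(roles, "tuxman", ["other"], "host", "/usr/bin/ls"))
```

The lint catches the dn/cn mismatch; the lookup then replays matching as if the entries had loaded, so you can see that tuxman may run /usr/bin/ls anywhere while a %dba member on db1 gets everything except /bin/sh. Swap the order of the two sudoCommand values in the dba role and the negation stops working, which is exactly why '!' is fragile in directory-based rules.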
Configuring sudo itself is outside the scope of this post. Note, however, that the sudo source ships a utility, sudoers2ldif, a Perl script that translates an existing sudoers file into LDIF. The next step is to modify the client profile so that the sudoers service points at the OU created above; the serviceSearchDescriptor line is the one to add. You probably have a profile similar to this one:
dn: cn=default,ou=profile,dc=company,dc=com
objectClass: DUAConfigProfile
defaultSearchBase: dc=company,dc=com
cn: default
credentialLevel: proxy
defaultServerList: 192.168.76.66
profileTTL: 300
searchTimeLimit: 60
authenticationMethod: simple
serviceSearchDescriptor: sudoers:ou=sudoers,dc=company,dc=com
After these modifications you must re-initialize your client so that it picks up the new profile. One caveat before you do: credentialLevel: proxy combined with authenticationMethod: simple means the proxy account's password crosses the wire in the clear; outside a lab, use tls:simple instead so that the bind is protected by TLS.
Setting up /etc/ldap.conf and nsswitch.conf
It's time to tell the client where to find the sudoers entries, by means of /etc/ldap.conf, which looks something like this:
uri ldap://192.168.76.66
sudoers_base ou=sudoers,dc=company,dc=com
binddn cn=proxyagent,ou=profile,dc=company,dc=com
bindpw password
sudoers_debug 0
You might use anonymous access instead; that is your choice, just remember to check your ACIs so that the sudoers subtree is readable by the clients that need it and writable by nobody else, since whoever can write sudoRole entries is root on every client. If you do keep a bindpw in /etc/ldap.conf, make sure the file is not world-readable, or put the password in /etc/ldap.secret (mode 0600) and point rootbinddn at the proxy account, which sudo also supports. The sudoers_debug option is quite handy: set it to 2 or higher and sudo prints the full query and match trace to stderr, as in the output below; set it back to 0 afterwards. The last step is to tell nsswitch.conf where to find the sudoers database:
sudoers: ldap
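A small audit of this file catches the mistakes that are easy to make with it: binddn and bindpw transposed, a bind password sent over plain ldap://, a password left in a group- or world-readable file, peer verification switched off, and debug output left on. The script below is an added example (mine, not code from the original post or from the sudo project); it inspects only the keys uri, sudoers_base, binddn, bindpw, ssl, tls_checkpeer and sudoers_debug, and both sample files are constructed for the example.

```python
# Added example, not from the original post: audit the sudo-related keys of an
# /etc/ldap.conf such as the one above. Assumptions (mine, not the post's): only
# uri, sudoers_base, binddn, bindpw, ssl, tls_checkpeer and sudoers_debug are
# inspected; SAMPLE_BAD and SAMPLE_GOOD are constructed for this example.
import os
import re
import stat

SAMPLE_BAD = """\
uri ldap://192.168.76.66
sudoers_base ou=sudoers,dc=company,dc=com
bindpw cn=proxyagent,ou=profile,dc=company,dc=com
binddn password
sudoers_debug 3
"""
SAMPLE_GOOD = """\
uri ldaps://ldap.company.com
sudoers_base ou=sudoers,dc=company,dc=com
binddn cn=proxyagent,ou=profile,dc=company,dc=com
bindpw s3cret
tls_checkpeer yes
sudoers_debug 0
"""

# Rough shape of a DN: attr=value pairs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")

def parse_ldap_conf(text):
    """'key value' per line, '#' comments, keys case-insensitive; the last
    occurrence of a key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf, mode=None):
    """Findings for one parsed config; mode is the file's permission bits
    (stat.S_IMODE), or None when the file was not read from disk."""
    findings = []
    uri, binddn, bindpw = conf.get("uri", ""), conf.get("binddn"), conf.get("bindpw")
    if "sudoers_base" not in conf:
        findings.append("no sudoers_base: sudo has nowhere to search for roles")
    if binddn is not None and not DN_RE.match(binddn):
        findings.append("binddn is not a DN: binddn and bindpw swapped?")
    if bindpw is not None and DN_RE.match(bindpw):
        findings.append("bindpw looks like a DN: binddn and bindpw swapped?")
    encrypted = uri.startswith("ldaps://") or \
        conf.get("ssl", "no").lower() in ("yes", "on", "true", "start_tls")
    if (binddn or bindpw) and not encrypted:
        findings.append("bind password travels in the clear: use ldaps:// or 'ssl start_tls'")
    if encrypted and conf.get("tls_checkpeer", "yes").lower() in ("no", "off", "false"):
        findings.append("tls_checkpeer disabled: a spoofed server can hand out sudo roles")
    if bindpw is not None and mode is not None and mode & 0o077:
        findings.append("bindpw in a group/world-readable file: chmod 0600 or use rootbinddn with /etc/ldap.secret")
    if conf.get("sudoers_debug", "0") != "0":
        findings.append("sudoers_debug left on: every sudo run dumps the LDAP trace to stderr")
    return findings

def audit_file(path):
    """Audit a real file, taking its permission bits into account."""
    with open(path) as fh:
        text = fh.read()
    return audit(parse_ldap_conf(text), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    for name, text, mode in (("bad", SAMPLE_BAD, 0o644), ("good", SAMPLE_GOOD, 0o600)):
        print(name, audit(parse_ldap_conf(text), mode) or ["clean"])
```

Run audit_file("/etc/ldap.conf") on a client and fix every finding before moving on; the swapped-key check in particular saves a round of staring at an anonymous bind in the debug trace when you expected a proxy bind.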
Let's check that it works:
tuxman@host:$> sudo ls
[sudo] password for client:
sudo ls
LDAP Config Summary
===================
uri ldap://192.168.76.66
ldap_version 3
sudoers_base ou=sudoers,dc=company,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl (no)
===================
sudo: ldap_initialize(ld, ldap://192.168.76.66)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=company,dc=com
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap search '(|(sudoUser=tuxman)(sudoUser=%other)(sudoUser=ALL))'
sudo: found:cn=sysadmin,ou=sudoers,dc=company,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/usr/bin/ls' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
tuxman@host:$>
At this point everything should be working. The last step is to translate your existing sudoers file into LDIF with sudoers2ldif.pl.