1 This file explains how to build the optional LDAP functionality of SUDO to
2 store /etc/sudoers information. This feature is distinct from LDAP passwords.
4 For general sudo LDAP configuration details, see the sudoers.ldap manual that
5 comes with the sudo distribution. A pre-formatted version of the manual may
6 be found in the sudoers.ldap.cat file.
8 The sudo binary compiled with LDAP support should be totally backward
9 compatible and be syntactically and source code equivalent to its
10 non LDAP-enabled build.
14 As times change and servers become cheap, an enterprise can easily have 500+
15 UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
16 others across an enterprise can greatly reduce the administrative overhead.
18 In the past, sudo has used a single local configuration file, /etc/sudoers.
19 While the same sudoers file can be shared among machines, no built-in
20 mechanism exists to distribute it. Some have attempted to workaround this
21 by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.
23 By using LDAP for sudoers we gain a centrally administered, globally
24 available configuration source for sudo.
26 For information on OpenLDAP, please see http://www.openldap.org/.
30 Many times the word 'Directory' is used in the document to refer to the LDAP
31 server, structure and contents.
33 Many times 'options' are used in this document to refer to sudoer 'defaults'.
34 They are one and the same.
38 The simplest way to build sudo with LDAP support is to include the
41 $ ./configure --with-ldap
43 If your ldap libraries and headers are in a non-standard place, you will need
44 to specify them at configure time. E.g.
46 $ ./configure --with-ldap=/usr/local/ldapsdk
48 Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
49 (such as those present in Solaris) are also known to work.
51 Your mileage may vary. Please let the sudo workers mailing list
52 <sudo-workers@sudo.ws> know if special configuration was required
53 to build an LDAP-enabled sudo so we can improve sudo.
57 You must add the appropriate schema to your LDAP server before it
58 can store sudoers content.
60 For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
61 (e.g. /etc/openldap/schema). You must then edit your slapd.conf and
62 add an include line the new schema, e.g.
65 include /etc/openldap/schema/sudo.schema
67 In order for sudoRole LDAP queries to be efficient, the server must index
68 the attribute 'sudoUser', e.g.
73 After making the changes to slapd.conf, restart slapd.
75 For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
76 copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.
78 On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
79 For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.
81 After copying the schema file to the appropriate directory, restart
84 Finally, using an LDAP browser/editor, enable indexing by editing the
85 client profile to provide a Service Search Descriptor (SSD) for sudoers,
86 replacing example.com with your domain:
88 serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
90 If using an Active Directory server, copy schema.ActiveDirectory
91 to your Windows domain controller and run the following command:
93 ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
95 Importing /etc/sudoers into LDAP
96 ================================
97 Importing sudoers is a two-step process.
100 Ask your LDAP Administrator where to create the ou=SUDOers container.
102 For instance, if using OpenLDAP:
104 dn: ou=SUDOers,dc=example,dc=com
106 objectClass: organizationalUnit
109 (An example location is shown below). Then use the provided script to convert
110 your sudoers file into LDIF format. The script will also convert any default
113 # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
114 # export SUDOERS_BASE
115 # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
118 Import into your directory server. The following example is for
119 OpenLDAP. If you are using another directory, provide the LDIF
120 file to your LDAP Administrator.
122 # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
123 -D cn=Manager,dc=example,dc=com -W -x
125 Managing LDAP entries
126 =====================
127 Doing a one-time bulk load of your ldap entries is fine. However what if you
128 need to make minor changes on a daily basis? It doesn't make sense to delete
129 and re-add objects. (You can, but this is tedious).
131 I recommend using any of the following LDAP browsers to administer your SUDOers.
132 * GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
133 and since it is Schema aware, I don't need to create a sudoRole template.
136 * phpQLAdmin - Open Source - phpQLAdmin is an administration tool,
137 originally for QmailLDAP, that supports editing sudoRole objects
138 in version 2.3.2 and higher.
139 http://phpqladmin.com/
141 * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
142 and Solaris. It runs anywhere in a Java Virtual Machine including
143 web pages. You have to make a template from an existing sudoRole entry.
144 http://www.iit.edu/~gawojar/ldap
145 http://www.mcs.anl.gov/~gawor/ldap
146 http://ldapmanager.com
148 * Apache Directory Studio - Open Source - an Eclipse-based LDAP
149 development platform. Includes an LDAP browser, and LDIF editor,
150 a schema editor and more.
151 http://directory.apache.org/studio
153 There are dozens of others, some Open Source, some free, some not.
155 Configure your /etc/ldap.conf and /etc/nsswitch.conf
156 ====================================================
157 The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
158 and other ldap applications and modules. IBM Secureway unfortunately uses
159 the same file name but has a different syntax. If you need to change where
160 this file is stored, re-run configure with the --with-ldap-conf-file=PATH
163 See the "Configuring ldap.conf" section in the sudoers.ldap manual
164 for a list of supported ldap.conf parameters and an example ldap.conf
166 Make sure you sudoers_base matches the location you specified when you
167 imported the sudoers ldif data.
169 After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
170 to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
171 section in the sudoers.ldap manual for details. Note that sudo will use
172 /etc/nsswitch.conf even if the underlying operating system does not support it.
173 To disable nsswitch support, run configure with the --with-nsswitch=no option.
174 This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
175 ignore_sudoers_file flag is set in the global LDAP options.
177 Debugging your LDAP configuration
178 =================================
179 Enable debugging if you believe sudo is not parsing LDAP the way you think it
180 should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
181 debugging. A value of 2 shows the results of the matches themselves. Make
182 sure to set the value back to zero so that other users don't get confused by
183 the debugging messages.