RCS/CVS/RSYNC/RDIST/RCP/SCP and even NFS. Many have asked for a Hesiod, NIS,
or LDAP patch for sudo, so here is my attempt at LDAP'izing sudo.
+For information on OpenLDAP, please see http://www.openldap.org/.
+
Definitions
===========
Many times the word 'Directory' is used in the document to refer to the LDAP
Build instructions
==================
The most simplest way to build sudo with LDAP support is to include the
-'--with-ldap' option. I recommend including the '--with-pam' option on those
-system with PAM so that if you decide to use LDAP for authentication, you won't
-need to recompile sudo.
+'--with-ldap' option.
- $ ./configure --with-ldap --with-pam
+ $ ./configure --with-ldap
-If your ldap libraries and headers are in a non standard place, you will need
-to specify them at configure time.
+If your ldap libraries and headers are in a non-standard place, you will need
+to specify them at configure time. E.g.
- $ ./configure --with-ldap=/usr/local/ldapsdk --with-pam
+ $ ./configure --with-ldap=/usr/local/ldapsdk
-Sudo is tested against OpenLDAP's implementation. Other LDAP implementations
-may require adding '-lldif' to SUDO_LIBS in the Makefile.
+Sudo is developed using OpenLDAP. Other LDAP implementations may
+require adding '-lldif' to SUDO_LIBS in the Makefile.
-Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org>
-know what combinations worked best for your OS & LDAP Combinations so we can
-improve sudo.
+Your Mileage may vary. Please let the sudo workers mailing list
+<sudo-workers@sudo.ws> know what combinations worked best for your
+OS and LDAP Combinations so we can improve sudo.
More Build Notes:
HP-UX 11.23 (gcc3) Galen Johnson <Galen.Johnson@sas.com>
Schema Changes
==============
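Review bot: the rewritten "Your Mileage may vary" paragraph keeps stray capitals ("Mileage", "Combinations") and the new "E.g." before the configure example reads better as "e.g.:" or "for example:"; since the paragraph is being rewritten anyway, lowercase them. The dropped '--with-pam' sentence also removed the only explanation of why PAM matters here (using LDAP for authentication without recompiling sudo); if that advice is now obsolete, fine, otherwise consider keeping a one-line pointer to it.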
-Add the following schema to your LDAP server so that it may contain sudoer
-content. In OpenLDAP, simply place this into a new file and 'include' it
-in your slapd.conf and restart slapd. For other LDAP servers, provide this
-to your LDAP Administrator. Make sure to index the attribute 'sudoUser'.
-
-
- #
- # schema file for sudo
- #
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
- description )
- )
-
- #
- # Same thing as above, but imports better into SunONE or iPlanet
- # (remove any leading spaces and save to a seperate file)
- #
-
- dn: cn=schema
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
- objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
+Add the appropriate schema to your LDAP server so that it may contain
+sudoers content.
+For OpenLDAP, simply copy schema.OpenLDAP to the schema directory
+(e.g. /etc/openldap/schema) and 'include' it in your slapd.conf and
+restart slapd. For other LDAP servers, provide this to your LDAP
+Administrator. Make sure to index the attribute 'sudoUser'.
+For netscape-derived LDAP servers such as SunONE, iPlanet or Fedora
+Directory, use the schema.iPlanet file.
Importing /etc/sudoers to LDAP
==============================
Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container.
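Review bot: the replacement text refers to schema.OpenLDAP and schema.iPlanet, but this diff does not add those files; make sure they are present in the tree and in the distribution/install list, since the inline schema that readers used to copy from the README is gone. "Make sure to index the attribute 'sudoUser'" could also show the slapd.conf line (e.g. "index sudoUser eq") now that the schema text no longer sits next to it.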
+
+For instance, if using OpenLDAP:
+
+ dn: ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: organizationalUnit
+ ou: SUDOers
+
(An example location is shown below). Then use the provided script to convert
your sudoers file into LDIF format. The script will also convert any default
options.
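Review bot: the parenthetical "(An example location is shown below)" now follows the example it refers to; change it to "above" or drop it. The new LDIF lines are also indented by one space, and a leading space in LDIF marks a continuation line, so readers who paste the block into ldapadd get a parse error; either flush it left or add the "remove any leading spaces" remark that the removed iPlanet schema comment carried.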
===============================
The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains sudoUser(s),
sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).
-<put an example here>
+
+The following example allows users in group wheel to run any
+command on any host through sudo:
+
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
Managing LDAP entries
=====================
http://www.mcs.anl.gov/~gawor/ldap
http://ldapmanager.com
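Review bot: the sudoRole example above is flush-left while the ou=SUDOers example earlier is indented; pick one layout for both. The text calls sudoRunAs and sudoOption optional, and the example omits both, so one sentence saying what the entry grants when they are absent would help a reader copy it safely.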
- There are dozens of others, some open source, some free, some not.
+ * Apache Directory Studio - Open Source - an Eclipse-based LDAP
+ development platform. Includes an LDAP browser, and LDIF editor,
+ a schema editor and more.
+ http://directory.apache.org/studio
+
+ There are dozens of others, some Open Source, some free, some not.
Configure your /etc/ldap.conf
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other ldap applications and modules. IBM Secureway unfortunately uses
the same filename but has a different syntax. If you need to rename where
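Review bot: in the Apache Directory Studio entry, "an LDAP browser, and LDIF editor" should read "an LDAP browser, an LDIF editor". The new entry uses a " * Name - License - description" bullet, while the surviving entries above it are bare URLs; align the older entries to the same bullet form so the list reads consistently.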
-this file is stored, recompile SUDO with the -DLDAP_CONFIG compile option.
+this file is stored, re-run configure with the --with-ldap-conf-file=filename
+option.
Make sure you sudoers_base matches exactly with the location you specified
when you imported the sudoers. Below is an example /etc/ldap.conf
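Review bot: the adjacent context line "Make sure you sudoers_base matches" should read "your sudoers_base"; worth fixing while this paragraph is touched. Since the file is shared with pam_ldap and nss_ldap, a sentence noting that the --with-ldap-conf-file option changes only where sudo looks, not where those modules look, would avoid confusion.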
- # Either specify a uri or host & port
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
#host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
#port 389
#
- # URI will override host & port settings
- # but only works with LDAP SDK's that support
- # ldap_initialize() such as OpenLDAP
+ # URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
#
# must be set or sudo will ignore LDAP
sudoers_base ou=SUDOers,dc=example,dc=com
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
#
- # LDAP Protocol Version defaults to 3
+ # LDAP protocol version, defaults to 3
#ldap_version 3
#
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
# Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
#ssl start_tls
#
- # Additional TLS options follow that allow tweaking
- # of the SSL/TLS connection
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir.
+ # or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
+ # Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
+ # For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
+ # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+ # contain CA certs and/or the client's cert. If the client's
+ # cert is included, tls_key should be specified as well.
+ # For backward compatibility, sslpath may be used in place of tls_cert.
+ #tls_cert /var/ldap/cert7.db
+ #tls_key /var/ldap/key3.db
Debugging your LDAP configuration
=================================
sudoCommand: !/bin/sh
sudoCommand: ALL
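Review bot: the example ldap.conf leaves "uri ldap://ldapserver" active with no ssl/start_tls while offering "bindpw <password>" in the same file; add a comment that the bind credentials travel in the clear unless "ssl on" or "ssl start_tls" is enabled, and that "tls_checkpeer no" disables server certificate verification, so it should not be combined with a bindpw in production. The new "Typically, you must also set the port to 636 (ldaps)" comment only applies when host/port is used; with "uri ldaps://..." the port is implied, so say so to avoid readers setting "port 636" alongside a URI.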
-Another difference is that negations on the Host are User (or Runas) are
-currently ignorred. For example, these attributes do not work how they first
-seem. If you desperately want this to be changed, contact Aaron Spangler
-(aaron@spangler.ods.org).
+Another difference is that negations on the Host, User or Runas are
+currently ignorred. For example, these attributes do not work how
+they first seem.
# does not match all but joe
# rather, does not match anyone
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
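Review bot: the rewritten sentence still carries the typo "ignorred" (should be "ignored"); since the line is being replaced anyway, fix it here. The sentence "these attributes do not work how they first seem" is vague; the three comment lines that follow already show the surprising result, so a pointer like "as the examples below show" ties them together.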
-
-
-Configure your /etc/nsswitch.conf
-=================================
-At the time of this writing, sudo does not consult nsswitch.conf for the
-search order. But if it did, it would look like this:
-This might be implemented in the future. For now just skip this step.
-
- sudoers: files ldap
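Review bot: removing the nsswitch.conf section drops the only statement that sudo does not consult nsswitch.conf for the search order; if that is still the case, keep a one-line note elsewhere in the README, otherwise readers who remember "sudoers: files ldap" from older versions will expect it to work.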