OpenLDAP/sudo

From Secure Computing Wiki

This page walks through getting sudo working on FreeBSD with OpenLDAP providing both the sudoers configuration and user authentication.


OpenLDAP Schema

You should already have followed the instructions on the OpenLDAP page and installed the sudo schema as described there. If you have not done this, do so now.

Sample SUDO LDAP Entry

The following sample entries set up a defaults section and an admins role that grants the users listed under it sudo access to all commands on all hosts.

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers, example.com
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.
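To sanity-check what these entries grant before pointing sudo at the directory, here is an added example (not part of the original page, and not sudo's own code) that parses a copy of the LDIF above and answers the question sudo's LDAP backend asks: may this user run this command on this host, and which defaults apply. It handles only ALL, exact values and the sudoOption '!' prefix; netgroups, %groups and wildcards are assumed out of scope.

```python
# Constructed copy of the page's LDIF (the defaults entry plus the admins role), embedded so it runs offline.
LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
objectClass: sudoRole
sudoOption: ignore_dot
sudoOption: !root_sudo
sudoOption: logfile=/var/log/sudolog
sudoOption: ignore_local_sudoers

dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry, attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries
def effective_defaults(entries):
    """sudoOption values of cn=defaults as flags: 'opt' -> True, '!opt' -> False, 'key=val' -> 'val'."""
    opts = {}
    for entry in entries:
        if entry.get("cn") == ["defaults"]:
            for opt in entry.get("sudoOption", []):
                key, _, val = opt.partition("=")
                opts[key.lstrip("!")] = val if val else not key.startswith("!")
    return opts
def matches(values, candidate):
    """The simple sudoUser/sudoHost/sudoCommand match: ALL or an exact value (no netgroups, %groups or globs)."""
    return "ALL" in values or candidate in values
def sudo_allowed(entries, user, host, command):
    """Return the cn of the first non-default sudoRole letting user run command on host, else None."""
    for entry in entries:
        if entry.get("cn") != ["defaults"] and "sudoRole" in entry.get("objectClass", []) and all(
                matches(entry.get(attr, []), want) for attr, want in
                (("sudoUser", user), ("sudoHost", host), ("sudoCommand", command))):
            return entry["cn"][0]
    return None
```

Once slapd is loaded, the same questions can be put to the live directory with ldapsearch against sudoers_base.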

SUDO

For this setup, I've got 1.6.9.17 with LDAP and INSULTS enabled. You can get this installed with the following:

# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall

PAM Config

Edit the /etc/pam.d/system file to read as follows:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

ldap.conf

Add the following lines to your /usr/local/etc/ldap.conf file:

# SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com