From Secure Computing Wiki

This page walks through setting up sudo on FreeBSD with OpenLDAP providing both the sudoers configuration and user authentication.

OpenLDAP Schema

You should already have followed the instructions at OpenLDAP and installed the sudo schema as described there. If you have not done this, do so now.

Sample SUDO LDAP Entry

The following sample entries set up a defaults section and create an admins role that gives all of its members access to every sudo command.

# SUDOers,
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers,
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers,
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.
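To see what the entries above actually grant, here is an added example (not from the original wiki page) that reads the sample LDIF with a small hand-written parser and applies the matching rules from sudoers.ldap(5): sudoUser matches a user name, a %group or ALL; sudoHost matches a host name or ALL; sudoCommand matches an exact command path or ALL; a sudoOption of the form !flag disables the flag and key=value sets a value. Netgroups, wildcards and role ordering are deliberately not modelled, and the group list passed to may_run is an assumed input rather than something looked up from the system. The audit function flags the pattern a reviewer looks for first: a role granting ALL commands on ALL hosts.

```python
"""Parse a sudoers LDIF and check what it grants (added example, not page code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the page's sample entries, embedded so the script runs offline.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole

dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
"""


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, '#' comments, and leading-space continuation lines folded into
    the previous value."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr in current.attrs:
            current.attrs[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = Entry(dn=value)
        elif current is not None:
            current.attrs.setdefault(attr, []).append(value)
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def sudo_roles(entries: List[Entry]) -> List[Entry]:
    """Only sudoRole objects matter to sudo; the ou container is skipped."""
    return [e for e in entries if "sudoRole" in e.attrs.get("objectClass", [])]


def _user_matches(spec: str, user: str, groups) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # %name is a Unix group
        return spec[1:] in groups
    return spec == user


def may_run(entries, user, host, command, groups=()) -> Optional[str]:
    """Return the cn of the first non-defaults role granting user@host the
    command, or None when nothing matches."""
    for role in sudo_roles(entries):
        if role.attrs.get("cn") == ["defaults"]:
            continue
        user_ok = any(_user_matches(u, user, groups) for u in role.attrs.get("sudoUser", []))
        host_ok = any(h in ("ALL", host) for h in role.attrs.get("sudoHost", []))
        cmd_ok = any(c in ("ALL", command) for c in role.attrs.get("sudoCommand", []))
        if user_ok and host_ok and cmd_ok:
            return role.attrs["cn"][0]
    return None


def effective_options(entries) -> Dict[str, object]:
    """Flatten the defaults entry: '!flag' -> False, 'flag' -> True, 'k=v' -> 'v'."""
    opts: Dict[str, object] = {}
    for role in sudo_roles(entries):
        if role.attrs.get("cn") != ["defaults"]:
            continue
        for opt in role.attrs.get("sudoOption", []):
            if "=" in opt:
                key, value = opt.split("=", 1)
                opts[key] = value
            elif opt.startswith("!"):
                opts[opt[1:]] = False
            else:
                opts[opt] = True
    return opts


def audit(entries) -> List[Tuple[str, List[str]]]:
    """Flag roles that grant ALL commands on ALL hosts, listing who gets them."""
    findings = []
    for role in sudo_roles(entries):
        if role.attrs.get("cn") == ["defaults"]:
            continue
        if "ALL" in role.attrs.get("sudoCommand", []) and "ALL" in role.attrs.get("sudoHost", []):
            findings.append((role.attrs["cn"][0], sorted(role.attrs.get("sudoUser", []))))
    return findings


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("ecrist may reboot via:", may_run(ents, "ecrist", "host1", "/sbin/reboot"))
    print("bob may reboot via:", may_run(ents, "bob", "host1", "/sbin/reboot"))
    print("defaults:", effective_options(ents))
    print("audit findings:", audit(ents))
```

Running it shows that ecrist and testuser are granted every command on every host through the admins role, that any other user gets nothing from these entries, and that the defaults entry turns syslog off in favour of /var/log/sudolog with a ten-minute timestamp timeout. Pointing parse_ldif at the output of an ldapsearch against your real ou=SUDOers subtree turns the same script into a quick review of what your directory hands out.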


For this setup, I've got sudo built with LDAP and INSULTS enabled. You can get it installed from the port with the following:

# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall

PAM Config

Edit the /etc/pam.d/system file to read as follows:

# auth
auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
#auth           sufficient             no_warn try_first_pass
#auth           sufficient              no_warn try_first_pass
auth            sufficient      /usr/local/lib/      no_warn try_first_pass
auth            required             no_warn try_first_pass nullok

# account
#account        required
account         required        /usr/local/lib/      ignore_unknown_user ignore_authinfo_unavail
account         required
account         required

# session
#session        optional
session         required        /usr/local/lib/
session         required          no_fail

# password
#password       sufficient             no_warn try_first_pass
password        required             no_warn try_first_pass


Add the following lines to your /usr/local/etc/ldap.conf file:

# SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com