[root@389-ds /tmp]# file /etc/dirsrv/slapd-eval-389-1/schema/60sudo.ldif /etc/dirsrv/slapd-eval-389-1/schema/60sudo.ldif: ASCII text |
[root@389-ds tmp]# export SUDOERS_BASE=ou=SUDOers,dc=comp,dc=com
[root@389-ds tmp]# echo $SUDOERS_BASE
ou=SUDOers,dc=comp,dc=com
[root@389-ds tmp]# env | grep SUDO
SUDOERS_BASE=ou=SUDOers,dc=comp,dc=com
# rpm -ql sudo | grep ldif /usr/share/doc/sudo-1.8.6p3/sudoers2ldif |
# Convert the sudoers template to LDIF with the sudoers2ldif script shipped in the
# sudo documentation directory. The script takes the DN suffix from $SUDOERS_BASE
# (exported above); the LDIF is also written to sudoers-389.ldif for ldapadd.
# NOTE(review): the doc path here says sudo-1.8.6p7 while the rpm -ql output above
# shows sudo-1.8.6p3 — use whatever `rpm -ql sudo | grep sudoers2ldif` prints on
# the host the conversion runs on.
[root@389-ds tmp]# perl /usr/share/doc/sudo-1.8.6p7/sudoers2ldif /tmp/sudoers.template | tee sudoers-389.ldif
dn: cn=defaults,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOrder: 1

dn: cn=root,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

# SYSADMINS: ALL commands, as any user (sudoRunAsUser: ALL), on every host that
# reads this tree (sudoHost: ALL), and "!authenticate" removes the password
# prompt. For zare, milan and alisa this is password-less root on every client;
# this is the role that lets zare run "sudo su -" in the log excerpt at the end
# of the page. A stolen session or SSH key for any of them is root everywhere
# with no second check, so keep this list short and audit it.
dn: cn=SYSADMINS,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: SYSADMINS
sudoUser: zare
sudoUser: milan
sudoUser: alisa
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 3

---- shortened ----

# SOME_RESTRICTED_HOSTS: full root (ALL commands as ALL users) but only on the two
# hosts listed in sudoHost; sudoOrder controls precedence when several roles match.
dn: cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: SOME_RESTRICTED_HOSTS
sudoUser: todorka
sudoUser: ugljesa
sudoHost: kaca-host
sudoHost: kruna-host
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 12
# Load the generated roles into the directory. -x is a simple bind, so the
# Directory Manager password is sent to the server as-is; no -H is given, so the
# target comes from the client ldap.conf default (shown as ldap_initialize( <DEFAULT> )
# further down). This is run on the 389-ds host itself, so that is presumably a
# local connection — if the default ever points at a plain ldap:// URI on another
# host, use ldaps:// or -ZZ (STARTTLS) instead.
# NOTE(review): Directory Manager bypasses every ACI; a dedicated account whose
# write access is limited to ou=SUDOers would be the usual choice for routine loads.
[root@389-ds tmp]# ldapadd -x -W -D "cn=Directory Manager" -f sudoers-389.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=root,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=SYSADMINS,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com"
--shortened--
adding new entry "cn=OTHER_ADMINS,ou=SUDOers,dc=comp,dc=com"
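# Remove two specific sudoUser values from the SOME_RESTRICTED_HOSTS role.
# The values listed must currently exist on the entry: an LDAP modify that
# deletes a value the entry does not hold fails with "No such attribute" and
# the whole operation is rejected. As generated above, this role holds
# todorka and ugljesa (not milan/alisa, who are in SYSADMINS), and the
# ldapmodify -v output below confirms those two are the values removed.
# Keep the values explicit: "delete: sudoUser" with no values would strip
# every user from the role.
dn: cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com
changetype: modify
delete: sudoUser
sudoUser: todorka
sudoUser: ugljesa
-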
# ldapmodify -x -W -D "cn=Directory Manager" -v -f /tmp/someedit.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
delete sudoUser:
	todorka
	ugljesa
modifying entry "cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com"
modify complete
# /etc/nsswitch.conf: sudo reads its policy from LDAP only.
# With just "ldap" listed, /etc/sudoers is never consulted (consistent with the
# empty "grep zare /etc/sudoers" below) and no rule can match while the
# directory is unreachable. NOTE(review): "sudoers: ldap files" keeps the local
# file as a fallback for a break-glass entry; see sudoers.ldap(5) for the
# exact lookup order and confirm which behaviour is wanted here.
sudoers: ldap
# sudo's LDAP client settings (sudo-ldap.conf or ldap.conf, depending on the
# build; the path is not shown on this page).
# NOTE(review): the URI is plain ldap:// and no "ssl" / "tls_*" options are set,
# so every sudo invocation fetches the policy unencrypted from an unverified
# server. Anyone able to intercept or spoof traffic to 389-ds.comp.com can hand a
# client a sudoRole that grants root. Prefer "uri ldaps://389-ds.comp.com" (or
# "ssl start_tls") with "tls_checkpeer yes" and "tls_cacertfile" pointing at the
# CA that issued the server certificate. No binddn/bindpw is configured either, so
# sudo binds anonymously; presumably the directory's ACIs allow anonymous read of
# ou=SUDOers, which also exposes the whole sudo policy to anyone who can reach
# the server — verify that is acceptable.
uri ldap://389-ds.comp.com
sudoers_base ou=SUDOers,dc=comp,dc=com
# Seconds allowed for the bind and for each query before sudo gives up.
bind_timelimit 30
timelimit 60
# Prints LDAP query details to the user's terminal on every sudo run; useful
# while debugging the lookup, set back to 0 once it works.
sudoers_debug 1
[root@ldapclient etc]# grep zare /etc/passwd [root@ldapclient etc]# getent passwd | grep zare zare:*:2222:2222:Zare.D:/home/zare:/bin/bash |
# grep zare /etc/sudoers |
May 27 18:55:23 ldapclient sshd[2443]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.x.x.x user=zare May 27 18:55:25 ldapclient sshd[2443]: Accepted password for zare from 10.x.x.x port 64316 ssh2 May 27 18:55:25 ldapclient sshd[2443]: pam_unix(sshd:session): session opened for user zare by (uid=0) May 27 18:55:31 ldapclient sudo: zare : TTY=pts/1 ; PWD=/home/zare ; USER=root ; COMMAND=/bin/su - May 27 18:55:31 ldapclient su: pam_unix(su-l:session): session opened for user root by zare(uid=0) |