Back to the main page

Sudo in 389 Directory Server

* About 389 Directory Server

The 389 Directory Server (or Red Hat Directory Server) is LDAP server for Linux, of course it supports LDAPv3. Some other features are that it uses the Berkeley Database for its data store and has multi-master replication (multi-master means the ability to write to two or more masters at the same time). It also comes with a standard schema that includes many object classes and attributes.

In 389-ds or any LDAP server, an object class defines the set of attributes that can be used to define an entry, like people, groups, locations, organizations, etc.
The identity is described in a directory entries with attributes and their values, Other 389-ds configuration, like matching rules and LDAP controls are also defined in the schema.

So 389-ds comes with Sudo schema and here is example how to configure it and use it.

* Schema

The sudo schema is already present in the 389-ds.

[root@389-ds /tmp]# file /etc/dirsrv/slapd-eval-389-1/schema/60sudo.ldif
/etc/dirsrv/slapd-eval-389-1/schema/60sudo.ldif: ASCII text

* OU

The Organizational Unit ou=SUDOers,dc=comp,dc=com has been created manually via the GUI console.

* Environment

For example, there is legacy /etc/sudoers file that needs to be import into LDAP. To do this, we'll need this environment addition.

[root@389-ds tmp]# export SUDOERS_BASE=ou=SUDOers,dc=comp,dc=com

[root@389-ds tmp]# echo $SUDOERS_BASE

[root@389-ds tmp]# env | grep SUDO

* Conversion

The sudo RPM comes with the Perl script that converts sudoers file into ldif format.

# rpm -ql sudo | grep ldif

Run this tool and create LDIF file.

[root@389-ds tmp]#  perl /usr/share/doc/sudo-1.8.6p7/sudoers2ldif /tmp/sudoers.template | tee sudoers-389.ldif 
dn: cn=defaults,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOrder: 1

dn: cn=root,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=SYSADMINS,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
sudoUser: zare
sudoUser: milan
sudoUser: alisa
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 3

---- shortened ----

dn: cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com
objectClass: top
objectClass: sudoRole
sudoUser: todorka
sudoUser: ugljesa
sudoHost: kaca-host
sudoHost: kruna-host
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 12

* Import

Add the LDIF file to 389-ds.

[root@389-ds tmp]#  ldapadd  -x  -W -D "cn=Directory Manager" -f sudoers-389.ldif 

Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=root,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=SYSADMINS,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com"
adding new entry "cn=OTHER_ADMINS,ou=SUDOers,dc=comp,dc=com"

* Modification

A LDAP entry can be modified via GUI console and via CLI.
This is the example of deleting 2 users (todorka, ugljesa) from sudo group (SOME_RESTRICTED_HOSTS) via CLI.
Create file /tmp/someedit.ldif that reads:

dn: cn=SOME_RESTRICTED_HOSTS,ou=SUDOers,dc=comp,dc=com
changetype: modify
delete: sudoUser
sudoUser: milan
sudoUser: alisa

Run ldapmodify command:

#  ldapmodify -x  -W -D "cn=Directory Manager" -v -f /tmp/someedit.ldif 
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
delete sudoUser:
modifying entry "cn=BUILD_ADMINS_RESTRICTED_HOSTS,ou=SUDOers,dc=oracle,dc=com"
modify complete

* Client setup

** Oracle/RedHat Linux 6

Things to be done on OL6 LDAP client. The file /etc/nsswitch.conf needs the line:

sudoers: ldap

The file /etc/sudo-ldap.conf should look like:

uri ldap://
sudoers_base ou=SUDOers,dc=comp,dc=com
bind_timelimit 30
timelimit 60
sudoers_debug 1

Testing : This shows account "zare" is only LDAP account on this system.

[root@ldapclient etc]# grep zare /etc/passwd
[root@ldapclient etc]#  getent passwd | grep zare

There is no account 'zare' in the local sudoers file.

# grep zare /etc/sudoers
Account 'zare' SSH and sudo (command: sudo su - ) to Ldap client, and these are lines from /var/log/secure file.

May 27 18:55:23 ldapclient sshd[2443]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.x.x.x  user=zare
May 27 18:55:25 ldapclient sshd[2443]: Accepted password for zare from 10.x.x.x port 64316 ssh2
May 27 18:55:25 ldapclient sshd[2443]: pam_unix(sshd:session): session opened for user zare by (uid=0)
May 27 18:55:31 ldapclient sudo:   zare : TTY=pts/1 ; PWD=/home/zare ; USER=root ; COMMAND=/bin/su -
May 27 18:55:31 ldapclient su: pam_unix(su-l:session): session opened for user root by zare(uid=0)

Back to the main page