[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: centralized sudo policies : ACL issue

On Tuesday, 3 April 2012 16:52:35 Olivier wrote:
> A quite trivial issue I have :
> I have installed centralized policy sudo rules in ldap server
> (I use "schema.OpenLDAP" from "http://www.sudo.ws"; ).
> I also have configured linux clients to check ldap rules to
> grant sudo access to certain ressources ( I declared
> "sudoers_base" in nslcd.conf and "sudoers:    ldap" in
> nsswitch.conf ).
> That works, but I'm still not happy :-)
> To make it work, I need to authorize reading on the sudoers
> DIT branch for user, which I would like to avoid ( BTW, normally
> /etc/sudoers is not readable by users ).
> Anyone knows any way to remove sudo rules reading rights
> to usual users while having rules working for everyone ( I was
> thinking about an ldap proxy user used to read sudo rules in
> ldap, but I haven't found how to declare it ) ?

$ man sudoers.ldap|col -b|grep -A5 ROOTBINDDN
           The ROOTBINDDN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as sudoers queries.  The password corresponding to
           the identity should be stored in /etc/ldap.secret.  If not
           specified, the BINDDN identity is used (if any).

Please check your own sudoers.ldap documentation, paths may differ based on 
compile-time settings (which you can check with sudo -V as root)