[Date Prev][Date Next]
Re: centralized sudo policies : ACL issue
On Tuesday, 3 April 2012 16:52:35 Olivier wrote:
> A quite trivial issue I have :
> I have installed centralized policy sudo rules in ldap server
> (I use "schema.OpenLDAP" from "http://www.sudo.ws" ).
> I also have configured linux clients to check ldap rules to
> grant sudo access to certain ressources ( I declared
> "sudoers_base" in nslcd.conf and "sudoers: ldap" in
> nsswitch.conf ).
> That works, but I'm still not happy :-)
> To make it work, I need to authorize reading on the sudoers
> DIT branch for user, which I would like to avoid ( BTW, normally
> /etc/sudoers is not readable by users ).
> Anyone knows any way to remove sudo rules reading rights
> to usual users while having rules working for everyone ( I was
> thinking about an ldap proxy user used to read sudo rules in
> ldap, but I haven't found how to declare it ) ?
$ man sudoers.ldap|col -b|grep -A5 ROOTBINDDN
The ROOTBINDDN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as sudoers queries. The password corresponding to
the identity should be stored in /etc/ldap.secret. If not
specified, the BINDDN identity is used (if any).
Please check your own sudoers.ldap documentation, paths may differ based on
compile-time settings (which you can check with sudo -V as root)