
LDAP for internet project. Part 5

Hello! Today I am wrapping up the series of articles on implementing OpenLDAP (one, two, three, four) and will talk about storing sudoers in LDAP.

LDAP support is built into sudo itself, so PAM modules will not help us here. On Debian, you need to install the sudo-ldap package:
apt-get install sudo-ldap
Among other things, the package installs a file with the LDAP schema we need, /usr/share/doc/sudo-ldap/schema.OpenLDAP. It must be copied to both LDAP servers (as /etc/ldap/schema/sudo.schema, the path the include line below refers to) and included in /etc/ldap/slapd.conf alongside the other schema includes:
include /etc/ldap/schema/sudo.schema
After that, objects of the sudoRole class, with the sudoCommand, sudoHost, sudoRunAs, sudoUser and sudoOption attributes, become available to us.
sudo looks up sudoRole objects using the settings in /etc/ldap/ldap.conf:
uri ldap://ldap.habr.ru
sudoers_base ou=servers,dc=habr,dc=ru
sudoers_debug 0

If you set sudoers_debug to 2, then after running a sudo command, a listing of the objects and matches that sudo found in LDAP will be printed.

So far we do not have a single object, so let's create some.
I have already created the container ou=servers,dc=habr,dc=ru, in which I keep one container per server holding objects of type groupOfUniqueNames; these contain references to the users who have access to that server, for example:
cn=shell-users,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
To store data for sudo, I created the container ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru, in which I keep objects of the sudoRole class. For example:

dn: cn=%www-data,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: %www-data
sudoCommand: ALL
sudoHost: dev.habr.ru
sudoRunAs: www-data
sudoUser: %www-data

Or this one:
dn: cn=developers,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: developers
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: dev.habr.ru
sudoUser: dev0
sudoUser: dev1
sudoUser: dev2

For admins I have a separate groupOfUniqueNames container, cn=admins,ou=global,ou=servers,dc=habr,dc=ru, and a separate sudoRole for them:
dn: cn=admins,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: admins
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: ALL
sudoUser: admin0
sudoUser: admin1
sudoUser: admin2
There is also an object with default settings:
dn: cn=defaults,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: env_reset
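To check what the entries above actually grant before relying on them, here is a small audit helper, an added example that is not part of the original article: it parses sudoRole entries from LDIF and reports which roles apply to a given user, group list and host, following the sudoUser (name or %group) and sudoHost (name or ALL) matching shown in the objects above, plus the global sudoOption values from the cn=defaults entry. The LDIF sample is constructed from the article's entries (one sudoUser per role for brevity).

```python
# Constructed sample LDIF: the sudoRole entries from this article, one sudoUser each.
SAMPLE_LDIF = """\
dn: cn=%www-data,ou=sudoers,ou=dev.habr.ru,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
cn: %www-data
sudoCommand: ALL
sudoHost: dev.habr.ru
sudoRunAs: www-data
sudoUser: %www-data

dn: cn=admins,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
cn: admins
sudoCommand: ALL
sudoRunAs: ALL
sudoHost: ALL
sudoUser: admin0

dn: cn=defaults,ou=sudoers,ou=global,ou=servers,dc=habr,dc=ru
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: env_reset
"""

def parse_ldif(text):
    """Split LDIF into entries: dict of attribute -> list of values (sudoUser etc. are multi-valued)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def matching_roles(entries, user, groups, host):
    """Return (roles, options): cn of every sudoRole matching user/host, and cn=defaults' sudoOption values."""
    roles, options = [], []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if e["cn"] == ["defaults"]:           # global options live in the sudoRole named 'defaults'
            options = e.get("sudoOption", [])
            continue
        user_ok = any(u in ("ALL", user) or (u[:1] == "%" and u[1:] in groups) for u in e.get("sudoUser", []))
        host_ok = any(h in ("ALL", host) for h in e.get("sudoHost", []))
        if user_ok and host_ok:
            roles.append(e["cn"][0])
    return roles, options
```

Real sudo additionally evaluates sudoCommand, sudoRunAs and netgroup (+) syntax, which this audit helper leaves out; it is meant for checking that a role reaches only the users and hosts you intended.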

Now you can try sudo!

I will be happy to answer your questions in the comments or by private message.

Source: https://habr.com/ru/post/58028/
