Adding SUDO to LDAP
LDAP Server Setup
Im running my ldap with gosa as a graphical interface so the first thing is to set up the LDAP server to handle the sudo request from a client.
I already have a running system. If you are looking for help setting up a basic ldap server, Gosa or a client server take a look at the other post in this category.
apt-get install gosa-plugin-sudo gosa-plugin-sudo-schema
service apache2 restart
Then we need to configure a SUDO rule and what commands the user is allowed to execute.
So I will create a new rule
And I can look like something like this
- Name: Give en sudo rule a name that is easy to tell by its name what it does and who it is for.
- Description: Give the rule a short and more telling description.
- Add a user or a user group to the rule under “users and groups”
- Command: What kind of commands is the user or group allowed to execute and is in this case ALL as for admins.
- Run As: Unsure what this is doing. I need to look into this one a bit more.
Click OK and you are done on the server. Now set up the client servers to request ldap for sudo permissions in next section.
Start by installing the Debian package for sudo ldap support
apt-get install sudo-ldap
Add setup sudo redirection from /etc/sudoers to LDAP by adding an line to the ldap.conf file
Add following to the conf file. ldap.conf and sudo-ldap.conf should be at this moment link symbolic together if not link then afterwards.
Create the symbolic link with if not present
sudo ln -s /etc/ldap.conf /etc/sudo-ldap.conf
Setup nsswitch.conf and add following at the bottom of the conf file
Restart nscd and nslcd and try it out