Adding SUDO to LDAP

LDAP Server Setup

I'm running my LDAP with GOsa as the graphical interface, so the first step is to set up the LDAP server to answer sudo requests from a client.

I already have a running system. If you are looking for help setting up a basic LDAP server, GOsa or a client server, take a look at the other posts in this category.

apt-get install gosa-plugin-sudo gosa-plugin-sudo-schema

service apache2 restart

Then we need to configure a sudo rule and the commands the user is allowed to execute.

So I will create a new rule.

Screenshot 2015-05-28 22.11.58

And it can look something like this:

Screenshot 2015-05-28 22.13.20

  • Name: Give the sudo rule a name that makes it easy to tell what it does and who it is for.
  • Description: Give the rule a short but more telling description.
  • Add a user or a user group to the rule under “users and groups”.
  • Command: Which commands the user or group is allowed to execute; in this case ALL, as for admins.
  • Run As: Unsure what this is doing. I need to look into this one a bit more.

Click OK and you are done on the server. Now set up the client servers to query LDAP for sudo permissions, as described in the next section.

Client preparations

Start by installing the Debian package for sudo LDAP support:

apt-get install sudo-ldap

Next, make sudo look up its rules in LDAP instead of only /etc/sudoers by adding a line to the ldap.conf file:

nano /etc/sudo-ldap.conf

Add the following to the conf file. At this point ldap.conf and sudo-ldap.conf should be symbolically linked together; if they are not, link them afterwards.

sudoers_base ou=SUDOers,dc=kirk,dc=local

Create the symbolic link if it is not present:

sudo ln -s /etc/ldap.conf /etc/sudo-ldap.conf

Edit /etc/nsswitch.conf and add the following at the bottom of the file:

sudoers: ldap

Restart nscd and nslcd and try it out.
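As an added check that is not part of the original post, the script below verifies the three client-side settings from this section (the sudoers_base line, the ldap.conf symlink and the nsswitch entry) before you rely on LDAP for sudo. The file paths default to the files edited above and the expected base is assumed to be the one used here (ou=SUDOers,dc=kirk,dc=local); both can be overridden with arguments so the functions can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a client's
# sudo-ldap configuration. Paths and the expected sudoers_base value are
# assumptions taken from the post and can be passed as arguments.

# Return 0 if the sudo-ldap.conf file sets the expected sudoers_base.
check_sudoers_base() {
    conf="${1:-/etc/sudo-ldap.conf}"
    want="${2:-ou=SUDOers,dc=kirk,dc=local}"
    # Skip comment lines and keep the last sudoers_base seen (keys are case-insensitive).
    got=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
          | awk 'tolower($1)=="sudoers_base" {v=$2} END {print v}')
    [ "$got" = "$want" ]
}

# Return 0 if nsswitch.conf has a "sudoers:" line whose sources include ldap.
check_nsswitch_sudoers() {
    nss="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$nss" 2>/dev/null
}

# Return 0 if sudo-ldap.conf is a symlink that points at ldap.conf.
check_symlink() {
    link="${1:-/etc/sudo-ldap.conf}"
    target="${2:-/etc/ldap.conf}"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]
}

# Run all three checks; print a verdict per check and return non-zero if any failed.
# Arguments: sudo-ldap.conf path, expected base, nsswitch.conf path, ldap.conf path.
check_client() {
    rc=0
    check_sudoers_base "$1" "$2" && echo "sudoers_base: ok" \
        || { echo "sudoers_base: missing or not '${2:-ou=SUDOers,dc=kirk,dc=local}'"; rc=1; }
    check_nsswitch_sudoers "$3" && echo "nsswitch sudoers: ok" \
        || { echo "nsswitch: no 'sudoers:' line listing ldap"; rc=1; }
    check_symlink "$1" "$4" && echo "symlink: ok" \
        || { echo "symlink: ${1:-/etc/sudo-ldap.conf} is not a link to ${4:-/etc/ldap.conf}"; rc=1; }
    return $rc
}
```

Run `check_client` with no arguments on the client itself after the restart; if every line reports ok, `sudo -l` as one of the users in the rule should list the commands granted in GOsa. The nsswitch check also accepts `sudoers: ldap files`, which keeps the local /etc/sudoers as a second source.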
