Annotation of embedaddon/sudo/README.LDAP, revision 1.1
This file explains how to build the optional LDAP functionality of SUDO to
store /etc/sudoers information. This feature is distinct from LDAP passwords.

For general sudo LDAP configuration details, see the sudoers.ldap manual that
comes with the sudo distribution. A pre-formatted version of the manual may
be found in the sudoers.ldap.cat file.

The sudo binary compiled with LDAP support should be totally backward
compatible and be syntactically and source code equivalent to its
non-LDAP-enabled build.

LDAP philosophy
===============
As times change and servers become cheap, an enterprise can easily have 500+
UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
others across an enterprise can greatly reduce the administrative overhead.

In the past, sudo has used a single local configuration file, /etc/sudoers.
While the same sudoers file can be shared among machines, no built-in
mechanism exists to distribute it. Some have attempted to work around this
by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.

By using LDAP for sudoers we gain a centrally administered, globally
available configuration source for sudo.

For information on OpenLDAP, please see http://www.openldap.org/.

Definitions
===========
Many times the word 'Directory' is used in this document to refer to the LDAP
server, structure and contents.

Many times 'options' are used in this document to refer to sudoers 'defaults'.
They are one and the same.

Build instructions
==================
The simplest way to build sudo with LDAP support is to include the
'--with-ldap' option.

    $ ./configure --with-ldap

If your LDAP libraries and headers are in a non-standard place, you will need
to specify them at configure time. E.g.

    $ ./configure --with-ldap=/usr/local/ldapsdk

Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
(such as those present in Solaris) are also known to work.

Your mileage may vary. Please let the sudo workers mailing list
<sudo-workers@sudo.ws> know if special configuration was required
to build an LDAP-enabled sudo so we can improve sudo.

Schema Changes
==============
You must add the appropriate schema to your LDAP server before it
can store sudoers content.

For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
(e.g. /etc/openldap/schema). You must then edit your slapd.conf and
add an include line for the new schema, e.g.

    # Sudo LDAP schema
    include /etc/openldap/schema/sudo.schema

In order for sudoRole LDAP queries to be efficient, the server must index
the attribute 'sudoUser', e.g.

    # Indices to maintain
    index sudoUser eq

After making the changes to slapd.conf, restart slapd.

For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.

On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.

After copying the schema file to the appropriate directory, restart
the LDAP server.

Finally, using an LDAP browser/editor, enable indexing by editing the
client profile to provide a Service Search Descriptor (SSD) for sudoers,
replacing example.com with your domain:

    serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com

If using an Active Directory server, copy schema.ActiveDirectory
to your Windows domain controller and run the following command:

    ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com

Importing /etc/sudoers into LDAP
================================
Importing sudoers is a two-step process.

Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container.

For instance, if using OpenLDAP:

    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers

(An example location is shown below.) Then use the provided script to convert
your sudoers file into LDIF format. The script will also convert any default
options.

    # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
    # export SUDOERS_BASE
    # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif

Step 2:
Import into your directory server. The following example is for
OpenLDAP. If you are using another directory, provide the LDIF
file to your LDAP Administrator.

    # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
        -D cn=Manager,dc=example,dc=com -W -x
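The two steps above, wrapped into one script as an added example (this is not part of sudo's README.LDAP or of the sudo distribution). It generates the ou=SUDOers container entry, runs sudoers2ldif with SUDOERS_BASE set, and, before calling ldapadd, checks that every dn in the LDIF really sits under the sudoers base that sudo will later be pointed at; an entry created against a different base is never returned by sudo's sudoRole queries, and that mistake is otherwise found only when a user's command is unexpectedly refused. The parent base, LDAP host and bind DN are placeholders passed in by the caller, sudoers2ldif is assumed to be in the current directory, and the sample LDIF at the bottom is constructed for demonstration only.

```sh
#!/bin/sh
# Added example, not part of sudo's README.LDAP. Assumptions (placeholders):
# the caller passes the parent base DN (e.g. dc=example,dc=com), the LDAP
# host and the bind DN; ./sudoers2ldif and ldapadd are available.

# Step 1a: print the LDIF for the ou=SUDOers container under the parent base.
container_ldif() {
    printf 'dn: ou=SUDOers,%s\n' "$1"
    printf 'objectClass: top\nobjectClass: organizationalUnit\nou: SUDOers\n'
}

# Step 1b (check): every "dn:" line in the LDIF must be the sudoers base
# itself or end with ",<base>". LDAP DNs compare case-insensitively, hence
# grep -i. Prints offending dn lines on stderr and returns 1 if any exist.
# (The base is used as a basic regular expression; a DN containing regex
# metacharacters such as '.' would need escaping first.)
check_ldif_base() {
    ldif="$1" base="$2"
    bad=$(grep -i '^dn:' "$ldif" | grep -iv -e ": $base\$" -e ",$base\$" || true)
    if [ -n "$bad" ]; then
        printf 'dn outside %s:\n%s\n' "$base" "$bad" >&2
        return 1
    fi
    return 0
}

# Steps 1 and 2 end to end. Nothing is sent to the directory unless the
# generated LDIF passes check_ldif_base. Not run when this file is sourced.
import_sudoers() {
    parent="$1" host="$2" binddn="$3"
    sudoers_base="ou=SUDOers,$parent"
    tmp=$(mktemp) || return 1
    container_ldif "$parent" > "$tmp"
    echo >> "$tmp"
    SUDOERS_BASE="$sudoers_base" ./sudoers2ldif /etc/sudoers >> "$tmp" || { rm -f "$tmp"; return 1; }
    check_ldif_base "$tmp" "$sudoers_base" || { rm -f "$tmp"; return 1; }
    ldapadd -f "$tmp" -h "$host" -D "$binddn" -W -x
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample of a converted sudoers file; the last entry was
# generated against a different base and must be caught by the check.
sample_ldif() {
    cat <<'EOF'
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=stale,ou=SUDOers,dc=old,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: stale
sudoUser: alice
sudoHost: ALL
sudoCommand: /usr/bin/id
EOF
}

# Usage: import_sudoers dc=example,dc=com ldapserver cn=Manager,dc=example,dc=com
```

The check only looks at plain `dn:` lines; an LDIF that base64-encodes a DN (`dn::`) would be reported as a mismatch, which is a safe failure but one to be aware of if the directory holds non-ASCII names.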
! 124:
Managing LDAP entries
=====================
Doing a one-time bulk load of your LDAP entries is fine. However, what if you
need to make minor changes on a daily basis? It doesn't make sense to delete
and re-add objects. (You can, but this is tedious.)

I recommend using any of the following LDAP browsers to administer your SUDOers.

* GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
  and since it is Schema aware, I don't need to create a sudoRole template.
  http://biot.com/gq/

* phpQLAdmin - Open Source - phpQLAdmin is an administration tool,
  originally for QmailLDAP, that supports editing sudoRole objects
  in version 2.3.2 and higher.
  http://phpqladmin.com/

* LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
  and Solaris. It runs anywhere in a Java Virtual Machine including
  web pages. You have to make a template from an existing sudoRole entry.
  http://www.iit.edu/~gawojar/ldap
  http://www.mcs.anl.gov/~gawor/ldap
  http://ldapmanager.com

* Apache Directory Studio - Open Source - an Eclipse-based LDAP
  development platform. Includes an LDAP browser, an LDIF editor,
  a schema editor and more.
  http://directory.apache.org/studio

There are dozens of others, some Open Source, some free, some not.

Configure your /etc/ldap.conf and /etc/nsswitch.conf
====================================================
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other LDAP applications and modules. IBM Secureway unfortunately uses
the same file name but has a different syntax. If you need to change where
this file is stored, re-run configure with the --with-ldap-conf-file=PATH
option.

See the "Configuring ldap.conf" section in the sudoers.ldap manual
for a list of supported ldap.conf parameters and an example ldap.conf.

Make sure your sudoers_base matches the location you specified when you
imported the sudoers LDIF data.

After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
section in the sudoers.ldap manual for details. Note that sudo will use
/etc/nsswitch.conf even if the underlying operating system does not support it.
To disable nsswitch support, run configure with the --with-nsswitch=no option.
This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
ignore_sudoers_file flag is set in the global LDAP options.
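An added client-side check for the two files this section describes (example code, not from sudo's README or distribution): it reads sudoers_base out of an ldap.conf, reads the sudoers line out of an nsswitch.conf, and reports whether the base matches the one used at import time and whether ldap is actually listed as a source. The two checks catch the most common reason a freshly imported sudoers tree is silently ignored. It assumes the "keyword value" ldap.conf syntax of the sudoers.ldap manual (not IBM Secureway's) and the usual "sudoers: ldap files" nsswitch form; the sample files at the bottom are constructed, and the uri line in the sample is an illustrative value, not something taken from this README.

```sh
#!/bin/sh
# Added example, not part of sudo's README.LDAP. Verifies that the client
# configuration points at the sudoers tree that was actually imported.

# Print the sudoers_base value(s) from an ldap.conf. The keyword is matched
# case-insensitively; the rest of the line (minus trailing blanks) is the DN.
ldap_conf_base() {
    awk 'tolower($1) == "sudoers_base" {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print
         }' "$1"
}

# Print the source list of the "sudoers:" line in an nsswitch.conf,
# normalised to single spaces with any trailing comment removed.
nsswitch_sudoers() {
    awk -F: '$1 == "sudoers" {
                sub(/#.*/, "", $2)
                gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/[ \t]+/, " ", $2)
                print $2; exit
             }' "$1"
}

# Returns 0 when sudoers_base equals EXPECTED (case-insensitively, as LDAP
# compares DNs) and nsswitch lists ldap for sudoers; otherwise prints the
# reasons on stderr and returns 1.
check_client_config() {
    ldap_conf="$1" nsswitch="$2" expected="$3"
    rc=0
    base=$(ldap_conf_base "$ldap_conf")
    if [ -z "$base" ]; then
        echo "ldap.conf: no sudoers_base set" >&2; rc=1
    elif [ "$(printf %s "$base" | tr 'A-Z' 'a-z')" != \
           "$(printf %s "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo "ldap.conf: sudoers_base '$base' does not match '$expected'" >&2; rc=1
    fi
    order=$(nsswitch_sudoers "$nsswitch")
    case " $order " in
        *" ldap "*) ;;
        *) echo "nsswitch.conf: sudoers line does not list ldap ('$order')" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files, used only to demonstrate the checks.
sample_ldap_conf() {
    cat <<'EOF'
# constructed sample ldap.conf (not a real host's file)
uri ldap://ldapserver
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 0
EOF
}
sample_nsswitch() {
    cat <<'EOF'
passwd: files ldap
group: files ldap
# LDAP first, /etc/sudoers second
sudoers: ldap files
EOF
}

# Usage on a real host:
#   check_client_config /etc/ldap.conf /etc/nsswitch.conf ou=SUDOers,dc=example,dc=com
```

If the check passes but sudo still ignores LDAP, the next thing to confirm is the order on the sudoers line: with "files ldap" a matching local /etc/sudoers entry is consulted first, which is what this section describes for the --with-nsswitch=no build as well.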
! 176:
Debugging your LDAP configuration
=================================
Enable debugging if you believe sudo is not parsing LDAP the way you think it
should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
debugging. A value of 2 shows the results of the matches themselves. Make
sure to set the value back to zero so that other users don't get confused by
the debugging messages.