File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / README.LDAP
Revision 1.1.1.1 (vendor branch)
Mon Jul 22 10:46:10 2013 UTC by misho
Branches: sudo, MAIN
CVS tags: v1_8_8p0, v1_8_8, v1_8_7p0, v1_8_7, v1_8_5p1, v1_8_3p2, HEAD
1.8.7

This file explains how to build the optional LDAP functionality of SUDO to
store /etc/sudoers information.  This feature is distinct from LDAP passwords.

For general sudo LDAP configuration details, see the sudoers.ldap manual that
comes with the sudo distribution.  A pre-formatted version of the manual may
be found in the sudoers.ldap.cat file.

The sudo binary compiled with LDAP support should be totally backward
compatible and be syntactically and source code equivalent to its
non-LDAP-enabled build.
   11: 
LDAP philosophy
===============
As times change and servers become cheap, an enterprise can easily have 500+
UNIX servers.  Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
others across an enterprise can greatly reduce the administrative overhead.

In the past, sudo has used a single local configuration file, /etc/sudoers.
While the same sudoers file can be shared among machines, no built-in
mechanism exists to distribute it.  Some have attempted to work around this
by synchronizing changes via CVS/RSYNC/RDIST/RCP/SCP and even NFS.

By using LDAP for sudoers we gain a centrally administered, globally
available configuration source for sudo.

For information on OpenLDAP, please see http://www.openldap.org/.
   27: 
Definitions
===========
Many times the word 'Directory' is used in the document to refer to the LDAP
server, structure and contents.

Many times 'options' are used in this document to refer to sudoer 'defaults'.
They are one and the same.
   35: 
Build instructions
==================
The simplest way to build sudo with LDAP support is to include the
'--with-ldap' option.

  $ ./configure --with-ldap

If your LDAP libraries and headers are in a non-standard place, you will need
to specify them at configure time.  E.g.

  $ ./configure --with-ldap=/usr/local/ldapsdk

Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
(such as those present in Solaris) are also known to work.

Your mileage may vary.  Please let the sudo workers mailing list
<sudo-workers@sudo.ws> know if special configuration was required
to build an LDAP-enabled sudo so we can improve sudo.
   54: 
Schema Changes
==============
You must add the appropriate schema to your LDAP server before it
can store sudoers content.

For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
(e.g. /etc/openldap/schema).  You must then edit your slapd.conf and
add an include line for the new schema, e.g.

    # Sudo LDAP schema
    include         /etc/openldap/schema/sudo.schema

In order for sudoRole LDAP queries to be efficient, the server must index
the attribute 'sudoUser', e.g.

    # Indices to maintain
    index           sudoUser        eq

After making the changes to slapd.conf, restart slapd.

For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.

On Solaris, schemas are stored in /var/Sun/mps/slapd-`hostname`/config/schema/.
For Fedora Directory Server, they are stored in /etc/dirsrv/schema/.

After copying the schema file to the appropriate directory, restart
the LDAP server.

Finally, using an LDAP browser/editor, enable indexing by editing the
client profile to provide a Service Search Descriptor (SSD) for sudoers,
replacing example.com with your domain:

    serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com

If using an Active Directory server, copy schema.ActiveDirectory
to your Windows domain controller and run the following command:

    ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com
   94: 
Importing /etc/sudoers into LDAP
================================
Importing sudoers is a two-step process.

Step 1:
Ask your LDAP Administrator where to create the ou=SUDOers container.

For instance, if using OpenLDAP:

  dn: ou=SUDOers,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: SUDOers

(The example above shows a typical location.)  Then use the provided script to
convert your sudoers file into LDIF format.  The script will also convert any
default options.

  # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
  # export SUDOERS_BASE
  # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif

Step 2:
Import into your directory server.  The following example is for
OpenLDAP.  If you are using another directory, provide the LDIF
file to your LDAP Administrator.

  # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
    -D cn=Manager,dc=example,dc=com -W -x
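An added example (not part of sudo's README.LDAP or of the sudoers2ldif script): a small Python check to run over the LDIF from Step 1 before ldapadd imports it in Step 2, flagging sudoRole entries that sit outside sudoers_base, lack a required attribute, or grant ALL commands with authentication turned off. It assumes the attribute names of the sudo LDAP schema (sudoRole, sudoUser, sudoHost, sudoCommand, sudoOption) and a cn=defaults entry holding the converted options; the sample LDIF is constructed to resemble sudoers2ldif output, not captured from it.

```python
# Added example, not part of sudo's README.LDAP: audit the LDIF that sudoers2ldif
# produces before ldapadd imports it.  The sample LDIF is constructed here.
SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"  # same value as the SUDOERS_BASE env var
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: backup
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: ALL

dn: cn=stray,ou=People,dc=example,dc=com
objectClass: sudoRole
cn: stray
sudoUser: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Split LDIF into entries, each a dict of attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(text, base=SUDOERS_BASE):
    """Return (dn, finding) pairs for sudoRole entries that need a second look."""
    findings = []
    for e in parse_ldif(text):
        if "sudoRole" not in e.get("objectClass", []) or e.get("cn") == ["defaults"]:
            continue  # cn=defaults only carries sudoOption values, no grants
        dn = e["dn"][0]
        if not dn.lower().endswith("," + base.lower()):
            findings.append((dn, "outside sudoers_base, sudo will never match it"))
        for req in ("sudoUser", "sudoHost", "sudoCommand"):
            if req not in e:
                findings.append((dn, "missing " + req))
        if "ALL" in e.get("sudoCommand", []) and "!authenticate" in e.get("sudoOption", []):
            findings.append((dn, "runs ALL commands without authentication"))
    return findings
```

Run it as `audit(open("/tmp/sudoers.ldif").read())` against the file from Step 1 and review each finding before the import.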
  124: 
Managing LDAP entries
=====================
Doing a one-time bulk load of your ldap entries is fine.  However what if you
need to make minor changes on a daily basis?  It doesn't make sense to delete
and re-add objects.  (You can, but this is tedious).

I recommend using any of the following LDAP browsers to administer your SUDOers.
  * GQ - The gentleman's LDAP client - Open Source - I use this a lot on Linux
    and since it is Schema aware, I don't need to create a sudoRole template.
    http://biot.com/gq/

  * phpQLAdmin - Open Source - phpQLAdmin is an administration tool,
    originally for QmailLDAP, that supports editing sudoRole objects
    in version 2.3.2 and higher.
    http://phpqladmin.com/

  * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
    and Solaris.  It runs anywhere in a Java Virtual Machine including
    web pages.  You have to make a template from an existing sudoRole entry.
    http://www.iit.edu/~gawojar/ldap
    http://www.mcs.anl.gov/~gawor/ldap
    http://ldapmanager.com

  * Apache Directory Studio - Open Source - an Eclipse-based LDAP
    development platform.  Includes an LDAP browser, an LDIF editor,
    a schema editor and more.
    http://directory.apache.org/studio

  There are dozens of others, some Open Source, some free, some not.
  154: 
Configure your /etc/ldap.conf and /etc/nsswitch.conf
====================================================
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other LDAP applications and modules.  IBM Secureway unfortunately uses
the same file name but has a different syntax.  If you need to change where
this file is stored, re-run configure with the --with-ldap-conf-file=PATH
option.

See the "Configuring ldap.conf" section in the sudoers.ldap manual
for a list of supported ldap.conf parameters and an example ldap.conf.

Make sure your sudoers_base matches the location you specified when you
imported the sudoers LDIF data.

After configuring /etc/ldap.conf, you must add a line in /etc/nsswitch.conf
to tell sudo to look in LDAP for sudoers.  See the "Configuring nsswitch.conf"
section in the sudoers.ldap manual for details.  Note that sudo will use
/etc/nsswitch.conf even if the underlying operating system does not support it.
To disable nsswitch support, run configure with the --with-nsswitch=no option.
This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
ignore_sudoers_file flag is set in the global LDAP options.
  176: 
Debugging your LDAP configuration
=================================
Enable debugging if you believe sudo is not parsing LDAP the way you think it
should.  Setting the 'sudoers_debug' parameter to a value of 1 shows moderate
debugging.  A value of 2 shows the results of the matches themselves.  Make
sure to set the value back to zero so that other users don't get confused by
the debugging messages.
