Difference between revisions of "OpenLDAP/sudo"

From Secure Computing Wiki

Latest revision as of 17:41, 26 November 2010

This page will help you get sudo on FreeBSD using OpenLDAP for config storage and authentication.

OpenLDAP Schema

You should already have followed the instructions at OpenLDAP and installed the sudo schema as described there. If you have not done this, do so now.

Sample SUDO LDAP Entry

The following sample entry will set up a defaults section and create an entry that grants sudo access to all members of the admins group.

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers, example.com
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.
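As an added example (not part of the original wiki page), here is a small Python audit that parses an LDIF export of the SUDOers subtree and reports which sudoRole entries grant ALL commands on ALL hosts, and whether the defaults entry sets ignore_local_sudoers so the local /etc/sudoers cannot quietly add rules. The embedded LDIF is constructed from the sample above; the parser handles comments and folded continuation lines but not base64 (`::`) values.

```python
from collections import defaultdict

# Constructed sample: the page's two sudoRole entries (the ou entry is omitted).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoOption: !root_sudo
sudoOption: ignore_local_sudoers

dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} records (attr names lowercased)."""
    records, rec, last = [], None, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):                   # LDIF comment
            continue
        if line == "":                             # blank line ends a record
            if rec:
                records.append(rec)
            rec, last = None, None
        elif line.startswith(" ") and last:        # folded line continues previous value
            rec[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            rec = rec if rec is not None else defaultdict(list)
            last = attr.lower()                    # LDAP attribute names are case-insensitive
            rec[last].append(value.strip())
    return records

def audit(records):
    """Return roles granting ALL commands on ALL hosts and whether ignore_local_sudoers is set."""
    full_access, ignore_local = {}, False
    for rec in records:
        if "sudorole" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue
        if "ignore_local_sudoers" in rec.get("sudooption", []):
            ignore_local = True
        if "ALL" in rec.get("sudohost", []) and "ALL" in rec.get("sudocommand", []):
            full_access[rec["dn"][0]] = sorted(rec.get("sudouser", []))
    return {"full_access": full_access, "ignore_local_sudoers": ignore_local}
```

Run it against a real export (for example the output of ldapsearch -b ou=SUDOers,dc=example,dc=com) to get the same report for your directory.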


For this setup, I've built sudo with LDAP and INSULTS enabled. You can get this installed with the following:

# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall

PAM Config

Edit the /etc/pam.d/system file to read as follows:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass


Add the following lines to your /usr/local/etc/ldap.conf file:

# SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com