Difference between revisions of "OpenLDAP/sudo"

From Secure Computing Wiki
Line 1: Line 1:
 +
----
 +
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;">
 +
----
 +
=[http://exytebuc.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
 +
----
 +
=[http://exytebuc.co.cc CLICK HERE]=
 +
----
 +
</div>
 
This page will help you get sudo on FreeBSD using OpenLDAP for config storage and authentication.
 
This page will help you get sudo on FreeBSD using OpenLDAP for config storage and authentication.
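Review bot: the block this revision adds at the top of the page is not article content but a full-page overlay, and the revision should be reverted rather than edited around. The inserted `<div>` uses `position: absolute`, a 2000px by 2000px box, `left: -250px`, `z-index: 1410065407` and a solid grey background, which covers the whole article, and its only contents are two headings (`UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY` and `CLICK HERE`) linking to an external `.co.cc` domain. That combination, an opaque overlay whose sole purpose is to send readers off-site, is the signature of wiki spam/defacement; besides reverting, consider protecting the page and reviewing the other contributions of the account that saved it.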
  
Line 6: Line 14:
 
== Sample SUDO LDAP Entry ==
 
== Sample SUDO LDAP Entry ==
 
The following sample entry will setup a defaults section and create an entry for all members of the admins group to have sudo access.
 
The following sample entry will setup a defaults section and create an entry for all members of the admins group to have sudo access.
<pre># SUDOers, example.com
+
&lt;pre># SUDOers, example.com
 
dn: ou=SUDOers,dc=example,dc=com
 
dn: ou=SUDOers,dc=example,dc=com
 
objectClass: top
 
objectClass: top
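Review bot: the same revision changes `<pre># SUDOers, example.com` to `&lt;pre># SUDOers, example.com`, i.e. the opening tag is HTML-escaped. MediaWiki then shows the literal text `<pre>` instead of opening a preformatted block, so the LDIF is no longer protected from wikitext parsing: the `# ...` comment lines turn into numbered-list items and the attribute lines run together into one paragraph. There is no legitimate content change in this hunk to preserve, so reverting the whole revision is the right fix.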
Line 38: Line 46:
 
sudoUser: testuser
 
sudoUser: testuser
 
description: Allowed access to all sudo commands for admins.
 
description: Allowed access to all sudo commands for admins.
</pre>
+
&lt;/pre>
  
 
== SUDO ==
 
== SUDO ==
 
For this setup, I've got 1.6.9.17 with LDAP and INSULTS enabled.  You can get this installed with the following:
 
For this setup, I've got 1.6.9.17 with LDAP and INSULTS enabled.  You can get this installed with the following:
<pre>
+
&lt;pre>
# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall
+
# cd /usr/ports/security/sudo &amp;&amp; make clean deinstall &amp;&amp; make -DWITH_INSULTS -DWITH_LDAP reinstall
</pre>
+
&lt;/pre>
  
 
== PAM Config ==
 
== PAM Config ==
 
Edit the /etc/pam.d/system file to read as follows:
 
Edit the /etc/pam.d/system file to read as follows:
<pre># auth
+
&lt;pre># auth
 
auth            sufficient      pam_opie.so            no_warn no_fake_prompts
 
auth            sufficient      pam_opie.so            no_warn no_fake_prompts
 
auth            requisite      pam_opieaccess.so      no_warn allow_local
 
auth            requisite      pam_opieaccess.so      no_warn allow_local
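Review bot: in addition to the escaped `<pre>`/`</pre>` tags, the ports build command under the SUDO heading is altered: `&&` becomes `&amp;&amp;`, so the chained command in the page source is no longer the shell's `&&` operator, and anyone copying the line from the source gets text the shell will not run as three chained commands. The PAM block below it loses its `<pre>` in the same way. None of this is an intended edit; revert.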
Line 69: Line 77:
 
# password
 
# password
 
#password      sufficient      pam_krb5.so            no_warn try_first_pass
 
#password      sufficient      pam_krb5.so            no_warn try_first_pass
password        required        pam_unix.so            no_warn try_first_pass</pre>
+
password        required        pam_unix.so            no_warn try_first_pass&lt;/pre>
  
 
== ldap.conf ==
 
== ldap.conf ==
 
Add the following lines to your /usr/local/etc/ldap.conf file:
 
Add the following lines to your /usr/local/etc/ldap.conf file:
  
<pre># SUDO Configuration
+
&lt;pre># SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com</pre>
+
sudoers_base ou=SUDOers,dc=example,dc=com&lt;/pre>

Revision as of 18:56, 23 November 2010





This page will help you get sudo on FreeBSD using OpenLDAP for config storage and authentication.

OpenLDAP Schema

You should already have followed the instructions at OpenLDAP and installed the sudo schema as described there. If you have not done this, do so now.

Sample SUDO LDAP Entry

The following sample entry will set up a defaults section and create an entry for all members of the admins group to have sudo access.

<pre>
# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers, example.com
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.
</pre>
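To see how sudo's LDAP backend reads entries like these, here is an added example (not code from the wiki page, and not sudo's own code) that parses the LDIF above and answers "may this user run this command on this host, and with which options?". The matching rules are a simplified restatement of documented sudoers-ldap behaviour: ALL as a wildcard, %group in sudoUser, and a leading ! negating a sudoOption. It goes one step beyond the page by adding a constructed "ops" role (an assumption, not on the page) so that group and per-host matching are exercised too.

```python
# Added example, not code from the wiki page: parse sudoRole LDIF and model how sudo's
# LDAP backend decides "may USER run COMMAND on HOST?" and which sudoOptions apply.
# Simplified restatement of documented sudoers-ldap matching, not sudo's own code.

# Constructed input: the page's three entries plus an "ops" role (assumption) that
# exercises %group and per-host matching.
SAMPLE_LDIF = """\
# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers, example.com
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.

# ops, SUDOers, example.com (constructed role, not on the wiki page)
dn: cn=ops,ou=SUDOers,dc=example,dc=com
cn: ops
objectClass: sudoRole
sudoHost: db1.example.com
sudoCommand: /usr/sbin/service
sudoUser: %ops
sudoOption: timestamp_timeout=0
"""


def parse_ldif(text):
    """Split LDIF into entries, each mapping attribute -> list of values.
    Comments and blank-line separators are handled; base64 (::) values and
    folded continuation lines are not needed for this data and are not supported."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_options(values):
    """sudoOption values: 'flag' -> True, '!flag' -> False, 'name=value' -> 'value'."""
    opts = {}
    for v in values:
        name, eq, val = v.partition("=")
        opts[name.lstrip("!")] = val if eq else not name.startswith("!")
    return opts


def user_matches(spec, user, groups):
    """sudoUser: a literal user name, %group (Unix group membership) or ALL."""
    return spec == "ALL" or (spec[1:] in groups if spec.startswith("%") else spec == user)


def check_sudo(entries, user, groups, host, command):
    """Return (allowed, effective_options). Options start from cn=defaults and are
    overridden by any sudoOption on a role that grants the command."""
    roles = [e for e in entries if "sudoRole" in e.get("objectClass", [])]
    defaults = [r for r in roles if r.get("cn") == ["defaults"]]
    options = parse_options(defaults[0].get("sudoOption", [])) if defaults else {}
    allowed = False
    for role in roles:
        if role in defaults:
            continue
        if not any(user_matches(u, user, groups) for u in role.get("sudoUser", [])):
            continue
        if not any(h in ("ALL", host) for h in role.get("sudoHost", [])):
            continue
        # A sudoCommand matches the bare program or the program followed by arguments.
        if any(c == "ALL" or c == command or command.startswith(c + " ")
               for c in role.get("sudoCommand", [])):
            allowed = True
            options.update(parse_options(role.get("sudoOption", [])))
    return allowed, options
```

Run `check_sudo(parse_ldif(SAMPLE_LDIF), "ecrist", {"wheel"}, "web1.example.com", "/usr/bin/id")` and the admins role grants the command while the effective options carry `logfile=/var/log/sudolog` and `syslog` switched off, exactly as the defaults entry states; a user who is only in the constructed ops group is granted `/usr/sbin/service` on db1.example.com and nothing anywhere else.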

SUDO

For this setup, I've got sudo 1.6.9.17 with LDAP and INSULTS enabled. You can get this installed with the following:

<pre>
# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall
</pre>

PAM Config

Edit the /etc/pam.d/system file to read as follows:

<pre>
# auth
auth            sufficient      pam_opie.so            no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so      no_warn allow_local
#auth           sufficient      pam_krb5.so            no_warn try_first_pass
#auth           sufficient      pam_ssh.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so            no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so         no_fail

# password
#password       sufficient      pam_krb5.so            no_warn try_first_pass
password        required        pam_unix.so            no_warn try_first_pass
</pre>
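The order and control flags in that file decide which module actually authenticates a given login: pam_ldap is `sufficient`, so an LDAP user is accepted without pam_unix ever running, while a local user falls through to the `required` pam_unix line. The following added example (not code from the wiki page, and not OpenPAM's code) models the standard required/requisite/sufficient/optional rules over the auth and account stanzas above; module outcomes are supplied as constructed data so it runs offline.

```python
# Added example, not code from the wiki page: a small model of how a PAM stack such as
# /etc/pam.d/system above is walked, to show which module decides each kind of login.
# Control-flag semantics are restated here; this is not OpenPAM's implementation.

# Constructed input: the auth and account stanzas from the page's /etc/pam.d/system.
SYSTEM_PAM = """\
# auth
auth            sufficient      pam_opie.so            no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so      no_warn allow_local
#auth           sufficient      pam_krb5.so            no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so            no_warn try_first_pass nullok

# account
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so
"""


def parse_pam(text):
    """Return (facility, control, module, args) tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        facility, control, module, *args = line.split()
        rules.append((facility, control, module, tuple(args)))
    return rules


def run_stack(rules, facility, outcome):
    """Walk one facility ("auth", "account", ...). `outcome` maps a module name to
    True (PAM_SUCCESS) or False (any failure); modules not listed are treated as failing.
    Returns (granted, consulted): the final decision and the modules that actually ran."""
    consulted = []
    required_failed = False   # a required module failed earlier in the chain
    decided_ok = False        # a required/requisite module succeeded
    for fac, control, module, _args in rules:
        if fac != facility:
            continue
        consulted.append(module)
        ok = outcome.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted          # stop at once; nothing later runs
        if control == "required" and not ok:
            required_failed = True           # remember, but keep running the chain
        if control in ("required", "requisite") and ok:
            decided_ok = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted           # enough; later modules are skipped
        # an optional module, or a failed sufficient one, never decides on its own
    return decided_ok and not required_failed, consulted


def auth_decider(outcome):
    """Convenience: which module the auth chain stopped at, and whether it granted access."""
    granted, consulted = run_stack(parse_pam(SYSTEM_PAM), "auth", outcome)
    return granted, consulted[-1]
```

With the page's stack, `auth_decider({"pam_opieaccess.so": True, "/usr/local/lib/pam_ldap.so": True})` reports that pam_ldap granted access and pam_unix was never consulted, whereas a local account with pam_ldap failing is decided by the `required pam_unix.so` line; a failure in the `requisite pam_opieaccess.so` line ends the chain immediately. In the account chain every module is `required`, so all three run and any one of them failing denies the session.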

ldap.conf

Add the following lines to your /usr/local/etc/ldap.conf file:

<pre>
# SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com
</pre>