OpenLDAP/sudo

From Secure Computing Wiki
Revision as of 18:56, 23 November 2010 by Esubiguxoc (Talk | contribs)





This page walks through setting up sudo on FreeBSD with OpenLDAP holding the sudoers configuration (sudoRole entries) and providing user authentication through pam_ldap.

OpenLDAP Schema

You should already have followed the instructions at OpenLDAP and installed the sudo schema as described there. If you have not done this, do so now; slapd will reject sudoRole entries until the schema is loaded.

Sample SUDO LDAP Entry

The following sample entries set up a defaults section and an admins role that grants two named users, ecrist and testuser, sudo access to all commands on all hosts. Note that the role lists login names in sudoUser; to grant a POSIX group instead, prefix the group name with % (sudoUser: %admins). Also note the ignore_local_sudoers option in the defaults entry: when sudo can read the LDAP entries it skips the local sudoers file entirely, so on hosts that reach the directory these roles are the only source of policy.
<pre>
# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# admins, SUDOers, example.com
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser
description: Allowed access to all sudo commands for admins.
</pre>
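To make the matching rules concrete, here is an added example (not code from this wiki page or from the sudo project) that parses the LDIF above and answers "may this user run this command on this host?" with the same all-of-sudoUser/sudoHost/sudoCommand logic sudo's LDAP backend applies. It handles a bare login name, a %group and ALL in sudoUser, ALL or a glob in sudoHost, and ALL, a bare path (any arguments) or a path with an argument pattern in sudoCommand, with ! negation and last-match-wins within a role. Netgroups (+) and numeric uids (#) are left out. The extra cn=operators role, the hostnames and the group names used in the checks are assumptions made for the demonstration; the LDIF is constructed inline so the script runs offline.

```python
from fnmatch import fnmatchcase

# Constructed input: the SUDOers subtree from the page plus one
# assumed role (cn=operators) that uses the %group form of sudoUser.
LDIF = """\
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
objectClass: top
objectClass: sudoRole
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers

dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ecrist
sudoUser: testuser

dn: cn=operators,ou=SUDOers,dc=example,dc=com
cn: operators
objectClass: top
objectClass: sudoRole
sudoHost: www1.example.com
sudoCommand: /usr/sbin/service
sudoCommand: !/usr/sbin/service sshd *
sudoUser: %operators
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines,
    each entry a dict of attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def sudo_roles(entries):
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def defaults_options(entries):
    """sudoOption values on cn=defaults apply globally, like a Defaults line."""
    for e in sudo_roles(entries):
        if e.get("cn") == ["defaults"]:
            return e.get("sudoOption", [])
    return []


def user_matches(values, user, groups):
    # A role lists login names; a %name matches members of that POSIX group.
    return any(v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)
               for v in values)


def host_matches(values, host):
    return any(v == "ALL" or fnmatchcase(host, v) for v in values)


def command_matches(values, command):
    """ALL, a bare path (matches any arguments), or a path with an argument
    glob. A leading '!' negates; the last matching value wins."""
    allowed = False
    for v in values:
        negated = v.startswith("!")
        pattern = v[1:] if negated else v
        if pattern == "ALL":
            hit = True
        elif " " in pattern:
            hit = fnmatchcase(command, pattern)
        else:
            hit = command.split(" ", 1)[0] == pattern
        if hit:
            allowed = not negated
    return allowed


def may_run(entries, user, groups, host, command):
    """True if any non-defaults sudoRole matches user, host and command."""
    for role in sudo_roles(entries):
        if role.get("cn") == ["defaults"]:
            continue
        if (user_matches(role.get("sudoUser", []), user, groups)
                and host_matches(role.get("sudoHost", []), host)
                and command_matches(role.get("sudoCommand", []), command)):
            return True
    return False


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    # alice is in the POSIX group admins, but the page's role names users, not %admins
    print(may_run(ENTRIES, "alice", ["admins"], "db1.example.com", "/bin/sh"))
```

Running it shows the point made above: testuser gets ALL on every host, while a member of a POSIX group called admins gets nothing unless the role says %admins. The operators role shows how a negated sudoCommand carves an exception out of a broader grant.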

SUDO

For this setup, I've got sudo 1.6.9.17 built with LDAP and INSULTS enabled. You can get this installed from ports with the following:
<pre>
# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall
</pre>

PAM Config

Edit the /etc/pam.d/system file to read as follows. Lines beginning with # are the commented-out Kerberos and pam_ssh entries from the FreeBSD default file; the pam_ldap lines are the additions. The ignore_authinfo_unavail flag on the pam_ldap account line makes that module return "ignore" when the directory cannot be reached, so a directory outage does not lock out local accounts, and ignore_unknown_user does the same for accounts that exist only in local passwd.
<pre>
# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
#auth		sufficient	pam_krb5.so			no_warn try_first_pass
#auth		sufficient	pam_ssh.so			no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so			no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	/usr/local/lib/pam_ldap.so	ignore_unknown_user ignore_authinfo_unavail
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_lastlog.so			no_fail

# password
#password	sufficient	pam_krb5.so			no_warn try_first_pass
password	required	pam_unix.so			no_warn try_first_pass
</pre>

ldap.conf

Add the following to your /usr/local/etc/ldap.conf file, alongside the uri and base settings configured on the OpenLDAP page. This tells sudo where in the directory to look for sudoRole entries:

<pre>
# SUDO Configuration
sudoers_base ou=SUDOers,dc=example,dc=com
</pre>