OpenLDAP/sudo

From Secure Computing Wiki
Revision as of 13:15, 29 July 2008 by 74.95.66.25 (talk) (port install and config)

This page will help you get sudo on FreeBSD using OpenLDAP for config storage and authentication.

This is a work in progress. DO NOT FOLLOW THIS UNTIL IT'S FINISHED!!!!!!!!!

SUDO

For this setup, I've got sudo 1.6.9.17 with LDAP and INSULTS enabled. You can get it installed from ports with the following:

# cd /usr/ports/security/sudo && make clean deinstall && make -DWITH_INSULTS -DWITH_LDAP reinstall

PAM Config

Edit the /etc/pam.d/system file to read as follows:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

ldap.conf

Add the following lines to your /usr/local/etc/ldap.conf file:

# SUDO Configuration
sudoers_base ou=SUDOers,dc=claimlynx,dc=com
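For reference, the kind of entries that sudoers_base points at, written as an added example rather than content from the original page. It assumes the sudo LDAP schema shipped with the port (the sudoRole object class with sudoUser, sudoHost, sudoCommand and sudoOption attributes) has already been loaded into slapd; the entry names, group and host below are constructed placeholders.

```ldif
# Constructed example: the container named by sudoers_base in ldap.conf
dn: ou=SUDOers,dc=claimlynx,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# sudo looks for an entry named cn=defaults and applies its sudoOption
# values globally, the same way a "Defaults" line works in /etc/sudoers
dn: cn=defaults,ou=SUDOers,dc=claimlynx,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Global sudoOption values (constructed example)
sudoOption: env_reset
sudoOption: logfile=/var/log/sudo.log

# One rule: members of the wheel group may run anything as root on any host.
# Narrow sudoHost / sudoCommand to the hosts and commands actually needed
# instead of ALL where the group does not require full root.
dn: cn=wheel-admins,ou=SUDOers,dc=claimlynx,dc=com
objectClass: top
objectClass: sudoRole
cn: wheel-admins
description: Constructed example rule for the wheel group
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
```

Load it with ldapadd against the server named in ldap.conf and check the result with `sudo -l` as a member of the group; with sudoers_base set but no matching rule, sudo denies the request.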