Creating user accounts on Computers using LDAP

Scenario is: I have a LAN in which there are a number of computers running Linux that are connected to the local network. Can I create accounts on different computers over this network and give them sudo rights using LDAP?


Solution 1:

If you don't have LDAP servers set up, you'll need to do that first. Common options are OpenLDAP and 389 Server.

Once those are set up, you need to choose a schema for users' entries. Probably the most popular schema for Linux/UNIX systems is the "POSIX" schema. The entries you put in LDAP contain the same information you find in /etc/passwd and /etc/group. With the POSIX schema, objectClass: posixAccount and objectClass: posixGroup indicate user and group items, respectively.

There is also an objectClass for sudoers entries, sudoRole. The sudoers.ldap(5) man page has information on those entries.

With those set up, you need to configure your machines to look to LDAP for user and sudo information. On most modern, popular Linux distributions, that is done by configuring sssd and its LDAP extensions. You'll need to add a "domain" in the sssd.conf file, which will specify where to find your users and sudo entries in LDAP. The sssd.conf(5), sssd-sudo(5), and sssd-ldap(5) man pages detail how to set up SSSD.

Assuming everything is set up correctly, you should be able to run id LDAPUSER (replacing LDAPUSER with a username on an entry in LDAP) and get user information back. Also, check that sudo works for the sudo roles you put in LDAP like you would check any other sudo rule.
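The three pieces the answer describes, as an added example that is not part of the original answer: a posixAccount user and posixGroup group, a sudoRole entry granting that group sudo, and an sssd.conf domain that serves users and sudo rules from the same tree. The base DN dc=example,dc=com, the user alice, the group admins and the host ldap.example.com are constructed values; each function prints the file it generates.

```shell
# Added example; the DNs, user, group and server name below are constructed.
# gen_ldif prints the directory entries, gen_sssd_conf the client-side config.

# LDIF: POSIX user, POSIX group, and a sudoRole that maps the group to sudo.
gen_ldif() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10001
memberUid: alice

dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins
sudoUser: %admins
sudoHost: ALL
sudoCommand: ALL
EOF
}

# sssd.conf: one domain for identity, authentication and sudo rules over LDAPS.
gen_sssd_conf() {
cat <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_tls_reqcert = demand
EOF
}
```

Load the LDIF with ldapadd against your server, install the config as /etc/sssd/sssd.conf (mode 0600), and make sure nsswitch.conf lists sss for passwd, group and sudoers so that id alice and sudo -l -U alice resolve through SSSD.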