Debian and LDAP for sudo

I'm on Debian and want sudo to use LDAP instead of /etc/sudoers. Anyone have experience doing this?


Solution 1:

Modern sudo has the ability to use LDAP. In my opinion, this is clunky and failure-prone, but that's just my experience. http://www.gratisoft.us/sudo/readme_ldap.html

I definitely prefer to use netgroups to expand local sudo configs instead of relying completely on LDAP. My rule of thumb is: if it's necessary to run the server, it should be local. Only non-vital user accounts, etc. go in LDAP/NIS/whatnot.

Solution 2:

I don't think this is failure-prone, since you can have a local backup sudoers file, so even if your LDAP server is down you can still use sudo on it to maintain it, and so admins can restore the connection to the LDAP server.

It is very simple to do, and you will prefer having one centralized sudoers file rather than many local sudoers when you have something like more than 100 servers to manage.

In addition, look at this extract from the sudo website:

Using LDAP for sudoers has several benefits:

  • Sudo no longer needs to read sudoers in its entirety. When LDAP is used, there are only two or three LDAP queries per invocation. This makes it especially fast and particularly usable in LDAP environments.

  • Sudo no longer exits if there is a typo in sudoers. It is not possible to load LDAP data into the server that does not conform to the sudoers schema, so proper syntax is guaranteed. It is still possible to have typos in a user or host name, but this will not prevent sudo from running.

  • It is possible to specify per-entry options that override the global default options. /etc/sudoers only supports default options and limited options associated with user/host/commands/aliases. The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural.

  • The visudo program is no longer needed. visudo provides locking and syntax checking of the /etc/sudoers file. Since LDAP updates are atomic, locking is no longer necessary. Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax.

Solution 3:

I was able to compile sudo with the option --with-ldap, which allows it to use an LDAP directory. The sudo source comes with a schema that can be loaded into LDAP and allows it to use the directory instead of /etc/sudoers.
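To make concrete what the sudoers schema mentioned in Solution 3 looks like, and how the per-entry sudoOption overrides and "no syntax errors in the directory" benefits listed in Solution 2 play out, here is an added example (not code from this thread or from the sudo project). It embeds a constructed LDIF dump of a cn=defaults entry and two sudoRole entries, using the real schema attribute names (sudoUser, sudoHost, sudoCommand, sudoOption, sudoOrder), and evaluates a (user, host, command) request against them. The DNs, hostnames and user names are made up, and the matching rules are a simplified approximation of sudo's, good enough to show why a typo in a hostname only causes a non-match rather than a refusal to run.

```python
"""Toy evaluator for sudoers-in-LDAP (sudoRole) entries.

Added example, not from the thread or the sudo project. SAMPLE_LDIF is
constructed data using real sudoers schema attribute names; the DNs,
hosts and users are made up. Matching semantics are a simplification.
"""
import fnmatch

# Constructed sample: roughly what ldapsearch over ou=SUDOers would return.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
sudoOption: requiretty

dn: cn=webadmins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: webadmins
sudoUser: %webadmins
sudoHost: web*.example.com
sudoCommand: /usr/sbin/service nginx *
sudoCommand: !/usr/sbin/service nginx stop
sudoOption: !requiretty
sudoOrder: 10

dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOrder: 20
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, every attribute a list."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def _user_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # %group -> Unix group membership
        return spec[1:] in groups
    if spec.startswith("+"):          # +netgroup needs getent netgroup; not modelled
        return False
    return spec == user


def _host_matches(spec, host):
    # sudo allows shell-style wildcards in host names; a typo just fails to match
    return spec == "ALL" or fnmatch.fnmatchcase(host, spec)


def _command_matches(spec, argv):
    if spec == "ALL":
        return True
    path, *args = spec.split()
    if not argv or not fnmatch.fnmatchcase(argv[0], path):
        return False
    if not args:                      # a bare path permits any arguments
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(args))


def _apply_options(options, specs):
    """Merge sudoOption values: 'flag', '!flag' or 'key=value'."""
    for spec in specs:
        if "=" in spec:
            key, value = spec.split("=", 1)
            options[key] = value
        elif spec.startswith("!"):
            options[spec[1:]] = False
        else:
            options[spec] = True
    return options


def check(entries, user, groups, host, argv):
    """Return (allowed, effective_options) for user running argv on host.

    Toy semantics: cn=defaults seeds the options, roles are visited in
    sudoOrder, within a role the last matching sudoCommand decides (a
    leading '!' denies), and later matching roles override earlier ones.
    """
    options, roles = {}, []
    for e in entries:
        if e.get("cn") == ["defaults"]:
            _apply_options(options, e.get("sudoOption", []))
        elif "sudoRole" in e.get("objectClass", []):
            roles.append(e)
    roles.sort(key=lambda e: int(e.get("sudoOrder", ["0"])[0]))
    allowed = False
    for role in roles:
        if not any(_user_matches(s, user, groups) for s in role.get("sudoUser", [])):
            continue
        if not any(_host_matches(s, host) for s in role.get("sudoHost", [])):
            continue
        decision = None
        for spec in role.get("sudoCommand", []):
            if _command_matches(spec.lstrip("!"), argv):
                decision = not spec.startswith("!")
        if decision is None:
            continue
        allowed = decision
        _apply_options(options, role.get("sudoOption", []))
    return allowed, options


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(check(roles, "alice", {"webadmins"}, "web01.example.com",
                ["/usr/sbin/service", "nginx", "restart"]))
```

On Debian the `sudo-ldap` package reads its directory settings (uri, sudoers_base, bind credentials, TLS options) from /etc/sudo-ldap.conf, and the `sudoers:` line in /etc/nsswitch.conf sets the order in which the LDAP source and the local /etc/sudoers are consulted, which is how the local fallback file described in Solution 2 is wired in. The toy above deliberately omits netgroups, IP-network host specs, sudoRunAsUser/Group and the sudoNotBefore/sudoNotAfter time window.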