Old 09-09-2008, 08:39 PM
"Kashif Ali"
 
Sudo and Ldap

Hello all,

I have successfully set up FDS on CentOS 5.2 and managed to get users signing on without any issues. However, if I edit the sudoers file to allow a group on LDAP to use sudo, the sudo command does not see the members of the group, or I think the group itself?


I have no idea why this is:

If I run the command 'id' as the given user you can clearly see the group memberships; however, if I do: getent group linuxops I see:

linuxops:*:6000:

with no members??? However, SSHD AllowGroups works? I have configured sshd to only allow members of the linuxops group to log in and this works fine? So my question is, why is sudo behaving differently?


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 09-09-2008, 08:43 PM
"Aaron Bliss"
 
Sudo and Ldap

Kashif,


Make sure you have defined the group in LDAP and added the posix attributes and object class to the group. At a bare minimum, you'll need the top, groupofuniquenames and posixgroup object classes.


Aaron


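To check what Aaron describes, the following added example (not code from the thread) parses group entries from LDIF and reports which members an RFC 2307 consumer such as nss_ldap's getent group will list from memberUid, reproducing the empty member list Kashif sees when a group carries only uniqueMember DNs, and emits the ldapmodify input that adds the missing memberUid values. The LDIF, DNs and user names are constructed; only the cn linuxops and gid 6000 come from the thread.

```python
"""Audit LDAP groups for RFC 2307 membership (posixGroup + memberUid), which
is what `getent group` via nss_ldap lists; uniqueMember DNs are not used.
Added example, not from the thread; LDIF is constructed (cn/gid from thread)."""
import re

SAMPLE_LDIF = """\
dn: cn=linuxops,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: linuxops
gidNumber: 6000
uniqueMember: uid=kashif,ou=People,dc=example,dc=com
uniqueMember: uid=aaron,ou=People,dc=example,dc=com

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: dev
gidNumber: 6005
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr(lowercased): [values]}; no base64."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def uid_from_dn(dn):
    """'uid=alice,ou=People,...' -> 'alice'; None if the RDN is not uid=."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val.strip() if key.strip().lower() == "uid" else None

def audit_groups(ldif_text):
    """Return {cn: (gid, members_getent_sees_or_None, uids_only_in_dn_attrs)}."""
    report = {}
    for e in parse_ldif(ldif_text):
        cn, gid = e.get("cn", ["?"])[0], e.get("gidnumber", [None])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        # Entries without posixGroup are invisible to getent altogether.
        seen = e.get("memberuid", []) if "posixgroup" in classes else None
        dn_uids = [uid_from_dn(d) for d in e.get("uniquemember", []) + e.get("member", [])]
        missing = sorted({u for u in dn_uids if u and u not in (seen or [])})
        report[cn] = (gid, seen, missing)
    return report

def getent_line(cn, report):
    """Render a group the way `getent group <cn>` prints it."""
    gid, members, _ = report[cn]
    return f"{cn}:*:{gid}:{','.join(members or [])}"

def fix_ldif(cn, base_dn, report):
    """ldapmodify input adding the memberUid values (and posixGroup if absent)."""
    gid, seen, missing = report[cn]
    if not missing:
        return ""
    lines = [f"dn: cn={cn},{base_dn}", "changetype: modify"]
    if seen is None:
        lines += ["add: objectClass", "objectClass: posixGroup", "-",
                  "add: gidNumber", f"gidNumber: {gid or 'GID_PLACEHOLDER'}", "-"]
    lines += ["add: memberUid"] + [f"memberUid: {u}" for u in missing]
    return "\n".join(lines) + "\n"
```

Running audit_groups over a real export (ldapsearch -LLL output) shows at a glance which groups sshd or sudo will see with no members.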
 
Old 09-09-2008, 08:54 PM
"Kashif Ali"
 
Sudo and Ldap

When you say add the sudo base, are you talking about the ldif file?

Is there no way to continue to use the original ldif file?


 
Old 09-09-2008, 09:42 PM
"Kashif Ali"
 
Sudo and Ldap

I believe in CentOS 5.x and Red Hat they have LDAP support built in:

http://kbase.redhat.com/faq/FAQ_80_12975.shtm

I am not sure how to include the ldif file in the directory server, and also, once it's included, how to manage the sudoers?


Let me give you some more background on the environment.

we have the following environments:

Production
Staging
Test
Load Testing
Development

Each of the environments has a varying number of servers, ranging from 30 up to 150+.


We have three main categories of users:

Linuxops = Linux Sys admins
SuperUsers = Developers who have sudo rights (ALL) on dev/load test environments, but only for the less, cat and more commands on Test/Staging/Production environments (this is mainly for log and config file viewing).

Dev = Developers who have full sudo rights on development and only access development environment


I am restricting access to each environment via the sshd_config AllowGroups variable. I have the following groups:


linuxops
prodlogs
staginglog
testlogs
ltlogs
dev

What I would need is to somehow configure LDAP with sudo, so that if you were in the correct groups you can log in to whichever environment and have the correct privileges.


The problem I will have is with superusers. They would be members of the dev group (so have all rights on the dev env), but then they would be added to prodlogs etc. so they have restricted sudo on prod. However, since there would only be one sudo file in LDAP, sshd would let them log on to a production server via the prodlogs group, and sudo would find the dev group and give them full rights!


I would appreciate any advice in configuring this setup. Currently I have written a wiki to cover the installation of CentOS/Fedora DS and configuring it for central authentication with shared home directories; this would be the final icing on the cake if I could get it working.


Please have a look at the following link to get the idea of what I have done to get ldap up and running:

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server



What I really need help with is sudo under LDAP in the above scenario. I hope I have given enough information; if you require more information please just say and I will provide it ASAP.

Regards

Kashif




 
Old 09-09-2008, 09:42 PM
Malcolm Amir Hussain-Gambles
 
Sudo and Ldap

Redhat sudo doesn't support ldap, recompile it with ldap support and add
the sudoers base to /etc/ldap.conf and it should work then, annoying!

Cheers

Malcolm

 
Old 09-09-2008, 10:06 PM
Malcolm Amir Hussain-Gambles
 
Sudo and Ldap

This is how I've always done it:

I usually just pull the src.rpm and add ldap in the .spec file,
recompile then I can add it to standard build image / kickstart

Then add something like:
sudoers_base ou=SUDOers,dc=example,dc=com

to /etc/ldap.conf and that should be it


Cheers,

Malcolm

 
Old 09-10-2008, 06:17 AM
"Kashif Ali"
 
Sudo and Ldap

I have a quick workaround currently: what you can do is create a local group and add the LDAP user to the local group. Sudo will accept the group, including its users.

Sudo will also accept a list of users from LDAP; it just doesn't acknowledge members for groups in FDS?




 
Old 09-10-2008, 08:33 AM
Jonathan Barber
 
Sudo and Ldap

On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> Redhat sudo doesn't support ldap, recompile it with ldap support and add
> the sudoers base to /etc/ldap.conf and it should work then, annoying!

I don't know about RHEL5, but centos 5.2 does:

[root@pirez ~]# rpm -q centos-release
centos-release-5-2.el5.centos
[root@pirez ~]# rpm -q sudo
sudo-1.6.8p12-12.el5
[root@pirez ~]# ldd $(type -p sudo) | grep ldap
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)

And I believe it's been present for all the 5.0 series.


--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

 
Old 09-10-2008, 08:53 AM
Jonathan Barber
 
Sudo and Ldap

On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> The problem I Will have is with superusers. They would be members of the dev
> group (so have all rights on dev env) but then I would be added to prodlogs
> etc... so they have restricted sudo on prod. However since there would only
> be one sudo file in ldap, sshd would let them logon to production server via
> prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to
particular hosts, which I think would achieve your aims.

See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution; it's
well worth developing your sudoers file with visudo for its syntax
checking before converting to ldif with the sudoers2ldif utility.
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

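A model of the host-scoped rules Jonathan suggests for the environments Kashif describes, rendered in the sudoRole form that sudoers2ldif produces for the sudoers_base Malcolm mentions: the dev group gets ALL on development hosts, prodlogs gets only less/cat/more on production hosts, so a developer in both groups gains nothing extra on production. This is an added example, not the thread's or sudo's own code; the hostnames, user names, command paths and base DN are assumed.

```python
"""Host-scoped sudo rules for the thread's layout, modelled as sudoRole
entries (the LDAP form sudoers2ldif produces): %dev gets ALL on dev hosts,
%prodlogs gets less/cat/more on prod hosts, so a developer in both groups
gets nothing extra on production.  Added example, not from the thread or
from sudo; hostnames, users, command paths and the base DN are assumed."""
import fnmatch

# Constructed policy.  Each dict is one sudoRole entry.
POLICY = [
    {"cn": "linuxops", "sudoUser": ["%linuxops"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "dev_full", "sudoUser": ["%dev"], "sudoHost": ["dev-*", "lt-*"],
     "sudoCommand": ["ALL"]},
    {"cn": "prodlogs_view", "sudoUser": ["%prodlogs"], "sudoHost": ["prod-*"],
     "sudoCommand": ["/usr/bin/less", "/bin/cat", "/bin/more"]},
]

# Constructed membership as sudo would resolve it (uid -> set of groups).
GROUPS = {"kashif": {"linuxops"}, "sue": {"dev", "prodlogs"}, "dan": {"dev"}}

def user_matches(spec, user, groups):
    """sudoUser: 'ALL', a login name, or '%group'."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user

def host_matches(spec, host):
    """sudoHost: 'ALL' or a hostname (shell-style wildcards allowed)."""
    return spec == "ALL" or fnmatch.fnmatchcase(host, spec)

def cmd_matches(spec, cmd):
    """sudoCommand: 'ALL', or a path with optional args; a bare path permits
    any arguments, while a path followed by args requires those exact args."""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = cmd.partition(" ")
    return spec_path == cmd_path and (spec_args == "" or spec_args == cmd_args)

def allowed(user, host, cmd, policy=POLICY, groups=GROUPS):
    """True if any sudoRole grants `user` running `cmd` on `host`."""
    g = groups.get(user, set())
    return any(
        any(user_matches(u, user, g) for u in role["sudoUser"])
        and any(host_matches(h, host) for h in role["sudoHost"])
        and any(cmd_matches(c, cmd) for c in role["sudoCommand"])
        for role in policy)

def to_ldif(policy=POLICY, base="ou=SUDOers,dc=example,dc=com"):
    """Render the policy as LDIF under the sudoers_base the thread names."""
    out = []
    for role in policy:
        out += [f"dn: cn={role['cn']},{base}", "objectClass: top",
                "objectClass: sudoRole", f"cn: {role['cn']}"]
        for attr in ("sudoUser", "sudoHost", "sudoCommand"):
            out += [f"{attr}: {v}" for v in role[attr]]
        out.append("")
    return "\n".join(out)
```

The model deliberately omits negated entries and sudo's last-match precedence, so it is a check of intended policy, not a substitute for testing with sudo -l on each host class.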
 
Old 09-10-2008, 09:03 AM
"Kashif Ali"
 
Sudo and Ldap

If I could get the correct info from getent group, which would show the group members, I am sure sudo would work. I am not sure what is involved in getting sudo into LDAP and then configuring it. Anyone have a link to a howto/wiki?


