Hi.
We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than maintaining it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/LDIF files to make the necessary changes to the sudo setup, and both seem less intuitive than simply editing the /etc/sudoers file.
I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.
Best regards,
Kenneth Holter
--
389 users mailing list
389-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
12-29-2009, 02:33 PM
Anne Cross
/etc/sudoers VS sudo-objects in directory server
We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure. I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.
-- juniper
----- Original Message -----
From: "Kenneth Holter" <kenneho.ndu@gmail.com>
To: fedora-directory-users@redhat.com
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
12-30-2009, 08:38 PM
/etc/sudoers VS sudo-objects in directory server
On Tue, 29 Dec 2009, Kenneth Holter wrote:
> We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than maintaining it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/LDIF files to make the necessary changes to the sudo setup, and both seem less intuitive than simply editing the /etc/sudoers file.
>
> I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.
I know I'm stating the obvious here, and feel the need to mention that
there's absolutely nothing directly RHDS or 389-related about your
question, but you did ask...
As with anything LDAP-related, you need to decide whether you want
centralization or the status quo. It seems you already know the benefits
to using LDAP (make changes in one place, replicate it everywhere) and
the drawbacks (it's not a simple matter of editing a sudoers file), as
well as the benefits of not using LDAP (flat, easy-to-read text files
and no learning curve or additional tools involved).
Personally, given more than one machine to administer, I'd go LDAP every
time, but I've been bitten too many times by inconsistencies, and I'm
familiar enough with doing it the LDAP way that it's no big deal to me.
I like being able to make one change in one place and know that it's
instantly taking effect on every box I want it to, without question,
every time. To me, consistency is a *huge* part of good security, and
that's easier to accomplish when you're changing one thing in one place,
rather than (in my case) changing one thing a few thousand places.
That's just my situation, though, and I'm sure yours is different. Given
that you already seem to know the pros and cons, it's really just a
matter of deciding what's important to you, and then making the
appropriate decision.
12-30-2009, 10:48 PM
Doug Chapman
/etc/sudoers VS sudo-objects in directory server
Not to digress too much off topic here, but I'm not sure about your comment on using groups; we've organized privileges into entries like this:
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
objectClass: top
cn: reporting_admin_on_sas
sudoHost: sasapp*.prod.foo.com
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse
Note that you can have N number of sudoCommand|sudoUser entries, so you can organize this CN around what the people in these groups need to do on this box.
One of my co-workers wrote a script that exports the sudo entries in the directory to /etc/sudoers to handle the case of legacy machines that are too old or broken to have native sudo LDAP lookups (of course they still need to be able to look up uids/gids in the directory for this to work).
On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across@itasoftware.com> wrote:
We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure. I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.
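Doug mentions a co-worker's script that exports the directory's sudo entries into /etc/sudoers for hosts that cannot do native sudo LDAP lookups. The following is an added example of that kind of converter; it is not the script from the thread and not part of 389/RHDS. It parses an LDIF dump of the kind `ldapsearch -x -LLL -b ou=sudoers,ou=foo,dc=com objectClass=sudoRole` would produce and renders each sudoRole as one sudoers rule, carrying the `%group` prefix over exactly as Doug's entry uses it. The sample LDIF, the second and third roles, and the hostnames are constructed for illustration; the attribute names (sudoUser, sudoHost, sudoCommand, sudoRunAsUser, sudoOption) are the standard sudoers LDAP schema. Roles missing a user, host or command are reported and skipped instead of being written out as a line visudo would reject.

```python
"""Render sudoRole entries from an LDIF dump as /etc/sudoers rules.

Added example, not the thread's script and not part of 389/RHDS. Assumes an
export such as `ldapsearch -x -LLL -b ou=sudoers,ou=foo,dc=com objectClass=sudoRole`
and the standard sudoers LDAP attribute names.
"""
import base64
import sys

# Constructed sample: the thread's role, a second role with run-as user and
# options, and a deliberately incomplete third role.
SAMPLE_LDIF = """\
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
objectClass: top
cn: reporting_admin_on_sas
sudoHost: sasapp*.prod.foo.com
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse

dn: cn=dba_restart_db,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
sudoHost: db01.prod.foo.com
sudoHost: db02.prod.foo.com
sudoUser: %dba
sudoRunAsUser: postgres
sudoOption: !authenticate
sudoOption: !requiretty
sudoCommand: /sbin/service postgresql restart

dn: cn=broken_role,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
sudoUser: %nobody
sudoHost: ALL
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per record; unfolds continuation
    lines and decodes base64 ("attr:: ...") values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # folded line continues previous
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:            # sentinel flushes last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(attr.strip(), []).append(value)
    return records

def role_to_sudoers(entry):
    """One sudoers rule for a sudoRole, or None when the role lacks a user,
    host or command (skipped rather than emitted as a line visudo rejects)."""
    users, hosts = entry.get("sudoUser", []), entry.get("sudoHost", [])
    cmds = entry.get("sudoCommand", [])
    if not (users and hosts and cmds):
        return None
    # sudoers grammar: User_List Host_List = (Runas_List) Tag: Cmnd_List
    rule = f"{', '.join(users)} {', '.join(hosts)} = "
    runas = entry.get("sudoRunAsUser", [])
    if runas:
        rule += f"({', '.join(runas)}) "
    if "!authenticate" in entry.get("sudoOption", []):
        rule += "NOPASSWD: "
    return rule + ", ".join(cmds)

def render_sudoers(ldif_text):
    """Return (sudoers text, DNs skipped as incomplete)."""
    out, skipped = ["# Generated from LDAP sudoRole entries; do not edit."], []
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        dn, rule = entry.get("dn", ["<no dn>"])[0], role_to_sudoers(entry)
        if rule is None:
            skipped.append(dn)
            continue
        # Only !authenticate becomes a tag; flag other options instead of
        # dropping them silently (they would need a Defaults line).
        extra = [o for o in entry.get("sudoOption", []) if o != "!authenticate"]
        out += [f"# {dn}"] + [f"# unmapped sudoOption: {o}" for o in extra]
        out.append(rule)
    return "\n".join(out) + "\n", skipped

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(render_sudoers(src)[0])
```

Run it with no arguments to see the constructed sample rendered, or pass the path of an ldapsearch LDIF dump. Whatever produces the file, validate the result with `visudo -c -f <file>` before it is copied into place or handed to a configuration-management tool, since a single syntax error in /etc/sudoers locks everyone out of sudo on that host.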
12-30-2009, 11:30 PM
/etc/sudoers VS sudo-objects in directory server
On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across itasoftware com> wrote:
> We're going to go with sudoers in ldap, not because I think it's
> better, but because it's somewhat more secure. I think the layout
> of how it's managed in ldap is much inferior (having to declare each
> group multiple times, and not being able to apply privileges to a
> *group*, is stupid) but it is at least someplace where I know the
> clever people can't get easy access to it, and if the sudoers file
> gets modified, I can have tripwire scream.
> -- juniper
It's most definitely *not* the case that you cannot use groups in LDAP
sudoers objects. I'm also not sure why you'd need to declare groups
multiple times, or what "groups" means in this context, but it sounds
like you may just be doing things the hard way.
12-31-2009, 03:31 PM
Anne Cross
/etc/sudoers VS sudo-objects in directory server
As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after). Our goal was to not need to manage locally stored files; we might as well manage /etc/sudoers as /etc/group in that instance.
-- juniper
----- Original Message -----
From: "Doug Chapman" <prjctgeek@gmail.com>
To: "General discussion list for the 389 Directory server project." <fedora-directory-users@redhat.com>
Sent: Wednesday, December 30, 2009 6:48:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [389-users] /etc/sudoers VS sudo-objects in directory server
01-04-2010, 11:55 AM
Kenneth Holter
/etc/sudoers VS sudo-objects in directory server
Thanks for all the replies.
We're running Puppet to manage files on our Linux servers, so assuming that Puppet consistently distributes /etc/sudoers (we'll maintain only one copy of this file) to our Linux servers, we will in a way have a centralized setup of sudoers, much like using an LDAP. So to me, the main difference between the two approaches, as far as I can tell, is simply whether we store sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the /etc/sudoers approach, as long as we can ensure that Puppet will do its job.
Regards,
Kenneth
On Wed, Dec 30, 2009 at 10:38 PM, <patrick.morris@hp.com> wrote:
01-04-2010, 06:03 PM
/etc/sudoers VS sudo-objects in directory server
Hi Anne!
On Thu, 31 Dec 2009, Anne Cross wrote:
> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
>
> -- juniper
You understood incorrectly. You can use LDAP groups.
01-04-2010, 07:10 PM
Anne Cross
/etc/sudoers VS sudo-objects in directory server
>
> Hi Anne!
>
> On Thu, 31 Dec 2009, Anne Cross wrote:
>
>> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
>>
>
> You understood incorrectly. You can use LDAP groups.
Oh wow. You just made my day. Could I ask for an example of how you're defining it inside of a sudoers object? I'd *really* appreciate it. The last time I went digging through the documentation, I couldn't find any examples, and now "assume" is making an idiot out of me.
-- juniper
01-08-2010, 04:04 PM
"Morris, Patrick"
/etc/sudoers VS sudo-objects in directory server
Anne Cross wrote:
> > Hi Anne!
> >
> > On Thu, 31 Dec 2009, Anne Cross wrote:
> >> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
> >
> > You understood incorrectly. You can use LDAP groups.
>
> Oh wow. You just made my day. Could I ask for an example of how you're defining it inside of a sudoers object? I'd *really* appreciate it. The last time I went digging through the documentation, I couldn't find any examples, and now "assume" is making an idiot out of me.
You don't need to do anything special. Assuming your system is
configured to look in LDAP for groups, you just specify them by
preceding them with an @, just like local groups.