Using the same system set up according to Dave Koelmeyer’s instructions and my notes, I got sudo to work based on entries in OpenDJ. The first way is quick and dirty, the second longer but cleaner.
Quick and Dirty
One quick and dirty way I found on Ubuntu to let users whose entries have the posixAccount objectclass use sudo was to change a user’s gidNumber value to 27 (the sudo group in my Ubuntu 10.10 VM) or 119 (the admin group, also allowed to sudo by default):
User mark is in group 119 admin, and can sudo. User bjensen is in group 1000, and so cannot sudo.
mark@ldapclient:~$ id
uid=1000(mark) gid=1000(mark) groups=1000(mark),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare)
mark@ldapclient:~$ sudo head /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification
mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
bjensen is not in the sudoers file. This incident will be reported.
Go into the OpenDJ Control Panel, then click Manage Entries. Then search for user bjensen, change Babs’s gid to 27, and save your work. Returning to the LDAP client system command line, you see that Babs is now in the sudoers group.
bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=27(sudo),1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification
bjensen@ldapclient:~$
Trouble is, gidNumber is SINGLE-VALUE according to the schema, so changing it replaces Babs’s primary group rather than adding one. Maybe we do not want Babs only in the sudoers group.
So set bjensen’s gid back to 1000 through the OpenDJ Control Panel > Manage Entries.
Long and Cleaner
Step 1.
Install the sudo-ldap package.
The default sudo package has no LDAP support.
On Ubuntu, you may have to set a root password before the package manager lets you remove sudo to install sudo-ldap.
mark@ldapclient:~$ sudo apt-get install sudo-ldap
[sudo] password for mark:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
You have asked that the sudo package be removed,
but no root password has been set.
Without sudo, you may not be able to gain administrative privileges.

If you would prefer to access the root account with su(1) or by logging
in directly, you must set a root password with "sudo passwd".

If you have arranged other means to access the root account, and you are
sure this is what you want, you may bypass this check by setting an
environment variable (export SUDO_FORCE_REMOVE=yes).

Refusing to remove sudo.
dpkg: error processing sudo (--remove):
 subprocess installed pre-removal script returned error exit status 1
Errors were encountered while processing:
 sudo
E: Sub-process /usr/bin/dpkg returned an error code (1)
This seems to be a known Ubuntu bug, https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/140467. The following workaround seems to have done the trick.
mark@ldapclient:~$ mkpasswd password
GjIcQ0DGpk0bI
mark@ldapclient:~$ sudo usermod -p GjIcQ0DGpk0bI root
mark@ldapclient:~$ sudo apt-get install sudo-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Selecting previously deselected package sudo-ldap.
(Reading database ... 170447 files and directories currently installed.)
Unpacking sudo-ldap (from .../sudo-ldap_1.7.2p7-1ubuntu2.1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up sudo-ldap (1.7.2p7-1ubuntu2.1) ...
Installing new version of config file /etc/init.d/sudo ...
Step 2.
On the LDAP client system, make the configuration changes as described in the sudo-ldap doc.
You need to be a sudoer based on the rules in /etc/sudoers to edit these files on the LDAP client system.
In /etc/ldap.conf, add a line to specify the sudoers base DN.
sudoers_base ou=Special Users,dc=example,dc=com
In /etc/nsswitch.conf, add a line regarding sudoers.
sudoers: ldap files
Edit /etc/sudo-ldap.conf to match the appropriate settings from /etc/ldap.conf.
BASE dc=example,dc=com
SUDOERS_BASE ou=Special\ Users,dc=example,dc=com
URI ldap://10.0.2.2:1389
Step 3.
Copy the sudo schema, schema.iPlanet, to /path/to/OpenDJ/config/schema/99-sudo.ldif on the OpenDJ host.
mark@ldapclient:~$ scp /usr/share/doc/sudo-ldap/schema.iPlanet mark@opendj-host:/path/to/OpenDJ/config/schema/99-sudo.ldif
Step 4.
Get the entries to add to OpenDJ.
This example puts the sudoers under ou=Special Users,dc=example,dc=com.
mark@ldapclient:~$ export SUDOERS_BASE=ou=Special\ Users,dc=example,dc=com
mark@ldapclient:~$ sudo cat /etc/sudoers | perl /usr/share/doc/sudo-ldap/sudoers2ldif
[sudo] password for mark:
dn: cn=defaults,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

dn: cn=root,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%sudo,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%admin,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
Step 5.
Put the LDIF from the previous step in a file that you can access from the host running OpenDJ, such as /path/to/sudoers.ldif.
Step 6.
Use the ldapmodify -a command to add the sudoers.
mark@opendj-host:/path/to$ ./OpenDJ/bin/ldapmodify -a -p 1389 -D "cn=Directory Manager" -w ecureuil -f sudoers.ldif
Processing ADD request for cn=defaults,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=defaults,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=root,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=root,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%sudo,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%sudo,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%admin,ou=Special Users,dc=example,dc=com
Step 7.
Using OpenDJ Control Panel > Manage Indexes, index sudoUser for equality searches.
Step 8.
Create a new entry under the sudoers base from LDIF.
dn: cn=bjensen,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: bjensen
sudoUser: bjensen
sudoHost: ALL
sudoCommand: ALL
Step 9.
Verify that sudo works for your new sudoer.
mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification
Voilà.
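As an added example (not code from this page, and not the sudo-ldap sudoers2ldif script used in Step 4), the following Python converter turns simple user/host/runas/command sudoers lines into sudoRole LDIF entries under the page's sudoers base: it reproduces the Step 4 entries and, for a rule with no (runas) part, the Step 8 bjensen entry. The sample sudoers text is constructed; aliases, runas groups and tags are rejected rather than converted wrongly.

```python
import re

# Constructed sample input: the rules that produced the page's Step 4 output.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
%sudo   ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
SUDOERS_BASE = "ou=Special Users,dc=example,dc=com"  # same base as the page

# user host=(runas) cmd[,cmd...]; other forms (aliases, runas groups, tags) fail to match
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^):]+)\)\s*)?([^(].*)$")

def rdn_escape(value):  # escape RFC 4514 special characters in the cn= RDN
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def parse_sudoers(text):
    """Return (defaults, specs): sudoOption values and one dict per user spec."""
    defaults, specs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults += [o.strip() for o in line[len("Defaults"):].split(",") if o.strip()]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        user, host, runas, cmds = m.groups()
        specs.append({"user": user, "host": host, "runas": runas,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return defaults, specs

def to_ldif(defaults, specs, base=SUDOERS_BASE):
    """Render cn=defaults plus one sudoRole entry per spec as LDIF text."""
    head = ["objectClass: top", "objectClass: sudoRole"]
    entries = []
    if defaults:
        entries.append(["dn: cn=defaults,%s" % base] + head + ["cn: defaults"]
                       + ["sudoOption: %s" % o for o in defaults])
    for s in specs:
        e = ["dn: cn=%s,%s" % (rdn_escape(s["user"]), base)] + head + [
            "cn: %s" % s["user"], "sudoUser: %s" % s["user"], "sudoHost: %s" % s["host"]]
        if s["runas"]:  # omitted when sudoers gave no (runas), as in Step 8
            e.append("sudoRunAsUser: %s" % s["runas"])
        e += ["sudoCommand: %s" % c for c in s["commands"]]
        entries.append(e)
    return "\n\n".join("\n".join(e) for e in entries) + "\n"
```

Pipe the result into the same ldapmodify -a command as Step 6; every sudoUser it emits is a principal that gets the listed commands on the listed hosts, so review the output before loading it.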