Sudo with OpenDJ

Sudo on Ubuntu
Source: http://en.wikipedia.org/wiki/File:Sudo_on_Ubuntu.png, see license at http://www.sudo.ws/sudo/license.html

Using the same system set up according to Dave Koelmeyer’s instructions and my notes, I got sudo to work based on entries in OpenDJ. The first way is quick and dirty, the second longer bug cleaner.

Quick and Dirty

One quick and dirty way I found on Ubuntu to allow users with posixAccount objectclasses for their entries was to change a user’s gidNumber value to 27 (the sudo group in my Ubuntu 10.10 VM) or 119 (the admin group also allowed by default to sudo):

User mark is in group 119 admin, and can sudo. User bjensen is in group 1000, and so cannot sudo.

mark@ldapclient:~$ id
uid=1000(mark) gid=1000(mark) groups=1000(mark),4(adm),20(dialout),24(cdrom),46(plugdev),111(lpadmin),119(admin),122(sambashare)
mark@ldapclient:~$ sudo head /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification
mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
bjensen is not in the sudoers file.  This incident will be reported.

Go into the OpenDJ Control Panel, then click Manage Entries. Then search for user bjensen, change Babs’s gid to 27, and save your work. Returning to the LDAP client system command line, you see that Babs is now in the sudoers group.

bjensen@ldapclient:~$ id
uid=1076(bjensen) gid=1000(mark) groups=27(sudo),1000(mark)
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification
bjensen@ldapclient:~$

Trouble is, gidNumber is SINGLE-VALUE according to the schema. Maybe we do not want Babs only in the sudoers group.

So set bjensen’s gid back to 1000 through the OpenDJ Control Panel > Manage Entries.

Long and Cleaner

Step 1.

Install the sudo-ldap package.

The default sudo package has no ldap support.

On Ubuntu, you may have to set a root password before the package manager lets you remove sudo to install sudo-ldap.

mark@ldapclient:~$ sudo apt-get install sudo-ldap
[sudo] password for mark:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
You have asked that the sudo package be removed,
but no root password has been set.
Without sudo, you may not be able to gain administrative privileges.

If you would prefer to access the root account with su(1)
or by logging in directly,
you must set a root password with "sudo passwd".

If you have arranged other means to access the root account,
and you are sure this is what you want,
you may bypass this check by setting an environment variable
(export SUDO_FORCE_REMOVE=yes).

Refusing to remove sudo.
dpkg: error processing sudo (--remove):
 subprocess installed pre-removal script returned error exit status 1
Errors were encountered while processing:
 sudo
E: Sub-process /usr/bin/dpkg returned an error code (1)

This seems to be a known Ubuntu bug, https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/140467. The following workaround seems to have done the trick.

mark@ldapclient:~$ mkpasswd password
GjIcQ0DGpk0bI
mark@ldapclient:~$ sudo usermod -p GjIcQ0DGpk0bI root
mark@ldapclient:~$ sudo apt-get install sudo-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.35-22 linux-headers-2.6.35-22-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  sudo
The following NEW packages will be installed:
  sudo-ldap
0 upgraded, 1 newly installed, 1 to remove and 4 not upgraded.
Need to get 0B/336kB of archives.
After this operation, 41.0kB of additional disk space will be used.
Do you want to continue [Y/n]?
dpkg: sudo: dependency problems, but removing anyway as you requested:
 ubuntu-minimal depends on sudo.
 gksu depends on sudo.
(Reading database ... 170472 files and directories currently installed.)
Removing sudo ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Selecting previously deselected package sudo-ldap.
(Reading database ... 170447 files and directories currently installed.)
Unpacking sudo-ldap (from .../sudo-ldap_1.7.2p7-1ubuntu2.1_i386.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up sudo-ldap (1.7.2p7-1ubuntu2.1) ...
Installing new version of config file /etc/init.d/sudo ...

Step 2.

On the LDAP client system, make the configuration changes as described in the sudo-ldap doc.

You need to be a sudoer based on the rules in /etc/sudoers to edit these files on the LDAP client system.

In /etc/ldap.conf, add a line to specify the sudoers base DN.

sudoers_base ou=Special Users,dc=example,dc=com

In /etc/nsswitch.conf, add a line regarding sudoers.

sudoers:	ldap files

Edit /etc/sudo-ldap.conf to match the appropriate settings from /etc/ldap.conf.

BASE	dc=example,dc=com
SUDOERS_BASE	ou=Special\ Users,dc=example,dc=com
URI	ldap://10.0.2.2:1389

Step 3.

Copy the sudo schema, schema.iPlanet, to /path/to/OpenDJ/config/schema/99-sudo.ldif on the OpenDJ host.

mark@ldapclient:~$ scp /usr/share/doc/sudo-ldap/schema.iPlanet mark@opendj-host:/path/to/OpenDJ/config/schema/99-sudo.ldif

Step 4.

Get the entries to add to OpenDJ.

This example puts the sudoers under ou=Special Users,dc=example,dc=com.

mark@ldapclient:~$ export SUDOERS_BASE=ou=Special\ Users,dc=example,dc=com
mark@ldapclient:~$ sudo cat /etc/sudoers | perl /usr/share/doc/sudo-ldap/sudoers2ldif
[sudo] password for mark:
dn: cn=defaults,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

dn: cn=root,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%sudo,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%admin,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Step 5.

Put the LDIF from the previous step in a file that you can access from the host running OpenDJ, such as /path/to/sudoers.ldif.

Step 6.

Use the ldapmodify -a command to add the sudoers.

mark@opendj-host:/path/to$ ./OpenDJ/bin/ldapmodify -a -p 1389 -D "cn=Directory Manager" -w ecureuil -f sudoers.ldif
Processing ADD request for cn=defaults,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=defaults,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=root,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=root,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%sudo,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%sudo,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=%admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN cn=%admin,ou=Special Users,dc=example,dc=com

Step 7.

Using OpenDJ Control Panel > Manage Indexes, index sudoUser for equality searches.

Step 8.

Create a new entry under the sudoers base from LDIF.

dn: cn=bjensen,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: bjensen
sudoUser: bjensen
sudoHost: ALL
sudoCommand: ALL

Step 9.

Verify that sudo works for your new sudoer.

mark@ldapclient:~$ su - bjensen
Password:
bjensen@ldapclient:~$ sudo head /etc/sudoers
[sudo] password for bjensen:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

Voilà.

Advertisements

One thought on “Sudo with OpenDJ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s