Sudo and Ldap

On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> I believe in CentOS 5.x and Red Hat they have LDAP support built in:
> 
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
> 
> I am not sure how to include ldif file in the directory server, and also
> once its included how to manage the sudoers?
> 
> Let me give you some more background on the environment:
> 
> we have the following environments:
> 
> Production
> Staging
> Test
> Load Testing
> Development
> 
> Each of the environments has a varying number of servers, ranging from 30
> and going up to 150+.
> 
> we have three main categories of users
> 
> Linuxops = Linux Sys admins
> SuperUsers = Developers who have sudo rights (ALL) on dev/load test
> environments, but only for less, cat, more, command for
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access
> development environment
> 
> 
> I am restricting access to each environment via the SSHD_CONFIG variable
> AllowGroups. I have the following groups:
> 
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
> 
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you could log in to whichever environment and have
> the correct privileges.
> 
> The problem I will have is with superusers. They would be members of the dev
> group (so have all rights on dev env) but then I would be added to prodlogs
> etc... so they have restricted sudo on prod. However since there would only
> be one sudo file in ldap, sshd would let them logon to production server via
> prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to
particular hosts, which I think would achieve your aims. 

See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution. It's
well worth developing your sudoers file with visudo, for its syntax
checking, before converting it to LDIF with the sudoers2ldif utility.
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
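As an added illustration of the Host_Alias approach suggested above (this is not from the original thread, and the hostname patterns such as prod-*, dev-* are assumed; the original post names the environments but not the hosts), a sudoers fragment that expresses the three user categories and six groups from the question so that a user who is in both dev and prodlogs only gets the viewer commands on production:

```sudoers
# Hosts grouped by environment. Hostname patterns are assumptions; replace
# them with the real names or with netgroups. Host_Alias accepts shell-style
# wildcards, so one alias covers a whole environment.
Host_Alias PROD     = prod-*
Host_Alias STAGING  = staging-*
Host_Alias TEST     = test-*
Host_Alias LOADTEST = lt-*
Host_Alias DEV      = dev-*

# The only commands allowed on the restricted environments (log/config viewing).
Cmnd_Alias LOGVIEW = /usr/bin/less, /bin/more, /bin/cat

# Linuxops: full rights everywhere.
%linuxops ALL = (ALL) ALL

# dev: full rights, but only on development hosts. A superuser who is also in
# prodlogs matches this rule only when the host is in DEV.
%dev DEV = (ALL) ALL

# ltlogs: full rights on load test, as the question describes for SuperUsers.
%ltlogs LOADTEST = (ALL) ALL

# prodlogs / staginglog / testlogs: read-only viewers on their own environment.
# NOEXEC stops the pager from spawning further programs (less can run a shell).
%prodlogs   PROD    = (root) NOEXEC: LOGVIEW
%staginglog STAGING = (root) NOEXEC: LOGVIEW
%testlogs   TEST    = (root) NOEXEC: LOGVIEW
```

Because every rule names a host set, there is no "one sudo file gives everyone everything" problem: the dev rule simply never matches on a production host, regardless of which groups the user holds. Check the file before converting it with `visudo -c -f <file>`; in the sudo LDAP schema the host restriction survives as the sudoHost attribute of each sudoRole entry, and the NOEXEC tag as a sudoOption, rather than as a named alias.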
