Re: Sudo and Ldap


On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> I believe in CentOS 5.x and Red Hat they have LDAP support built in:
> 
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
> 
> I am not sure how to include the LDIF file in the directory server, and also,
> once it's included, how to manage the sudoers?
> 
> let me give you some more background on the environment:
> 
> we have the following environments:
> 
> Production
> Staging
> Test
> Load Testing
> Development
> 
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
> 
> we have three main categories of users
> 
> Linuxops = Linux Sys admins
> SuperUsers = Developers who have sudo rights (ALL) on dev/load test
> environments, but only for the less, cat, more commands for
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access
> development environment
> 
> 
> I am restricting access to each environment via the SSHD_CONFIG variable
> AllowGroups. I have the following groups
> 
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
> 
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you could log in to whichever environment and have
> the correct privileges.
> 
> The problem I will have is with superusers. They would be members of the dev
> group (so have all rights on the dev env) but then would be added to prodlogs
> etc., so they have restricted sudo on prod. However, since there would only
> be one sudo file in LDAP, sshd would let them log on to the production server via
> the prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to
particular hosts, which I think would achieve your aims.

See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution; it's
well worth developing your sudoers file with visudo for its syntax
checking before converting to LDIF with the sudoers2ldif utility.
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
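The following is an added example, not part of the thread, showing the Host_Alias approach the reply suggests applied to the groups and environments described in the question. It writes a sudoers policy to a file and syntax-checks it with `visudo -c -f` when visudo is installed. The host naming pattern (dev-*, lt-*, test-*, staging-*, prod-*) is an assumption made for the example; real hostnames or netgroups would replace it. The key point is that group membership alone never grants anything: each rule is bound to a Host_Alias, so a user who is in both dev and prodlogs gets ALL only on DEV hosts and the read-only viewing commands only on PROD hosts, regardless of which group sshd used to admit them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Generates a sudoers
# policy in which every grant is scoped by Host_Alias, so one policy file
# (and later one LDAP tree) can serve all environments safely.
# Hostname patterns below are constructed assumptions for the example.

write_sudoers() {
    out="$1"
    cat > "$out" <<'EOF'
# Host aliases, one per environment. Wildcards are matched against the
# local host name (set the "fqdn" Defaults option to match on the FQDN).
Host_Alias DEV     = dev-*
Host_Alias LT      = lt-*
Host_Alias TEST    = test-*
Host_Alias STAGING = staging-*
Host_Alias PROD    = prod-*

# Read-only log and config viewing, as described in the question.
Cmnd_Alias LOGVIEW = /usr/bin/less, /bin/cat, /bin/more

# Linux sys admins: everything, everywhere.
%linuxops ALL = (ALL) ALL

# Developers: full sudo, but only on development hosts. On a PROD host
# this rule never matches, so dev membership grants nothing there.
%dev DEV = (ALL) ALL

# SuperUsers: the question gives them ALL on dev/load test and only the
# viewing commands on test/staging/production. NOEXEC keeps less/more
# from launching a shell through their '!' escape while running as root.
%ltlogs     LT      = (ALL) ALL
%testlogs   TEST    = (root) NOEXEC: LOGVIEW
%staginglog STAGING = (root) NOEXEC: LOGVIEW
%prodlogs   PROD    = (root) NOEXEC: LOGVIEW
EOF
}

# Syntax-check the generated file with visudo when it is available.
# Returns 0 when visudo is not installed so the script stays portable.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        return 0
    fi
}

# Stand-alone demo: write the policy to a temp file and check it.
demo_file=$(mktemp)
write_sudoers "$demo_file"
if check_sudoers "$demo_file"; then
    echo "sudoers written to $demo_file and passed the visudo check"
else
    echo "visudo reported a problem with $demo_file"
fi
```

Once the file passes visudo, it can be converted with the sudoers2ldif utility mentioned in the reply. Note that the LDAP sudoers schema has no alias concept, so the converter expands each Host_Alias into the sudoHost attributes of the resulting sudoRole entries; the per-host scoping survives the conversion, which is what keeps the dev group's ALL off the production servers.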
