If you want to understand how to integrate sudoers with the OpenLDAP server on Linux, this guide is all you need.
By integrating sudoers with the OpenLDAP server, you get centralized management of users and sudo privileges on the OpenLDAP server, which also makes client-side setup faster.
Steps to Integrate Sudoers with OpenLDAP Server
The following prerequisites must be met before you proceed: a server with the OpenLDAP server properly installed and configured, and a client machine with the OpenLDAP client and the SSSD service properly configured.
Import sudoers schema to OpenLDAP server
The first step is to import the sudoers schema to the OpenLDAP server. For this purpose, we will use the LDIF file and the ldapadd utility.
Copy the default sudoers schema for LDAP
As the first step, log in to the OpenLDAP server. Then, copy the default sudoers schema for LDAP that ships with the sudo package. Type the following command in your terminal:
$sudo cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema
Create a new LDIF file
Use your favorite editor to create a new LDIF file. The following command will suffice:
$sudo nano /etc/openldap/schema/sudo.ldif
In the opened file, enter the following information:
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
Save the file and exit the nano editor.
Change the ownership of LDIF file
Finally, change the ownership of the LDIF file. Enter the following command on the Terminal:
$sudo chown ldap:ldap /etc/openldap/schema/sudo.ldif
Add sudoers LDAP schema to OpenLDAP server
We will add the sudoers LDAP schema to the OpenLDAP server. For this purpose, we will use the ldapadd command as follows:
$sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif
The previous command adds the new schema entry cn=sudo to the OpenLDAP server. It registers the sudoRole object class, which is what lets OpenLDAP users who are granted a sudo rule execute the sudo command on LDAP-joined machines. ldapadd should also report that the entry cn=sudo,cn=schema,cn=config was added.
In the next step, we will set up an organizational unit for sudoers.
Create an organizational unit for sudoer
With the sudoers LDAP schema in place, we will now create an organizational unit, or 'ou', called sudo. The sudo rules stored in this organizational unit will determine which users can execute the sudo command.
Edit sudoers.ldif file
Open the sudoers.ldif file with your favorite editor as follows:
$sudo nano sudoers.ldif
Now, add the lines below to the opened file:
# sudoers.ldif
dn: ou=sudo,dc=hwdomain,dc=lan
objectClass: organizationalUnit
objectClass: top
ou: sudo
description: Default ou for SUDO
When you are done, save the file and close the editor.
Add the sudoers to the OpenLDAP server
Using the ldapadd command, we will add the sudoers to the OpenLDAP server. Type the following command on the Terminal:
$sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f sudoers.ldif
ldapadd will prompt for the Manager password and should then report that the entry ou=sudo,dc=hwdomain,dc=lan was added.
Verifying that ou is set to sudo
We will use the ldapsearch command to verify the value of ou with sudo on the OpenLDAP server. For this purpose, we will use the following command:
$sudo ldapsearch -x -b "dc=hwdomain,dc=lan" ou=sudo
The output should list the ou=sudo entry you just created, with its objectClass and description attributes.
Default sudoers configuration
Create the default sudoers configuration file and enter the following information:
# sudoconf.ldif
dn: cn=defaults,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
#sudoOrder: 1
Add the default sudoers configuration to the OpenLDAP server as follows:
$sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f sudoconf.ldif
Adding OpenLDAP users to sudo
In this portion, we will add OpenLDAP users to ou=sudo.
Creating and editing adduser_sudo.ldif file
Using your favorite editor, create adduser_sudo.ldif and enter the following information:
# adduser_sudo.ldif
dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: rocky
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: rocky
Close the editor. If the user does not exist yet, you can create the account, its group, and its sudo rule in one file. Note that LDIF requires a blank line between entries:
# adduser.ldif
dn: uid=rocky,ou=People,dc=hwdomain,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: rocky
sn: temp
userPassword: {SSHA}cDG5NuQd+rYn6rWh1r5UnysUOwJlt1uk
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/rocky
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: cn=rocky,ou=Group,dc=hwdomain,dc=lan
objectClass: posixGroup
cn: rocky
gidNumber: 2000
memberUid: rocky

dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: rocky
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: rocky
Applying changes
Apply the changes to the LDAP server by running the following command:
$sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f adduser_sudo.ldif
Now, perform the verification as follows:
$sudo ldapsearch -x -b "ou=sudo,dc=hwdomain,dc=lan"
Summing up, we have added the user rocky to the organizational unit ou=sudo, which allows this user to execute the sudo command on client machines.
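A way to review what the entries under ou=sudo actually grant, as an added example that is not part of the original article: it parses LDIF such as the output of the ldapsearch above (saved with -LLL) and flags every sudoRole whose sudoCommand, sudoHost or sudoRunAsUser is ALL. The sample LDIF is constructed; the cn=webops role is a hypothetical, narrowly scoped rule for contrast.

```python
# Constructed sample mirroring the article's cn=rocky role plus a scoped
# role; not real directory data. The folded line shows LDIF continuation.
SAMPLE_LDIF = """\
dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
cn: rocky
sudoUser: rocky
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL

dn: cn=webops,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
cn: webops
sudoUser: %webops
sudoHost: web01
sudoCommand: /usr/bin/systemctl
  restart nginx
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; skips comments, joins folded lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:      # folded line: append to previous
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        else:                                  # blank line ends an entry
            entry = {}
            for line in lines:
                if not line.startswith("#"):
                    attr, _, val = line.partition(":")
                    entry.setdefault(attr, []).append(val.strip())
            if entry:
                entries.append(entry)
            lines = []
    return entries

def audit_sudo_roles(text):
    """Map each sudoRole cn to the over-broad ALL grants worth reviewing."""
    checks = [("sudoCommand", "any command"), ("sudoHost", "every client"),
              ("sudoRunAsUser", "any target user")]
    report = {}
    for e in parse_ldif(text):
        if "sudoRole" in e.get("objectClass", []):
            report[e["cn"][0]] = [f"{attr}=ALL allows {why}" for attr, why
                                  in checks if "ALL" in e.get(attr, [])]
    return report
```

Feed it `ldapsearch -x -LLL -b "ou=sudo,dc=hwdomain,dc=lan"` output to spot roles that are effectively unrestricted root.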
Setting up the client
Follow the steps below to set up the nsswitch.conf and SSSD configurations on the client machine.
Editing nsswitch.conf file
Open /etc/nsswitch.conf and add the following line so that sudo consults SSSD after the local sudoers file:
sudoers: files sss
Save the file and close the editor.
Editing sssd.conf file
Now, change the '/etc/sssd/sssd.conf' file as follows. The sudo search base is set with ldap_sudo_search_base (sudoers_base is the equivalent key in sudo's own ldap.conf, not an sssd.conf option), and sudo must be listed under services:
[domain/default]
...
sudo_provider = ldap
ldap_sudo_search_base = ou=sudo,dc=hwdomain,dc=lan

[sssd]
services = nss, pam, autofs, sudo
domains = default

[nss]
homedir_substring = /home

[sudo]
Save the file and close the editor.
Restart SSSD service
Finally, restart the SSSD service as follows:
$sudo systemctl restart sssd
Verify the integration
Using the following command, log in to the client machine as the LDAP user (replace the placeholders with the user and client host):
$ssh <ldap-user>@<client-host>
You will be asked for the password. You should see a success message. Using the following command, verify the current user, gid, and uid:
id
whoami
To verify the sudoer integration, use the command below:
sudo su
Run the following command. You should see that the current user is root:
id
whoami
In this article, we tackled how to integrate sudoers with the OpenLDAP server. This allows OpenLDAP users to execute the sudo command on the client machine, and you can add more users to run the sudo command on the client machine in the same way. For more details, consult the official OpenLDAP documentation.