How to Integrate Sudoers with OpenLDAP Server in Linux


If you want to understand how to integrate sudoer with the OpenLDAP server in Linux, this guide is all you need.

By integrating sudoers with the OpenLDAP server, you get centralized management of users and sudo privileges on the OpenLDAP server, which also makes setting up client machines faster.

Steps to Integrate Sudoers with OpenLDAP Server

The following prerequisites must be in place before you proceed: a server with the OpenLDAP server installed and properly configured, and a client machine with the OpenLDAP client and the SSSD service properly configured.

Import sudoers schema to OpenLDAP server

The first step is to import the sudoers schema to the OpenLDAP server. For this purpose, we will use the LDIF file and the ldapadd utility. 

Copy the default sudoers schema for LDAP

As the first step, log in to the OpenLDAP server. Then, copy the default sudoers schema for LDAP. Type the following command on your Terminal:

$ sudo cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema

Create a new LDIF file

Use your favorite editor to create a new LDIF file. The following command will suffice:

$ sudo nano /etc/openldap/schema/sudo.ldif

In the opened file, enter the following information:

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )

Save the file and exit the nano editor.

Change the ownership of LDIF file

Finally, change the ownership of the LDIF file. Enter the following command on the Terminal:

$ sudo chown ldap:ldap /etc/openldap/schema/sudo.ldif

Add sudoers LDAP schema to OpenLDAP server

We will add the sudoers LDAP schema to the OpenLDAP server. For this purpose, we will use the ldapadd command as follows:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif

This command adds the new schema entry cn=sudo to the OpenLDAP server's cn=config database. It is this schema that lets the directory hold sudoRole entries, which is what allows OpenLDAP users to execute the sudo command on LDAP machines. ldapadd should confirm the addition with a line reading adding new entry "cn=sudo,cn=schema,cn=config".

In the next step, we will set up an organizational unit for sudoers.

Create an organizational unit for sudoer

With the sudoers LDAP schema in place, we will now create an organizational unit ('ou') called sudo. Users whose sudo rules are placed within this organizational unit will be allowed to execute the sudo command.

Edit sudoers.ldif file

Create the sudoers.ldif file with your favorite editor as follows:

$ sudo nano sudoers.ldif

Now, add the lines below to the opened file:

# sudoers.ldif
dn: ou=sudo,dc=hwdomain,dc=lan
objectClass: organizationalUnit
objectClass: top
ou: sudo
description: Default ou for SUDO

When you are done, save the file and close the editor. 

Add the sudoers to the OpenLDAP server

Using the ldapadd command, we will add the sudoers to the OpenLDAP server. Type the following command on the Terminal:

$ sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f sudoers.ldif

After you enter the Manager password, ldapadd should confirm the addition with a line reading adding new entry "ou=sudo,dc=hwdomain,dc=lan".


Verifying that ou=sudo exists

We will use the ldapsearch command to verify that the ou=sudo entry now exists on the OpenLDAP server. For this purpose, we will use the following command:

$ sudo ldapsearch -x -b "dc=hwdomain,dc=lan" ou=sudo

The output should list the entry ou=sudo,dc=hwdomain,dc=lan with the objectClass and description attributes entered above.

Default sudoers configuration

Create the default sudoers configuration file, sudoconf.ldif, and enter the following information:

# sudoconf.ldif
dn: cn=defaults,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
#sudoOrder: 1

Add the default sudoers configuration to the OpenLDAP server as follows:

$ sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f sudoconf.ldif

Adding OpenLDAP users to sudo

In this portion, we will add an OpenLDAP user to ou=sudo by creating a sudoRole entry for it.

Creating and editing adduser_sudo.ldif file

Using your favorite editor, create adduser_sudo.ldif and enter the following information:

# adduser_sudo.ldif
dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: rocky
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: rocky

Save the file and close the editor. If the user does not exist yet, you can create the account, its group and its sudo role in one go with the following file (it contains the same cn=rocky sudo role as adduser_sudo.ldif, so load one file or the other, not both):

# adduser.ldif
dn: uid=rocky,ou=People,dc=hwdomain,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: rocky
sn: temp
userPassword: {SSHA}cDG5NuQd+rYn6rWh1r5UnysUOwJlt1uk
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/rocky
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

dn: cn=rocky,ou=Group,dc=hwdomain,dc=lan
objectClass: posixGroup
cn: rocky
gidNumber: 2000
memberUid: rocky

dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
objectClass: top
cn: rocky
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: rocky

Applying changes

Apply the changes to the LDAP server by running the following command:

$ sudo ldapadd -x -D cn=Manager,dc=hwdomain,dc=lan -W -f adduser_sudo.ldif

Now, perform the verification as follows:

$ sudo ldapsearch -x -b "ou=sudo,dc=hwdomain,dc=lan"

To sum up, we have added a sudoRole entry for the user rocky to the organizational unit ou=sudo, which allows that user to execute the sudo command on client machines.
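Two things in the LDIF files of this section are easy to get wrong and make ldapadd reject the file: every record must begin with a dn: line, and consecutive entries in one file must be separated by a blank line. The script below is an added example and not part of the original article. It parses LDIF the way ldapadd reads it (blank-line separated records, folded continuation lines, comments) and reports those two mistakes; it then reviews sudoRole entries such as the ones the ldapsearch above returns, flagging rules that grant sudoCommand ALL on sudoHost ALL, apply to sudoUser ALL, or carry !authenticate. The sample records are constructed here: the cn=webops role, its command and its host name are invented to show a narrow rule that is not flagged.

```python
"""Sanity-check LDIF before ldapadd, then review the sudoRole entries it defines."""
from typing import Dict, List, Tuple

Record = Dict[str, List[str]]  # lower-cased attribute name -> list of values

def parse_ldif(text: str) -> Tuple[List[Record], List[str]]:
    """Split LDIF into records and report structural problems (RFC 2849 rules: a blank
    line ends a record, a leading space folds a line, '#' is a comment, one 'dn:')."""
    records: List[Record] = []
    problems: List[str] = []
    block: List[str] = []

    def flush() -> None:
        if not block:
            return
        rec: Record = {}
        for line in block:
            name, sep, value = line.partition(":")
            if not sep:
                problems.append(f"line without ':' separator: {line!r}")
                continue
            rec.setdefault(name.strip().lower(), []).append(value.strip())
        if block[0].partition(":")[0].strip().lower() != "dn":
            problems.append(f"record does not start with 'dn:' (first line {block[0]!r})")
        if len(rec.get("dn", [])) > 1:
            problems.append(f"{len(rec['dn'])} dn lines in one record: a blank line must "
                            f"separate entries (first dn {rec['dn'][0]!r})")
        records.append(rec)
        block.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue  # comment line
        if not raw.strip():
            flush()  # blank line closes the current record
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]  # folded continuation of the previous value
        else:
            block.append(raw)
    flush()
    return records, problems

def audit_sudo_roles(records: List[Record]) -> List[str]:
    """Flag sudoRole entries that grant broad privilege; cn=defaults is skipped."""
    findings: List[str] = []
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "sudorole" not in classes or rec.get("cn") == ["defaults"]:
            continue
        dn = rec.get("dn", ["<no dn>"])[0]
        users, hosts = rec.get("sudouser", []), rec.get("sudohost", [])
        cmds, opts = rec.get("sudocommand", []), rec.get("sudooption", [])
        if "ALL" in cmds and "ALL" in hosts:
            findings.append(f"{dn}: sudoCommand ALL on sudoHost ALL (full root on every client)")
        if "ALL" in users:
            findings.append(f"{dn}: sudoUser ALL (rule applies to every account)")
        if "!authenticate" in opts:
            findings.append(f"{dn}: !authenticate (no password prompt)")
    return findings

# Constructed sample: the page's cn=defaults and cn=rocky roles plus an invented narrow role.
SAMPLE_ROLES = """\
dn: cn=defaults,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
cn: defaults

dn: cn=rocky,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
cn: rocky
sudoCommand: ALL
sudoHost: ALL
sudoUser: rocky

dn: cn=webops,ou=sudo,dc=hwdomain,dc=lan
objectClass: sudoRole
cn: webops
sudoCommand: /usr/bin/systemctl restart nginx
sudoHost: web01
sudoUser: %webops
"""

# Constructed sample with two LDIF mistakes: 'n:' instead of 'dn:', and two entries run together.
SAMPLE_BROKEN = """\
n: cn=sudo,cn=schema,cn=config
cn: sudo

dn: uid=rocky,ou=People,dc=hwdomain,dc=lan
cn: rocky
dn: cn=rocky,ou=Group,dc=hwdomain,dc=lan
cn: rocky
"""

if __name__ == "__main__":
    roles, problems = parse_ldif(SAMPLE_ROLES)
    print("structure problems:", problems or "none")
    print("findings:", audit_sudo_roles(roles))
    print("broken LDIF:", parse_ldif(SAMPLE_BROKEN)[1])
```

To review the live directory instead of the embedded sample, feed parse_ldif the output of ldapsearch run with -LLL, which prints plain LDIF without comments or version lines. A sudoHost of ALL combined with sudoCommand ALL is exactly what the rocky role above grants; it is convenient for a first test, but for production roles a practitioner would expect specific hosts or commands, so the audit reports it.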

Setting up the client

Follow the steps below to set up the nsswitch.conf and sssd configurations on the client machine.

Editing nsswitch.conf file

Open /etc/nsswitch.conf and add the following line, so that sudo consults the local sudoers file first and then SSSD:

sudoers: files sss

Save the file and close the editor.

Editing sssd.conf file

Now, change the '/etc/sssd/sssd.conf' file as follows (the sudo search base is the sssd option ldap_sudo_search_base and, like every other option, needs an '='):

[domain/default]
....
ldap_sudo_search_base = ou=sudo,dc=hwdomain,dc=lan
sudo_provider = ldap
[sssd]
services = nss, pam, autofs, sudo
domains = default
[nss]
homedir_substring = /home
[sudo]

Save the file and close the editor.
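Before restarting the service it is worth checking that sssd.conf really carries the three settings the sudo lookup depends on, because SSSD does not tell you at restart time that a rule base is missing; sudo simply finds no rules. The script below is an added example, not from the article. It reads an sssd.conf with Python's configparser and reports a services list without sudo, a domain that is not enabled, a missing sudo_provider = ldap, a missing ldap_sudo_search_base, and any option whose name contains whitespace, which is how a line written without its '=' comes out of the parser. The sample configuration is constructed from the fragment above; the ldap_uri host name and the id_provider and ldap_search_base lines are assumptions added so that the file is complete.

```python
"""Check that an sssd.conf actually wires sudo to LDAP before restarting sssd."""
import configparser
from typing import List

def check_sssd_conf(text: str, domain: str = "default") -> List[str]:
    """Return the problems found; an empty list means the sudo settings are complete."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems: List[str] = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("[sssd] services does not include sudo")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    if domain not in domains:
        problems.append(f"[sssd] domains does not list {domain}")
    sec = f"domain/{domain}"
    if not cp.has_section(sec):
        return problems + [f"missing [{sec}] section"]
    for key in cp.options(sec):
        # 'sudoers_base ou=sudo,...' parses as an option named 'sudoers_base ou'
        if any(ch.isspace() for ch in key):
            problems.append(f"[{sec}] malformed option {key!r}: the '=' is missing")
    if cp.get(sec, "sudo_provider", fallback="") != "ldap":
        problems.append(f"[{sec}] sudo_provider is not set to ldap")
    if not cp.get(sec, "ldap_sudo_search_base", fallback=""):
        problems.append(f"[{sec}] ldap_sudo_search_base is not set")
    return problems

# Constructed sample following the article's fragment; the ldap_uri host name and the
# id_provider and ldap_search_base lines are assumptions that make the file complete.
SSSD_AS_WRITTEN = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.hwdomain.lan
ldap_search_base = dc=hwdomain,dc=lan
sudoers_base ou=sudo,dc=hwdomain,dc=lan
sudo_provider = ldap

[sssd]
services = nss, pam, autofs, sudo
domains = default

[nss]
homedir_substring = /home

[sudo]
"""

# The same file with the sudo search base given as the sssd option it has to be.
SSSD_FIXED = SSSD_AS_WRITTEN.replace(
    "sudoers_base ou=sudo,dc=hwdomain,dc=lan",
    "ldap_sudo_search_base = ou=sudo,dc=hwdomain,dc=lan",
)

if __name__ == "__main__":
    for label, conf in (("as written", SSSD_AS_WRITTEN), ("fixed", SSSD_FIXED)):
        print(label + ":", check_sssd_conf(conf) or ["ok"])
```

SSSD also refuses to start when sssd.conf is not owned by root with mode 0600, so check the file's permissions together with its contents. Once the service is up, running sudo -l as the LDAP user on the client lists the rules it actually received from the directory.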

Restart SSSD service

Finally, restart the SSSD service as follows:

$ sudo systemctl restart sssd

Verify the integration

Using the following command, log in to the client machine as the LDAP user:

$ ssh [email protected]

You will be asked for the password; after a successful login, verify the current user, uid and gid with the following commands:

id
whoami

To verify the sudoer integration, switch to root with the command below:

sudo su

Run the following commands again. You should see that the current user is now root:

id
whoami

In this article, we tackled how to integrate sudoers with the OpenLDAP server. This allows OpenLDAP users to execute the sudo command on the client machine, and more users can be granted sudo in the same way. For more details, consult the official OpenLDAP documentation.
