http://pig.made-it.com/ldap-sudoers.html
https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
http://qiita.com/T_Tsan/items/5ea2563450ed2d2ee20f
http://edo.blog.jp/archives/1538669.html
服务端
yum -y install sudo
sudo-ldap方案
cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
生成sudo.ldif
echo 'include /etc/openldap/schema/sudo.schema' > /tmp/sudo.conf
mkdir /tmp/sudo
slaptest -f /tmp/sudo.conf -F /tmp/sudo
# vim /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif
替换
dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo
为
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
删除
structuralObjectClass: olcSchemaConfig
entryUUID: bd975dc0-1654-1036-9c97-c37d6a498779
creatorsName: cn=config
createTimestamp: 20160924034303Z
entryCSN: 20160924034303.121340Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160924034303Z
cp /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif /etc/openldap/schema/sudo.ldif
sudo功能生效
vim /etc/openldap/slapd.conf
添加
include /etc/openldap/schema/sudo.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd
sudoer权限
sudoer.ldif
dn: ou=sudoer,dc=suntv,dc=tv
ou: sudoer
objectClass: top
objectClass: organizationalUnit
dn: cn=default,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOption: logfile = /var/log/sudo
sudoOption: %g01, %g02 !requiretty
dn: cn=%g01,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g01
sudoUser: %g01
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/su*
sudoCommand: !/usr/bin/vim /etc/sudoers*
sudoCommand: !/bin/vi /etc/sudoers*
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/usr/sbin/adduser*
sudoCommand: !/usr/sbin/useradd*
sudoCommand: !/usr/sbin/userdel*
sudoCommand: !/usr/sbin/groupadd*
sudoCommand: !/usr/sbin/groupdel*
sudoCommand: !/bin/sh
sudoCommand: !/bin/bash
sudoCommand: !/usr/bin/login
# g01组用户禁用su,禁用变更sudo权限,禁用用户组的操作
dn: cn=%g02,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g02
sudoUser: %g02
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/su*
# g02组用户禁用'sudo su',
#
ldapdelete -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv ou=sudoer,dc=suntv,dc=tv -r
ldapadd -H ldaps:/// -W -x -D cn=manager,dc=suntv,dc=tv -f sudoer.ldif
客户端
/etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo, ssh # add
config_file_version = 2
domains = ldap
[domain/ldap]
debug_level = 9
cache_credentials = True
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = # add
ldap_uri = ldaps://master.local,ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_sudo_search_base = ou=Sudoer,dc=suntv,dc=tv # add
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
entry_cache_timeout = 600
ldap_network_timeout = 2
[nss]
homedir_substring = /home
entry_negative_timeout = 20
entry_cache_nowait_percentage = 50
filter_users = root
filter_groups = root
[pam]
[sudo]
[autofs]
[ssh]
[pac]
/etc/nsswitch.conf
sudoers: file sss
禁用su
vim /etc/pam.d/su
去除以下行的注释
auth required pam_wheel.so use_uid
测试
u01
id
uid=1001(u01) gid=2001(g01) groups=2001(g01)
sudo -l
Matching Defaults entries for u01 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User u01 may run the following commands on this host:
(ALL) NOPASSWD: ALL, !/bin/su*, !/usr/bin/vim /etc/sudoers*, !/bin/vi /etc/sudoers*, !/usr/sbin/visudo, !/usr/sbin/adduser*, !/usr/sbin/useradd*, !/usr/sbin/userdel*, !/usr/sbin/groupadd*,
!/usr/sbin/groupdel*, !/bin/sh, !/bin/bash, !/usr/bin/login
u04
id
uid=1004(u04) gid=2002(g02) groups=2002(g02)
sudo -l
Matching Defaults entries for u04 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User u04 may run the following commands on this host:
(ALL) NOPASSWD: ALL, !/bin/su*