Settings of sudoers with LDAP groups


Benjamin GUILLON

Dec 9, 2013, 7:35:56 AM
to rcdevs-t...@googlegroups.com
Hi,

I installed WebADM and OpenOTP to secure SSH connections on CentOS 6 servers. It works. I use the /etc/pam.d/sshd file and other files like /etc/ssh/sshd_config, /etc/nslcd.conf, /etc/nsswitch.conf, /etc/pam-ldap.conf.

Then I configured the /etc/sudoers file and the /etc/pam.d/sudo file to authorize my users to execute the "sudo su" command. It also works! But I have a lot of servers to configure and I don't want to have to modify those files for each new user on each server.

I would like to know if I can authorise an LDAP group to use the "sudo su" command, just as I authorise a single user in the /etc/sudoers file.

Benjamin

Administrators

Dec 10, 2013, 11:46:28 AM
to rcdevs-t...@googlegroups.com
There is a possibility:
In /etc/pam.d/sudo you can put a different client_id for each set of servers that requires a different access policy.

Then in WebADM you create some Client Policy objects (named with the same client_ids as used in PAM).
You can put restrictions in the client policies such as allowing an LDAP group of users, a location, work time, etc.

Look at WebADM Admin Guide for Client Policies.

Benjamin GUILLON

Dec 11, 2013, 4:10:41 AM
to rcdevs-t...@googlegroups.com
Hi,

I already do that, but I need to add each of my users to the /etc/sudoers file anyway. My question is: is there a way to configure just an LDAP group (and not each user) in /etc/sudoers?

Benjamin

Administrators

Dec 11, 2013, 4:58:49 AM
to rcdevs-t...@googlegroups.com
Yes, in WebADM you can set up UNIX groups (add the posixGroup extension to normal groups).
Then, through your PAM-LDAP, the LDAP groups become UNIX groups and you can use them anywhere in Linux (even in the sudoers).

Administrators

Dec 11, 2013, 5:02:20 AM
to rcdevs-t...@googlegroups.com
In the posix groups I think you will need to add user members with the Group Member UID attribute and not the Group Member attribute for Linux to understand the group members, because I am not sure PAM LDAP understands members given as LDAP DNs.
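Putting the two replies above together, here is an added example (not code from the thread, WebADM or RCDevs) that checks a group's LDIF for the posixGroup class and memberUid entries before emitting the matching `%group` sudoers rule; the group name, DNs and the `/bin/su` path are constructed assumptions.

```shell
#!/bin/sh
# Constructed LDIF for a group the way WebADM might export it once the
# posixGroup extension is added (group name, DNs and gid are assumptions).
GROUP_LDIF='dn: cn=ssh-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: ssh-admins
gidNumber: 10001
member: cn=alice,ou=users,dc=example,dc=com
member: cn=bob,ou=users,dc=example,dc=com
memberUid: alice
memberUid: bob'

# Print every value of one LDIF attribute, one per line.
ldif_attr() {
    printf '%s\n' "$1" | awk -F': ' -v a="$2" '$1 == a { print $2 }'
}

# Return 0 only when the group carries posixGroup AND lists members by
# memberUid, which is what nslcd needs to expose it as a UNIX group.
ldif_is_unix_group() {
    ldif_attr "$1" objectClass | grep -qx posixGroup || return 1
    [ -n "$(ldif_attr "$1" memberUid)" ]
}

# Emit the sudoers rule for a UNIX group: %group ALL=(ALL) <command list>.
sudoers_rule_for_group() {
    printf '%%%s ALL=(ALL) %s\n' "$1" "${2:-ALL}"
}

# Build a sudoers fragment from the LDIF, refusing groups nslcd cannot resolve.
sudoers_fragment_from_ldif() {
    ldif_is_unix_group "$1" || { echo "group is not a resolvable UNIX group" >&2; return 1; }
    sudoers_rule_for_group "$(ldif_attr "$1" cn)" "$2"
}

# Syntax-check a fragment with visudo when it is installed (rc 2 = no visudo).
check_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    visudo -cqf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Restrict the rule to su, as in the thread's "sudo su" case (path assumed).
frag=$(sudoers_fragment_from_ldif "$GROUP_LDIF" "/bin/su")
printf 'Generated rule: %s\n' "$frag"
check_fragment "$frag" && echo "visudo: parsed OK"
```

On a configured host, `getent group ssh-admins` should list the memberUid users before the rule is deployed; if it does not, sudo will never match the `%group` entry.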

Benjamin GUILLON

Dec 11, 2013, 10:07:35 AM
to rcdevs-t...@googlegroups.com

Well, I changed the LDAP schema and added the sudo.schema that I found in the sudoers.ldap man page.