Cool Solution - Setup sudo with ldap on multiserver environments

From Univention Wiki

UCS Version 4.2 / UCC Version 3.0

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions repository are built by Univention but are not maintained. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your Univention contact person before implementing any of the steps shown.

Also regard the legal notes at Terms of Service.

Introduction

A useful way to administer (and audit the administration of) your servers is to delegate authority via sudo. However, across a large number of systems the sudoers configuration file can be hard to keep synchronized. Fortunately, sudo can be built with LDAP support so that the configuration is distributed centrally, and as the sudo LDAP readme says: "By using LDAP for sudoers we gain a centrally administered, globally available configuration source for sudo".

The administration of UCS deployments using LDAP-based sudoers is now available through the packages described below.

For more on the benefits of sudo and sudo LDAP, please see the sudo intro and the sudoers LDAP manual.

Installation on UCS DC Master / DC Backup

After including the "cool solutions" repository, enable the unmaintained repository to make sudo-ldap available:

ucr set repository/online/unmaintained=yes

Install the following package containing the UDM integration on the UCS DC Master and every DC Backup:

univention-install univention-sudo-ldap

Make sure that all join scripts have been executed (e.g. via the UMC "Domain join" module).

Installation on UCS systems

After including the "cool solutions" repository, enable the unmaintained repository to make sudo-ldap available:

ucr set repository/online/unmaintained=yes

Install the following package on all systems that should apply the "sudo" rules defined in UDM:

univention-install univention-sudo-ldap-host

It's recommended to use the UCS software distribution functionality to make sure the package is installed on new systems, too.

Delegating authority via UMC/UDM

Now you can define rules on the DC Master, either via the web interface (UMC) or via the command-line interface (UDM).

These are the supported entries:

  • Rules have a name and a description
  • Users can be login names or groups
  • Individual hostnames can be added to hosts
  • It's recommended to use the full path of the executable in the command entry

UMC

The Univention Management Console (UMC) can be used to create, edit and delete sudo LDAP rules.

Once you have logged in to UMC, open the LDAP directory module and navigate to the container example.com -> univention -> sudo-ldap (cn=sudo-ldap,cn=univention,dc=example,dc=com).

"Add LDAP Object" can be used to create new sudo rules, as shown in the screenshot below.

Modifying a sudo rule in UMC (UCS 4.2)

UDM

The command-line interface Univention Directory Manager (UDM) can now be used to add rules to the sudo-ldap container (cn=sudo-ldap,cn=univention,dc=example,dc=com):

udm sudo/rule create \
--position "cn=sudo-ldap,cn=univention,$(ucr get ldap/base)" \
--set name="Package Management" \
--set description="Package handling with apt-get" \
--set hosts="server1.example.com" \
--set users="mmueller" \
--set command="/usr/bin/apt-get"

The rule can later be modified with:

udm sudo/rule modify \
--dn "cn=Package Management,cn=sudo-ldap,cn=univention,$(ucr get ldap/base)" \
--append users="cschmidt" \
--append hosts="backup"

To show the content of the rule:

udm sudo/rule list \
--dn "cn=Package Management,cn=sudo-ldap,cn=univention,$(ucr get ldap/base)"

The output looks like this:

---
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: /usr/bin/apt-get
 users: mmueller
 users: cschmidt
 hosts: server1.example.com
 hosts: backup
 name: Package Management
 description: Package handling with apt-get
---
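The following shell script is an added example and not part of the Univention article or the univention-sudo-ldap package. It wraps the udm sudo/rule create call shown above in a check that enforces the recommendations from the list above (a non-empty host and user list, and an absolute path in the command entry), and it parses the udm sudo/rule list output format shown above into one line per rule so that all rules can be audited at a glance. The function names, the DRY_RUN variable and the sample list output with its second and third rule are assumptions made for this example; the fallback LDAP base dc=example,dc=com is only used when ucr is not available.

```shell
#!/bin/sh
# Added example, not code from the Univention article: helpers for creating
# sudo/rule objects with udm and for auditing "udm sudo/rule list" output.
# Assumes the udm CLI and the sudo/rule module (univention-sudo-ldap) on the
# DC Master. DRY_RUN=1 (the default here) only prints the udm command.
DRY_RUN=${DRY_RUN:-1}
SUDO_LDAP_POSITION="cn=sudo-ldap,cn=univention,$(ucr get ldap/base 2>/dev/null || echo dc=example,dc=com)"

# validate_rule NAME HOSTS USERS COMMAND
# Returns 0 if the rule is acceptable, 1 otherwise. Refuses empty host or
# user lists and enforces an absolute path for the command entry.
validate_rule() {
    name=$1; hosts=$2; users=$3; cmd=$4
    [ -n "$name" ] || { echo "rule name is empty" >&2; return 1; }
    [ -n "$hosts" ] || { echo "rule '$name': hosts is empty" >&2; return 1; }
    [ -n "$users" ] || { echo "rule '$name': users is empty" >&2; return 1; }
    case $cmd in
        /*) ;;
        *) echo "rule '$name': command '$cmd' is not an absolute path" >&2; return 1 ;;
    esac
    return 0
}

# create_rule NAME DESCRIPTION HOSTS USERS COMMAND
# Validates the rule, then runs udm sudo/rule create (or prints the
# invocation when DRY_RUN=1).
create_rule() {
    validate_rule "$1" "$3" "$4" "$5" || return 1
    set -- udm sudo/rule create --position "$SUDO_LDAP_POSITION" \
        --set name="$1" --set description="$2" --set hosts="$3" \
        --set users="$4" --set command="$5"
    if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# summarize_rules < udm-list-output
# Parses "udm sudo/rule list" output (one "DN:" block per rule, attributes
# indented by one space, multi-valued attributes repeated) and prints one
# line per rule: name<TAB>hosts<TAB>users<TAB>command, values joined by ','.
summarize_rules() {
    awk '
        function flush() { if (name != "") printf "%s\t%s\t%s\t%s\n", name, hosts, users, cmd }
        function add(v, x) { return (v == "") ? x : v "," x }
        /^DN: /       { flush(); name = ""; hosts = ""; users = ""; cmd = "" }
        /^ name: /    { name = substr($0, 8) }
        /^ hosts: /   { hosts = add(hosts, substr($0, 9)) }
        /^ users: /   { users = add(users, substr($0, 9)) }
        /^ command: / { cmd = add(cmd, substr($0, 11)) }
        END { flush() }
    '
}

# audit_rules < udm-list-output
# Prints the names of rules with at least one command that is not an
# absolute path (the case the article recommends avoiding).
audit_rules() {
    summarize_rules | awk -F '\t' '
        { n = split($4, c, ","); for (i = 1; i <= n; i++) if (c[i] !~ /^\//) { print $1; break } }
    '
}

# Constructed sample of "udm sudo/rule list" output (the first block matches
# the article; the other two rules are made up for this example).
SAMPLE_LIST_OUTPUT='---
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: /usr/bin/apt-get
 users: mmueller
 users: cschmidt
 hosts: server1.example.com
 hosts: backup
 name: Package Management
 description: Package handling with apt-get
---
DN: cn=Service Restart,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: /bin/systemctl
 users: jdoe
 hosts: server2.example.com
 name: Service Restart
 description: Restart services
---
DN: cn=Legacy Update,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: apt-get
 users: jdoe
 hosts: server2.example.com
 name: Legacy Update
 description: Relative command, should be fixed
---'

# Demonstration on the constructed input; udm is not invoked while DRY_RUN=1.
create_rule "Package Management" "Package handling with apt-get" \
    "server1.example.com" "mmueller" "/usr/bin/apt-get"
printf '%s\n' "$SAMPLE_LIST_OUTPUT" | summarize_rules
printf '%s\n' "$SAMPLE_LIST_OUTPUT" | audit_rules
```

On a DC Master the summary and audit functions can be fed from the real directory with `udm sudo/rule list | summarize_rules`; the summary is also a convenient artefact to keep alongside change tickets, since it records who may run what on which hosts in a single line per rule.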

Archive

There is an archived version of this article for UCS 3.1.
