Ubuntu 9.10 (Karmic Koala) SUDO-LDAP Walk-through
Table of Contents:
- Background
- Assumptions
- Server Configuration
- Client Configuration
- Reference
Background:
There are many threads and documents covering the initial setup of OpenLDAP with HDB on Ubuntu. However, none fully addresses enabling sudo access for users in a 100% LDAP environment (that is, users who have no local UNIX account at all). This walk-through is meant to fill that gap.
Assumptions:
- You have already installed OpenLDAP on Ubuntu Server 9.10
- Your current "Base" is "dc=example,dc=com"
- Your LDAP Administrator is "cn=admin,dc=example,dc=com"
- Your LDAP Server is listening on "127.0.0.1"
Server Configuration
1.) Install the sudo-ldap package
I. You will need to drop fully into root mode for this part (sudo -i). The sudo-ldap package replaces the stock sudo package, so sudo itself is unavailable for a moment during the install and you cannot rely on it to finish the job.
II. Turn off the sudo safety switch (the sudo package's removal script refuses to run unless this variable is set)
Code:
export SUDO_FORCE_REMOVE=yes
III. Get the package
Code:
apt-get install sudo-ldap
IV. Turn the sudo safety switch back on
Code:
export SUDO_FORCE_REMOVE=no
V. Drop back to user-land mode (exit the root shell)
2.) Prime LDAP to support sudo functions with the sudo schema
I. Create a directory to work out of (the rest of this walk-through uses ~/sudoWork)
II. Copy the sudo Schema into the LDAP schema repository
Code:
sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
III. Create a conversion file for the schema (no sudo needed: the file lives in your home directory, and a redirection after "sudo echo" is performed by your own unprivileged shell anyway)
Code:
echo "include /etc/ldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf
IV. Now run the "schema" to "LDIF" conversion with slapcat. The -F directory is a scratch location where slapcat writes its converted cn=config tree; the -s option selects only the sudo schema entry from it.
Code:
slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/cn\=sudo.ldif
V. Clean up the output file (it contains items that will break the existing database if not removed!)
Code:
vi ~/sudoWork/cn\=sudo.ldif
...and ensure the top of the file looks EXACTLY like this (slapcat writes "cn={0}sudo" in both the dn and the cn line; the "{0}" ordering prefix must go):
Code:
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
...and ensure the bottom of the file has ALL of the following removed:
NOTE: Your entryUUID, entryCSN and timestamp values will differ from these. That is OK, remove them all the same; they are operational attributes that only the server may set.
Code:
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
VI. Now load this schema into the LDAP server
Code:
ldapadd -x -D cn=admin,cn=config -W -f ~/sudoWork/cn\=sudo.ldif
SUPPORT: This is where stuff breaks a lot! The usual causes are the wrong cn=config credentials, a leftover "{0}" in the dn or cn line, or operational attributes still present at the bottom of the file.
You cannot move forward in this How-To unless Step 2 is complete! Reply to the thread for support help!
VII. Add an index for the sudoUser attribute
NOTE: The index is a property of the slapd database, not of the client file /etc/ldap.conf (writing "index sudoUser eq" there does nothing, and would corrupt the client configuration). On Karmic slapd is configured through cn=config, so the index is added as an olcDbIndex value on your database entry. The default database entry is olcDatabase={1}hdb,cn=config; confirm the name with an ldapsearch against cn=config before applying the change.
Code:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq
Save that as ~/sudoWork/sudoIndex.ldif and apply it with the same cn=config credentials used above:
Code:
ldapmodify -x -D cn=admin,cn=config -W -f ~/sudoWork/sudoIndex.ldif
VIII. Reload your LDAP for changes to take effect
Code:
sudo /etc/init.d/slapd restart
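The whole of Step 2 as one script, added here as an example and not part of the original post. The part that people get wrong by hand, the LDIF clean-up of step V, is a function that reads raw slapcat output on stdin and writes loadable LDIF on stdout, followed by a check that refuses to hand anything to ldapadd unless the header is exactly what the walk-through shows and no operational attribute is left. The constructed sample of slapcat output is abbreviated (real output carries many more olcAttributeTypes/olcObjectClasses lines). Two assumptions beyond the page: the scratch directory for slapcat is a fresh mktemp directory rather than /tmp/ itself (slapcat reuses an existing cn=config tree if it finds one there), and the live steps only run when RUN_SUDO_SCHEMA=1 is set, so the functions can be exercised on a machine without slapd.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates server step 2.
# Assumptions (not from the page): slapcat emits "cn={0}sudo" in the dn and
# cn lines; the operational attributes are the seven the walk-through lists;
# the live steps are gated on RUN_SUDO_SCHEMA=1.
set -eu

WORK="${HOME}/sudoWork"

# Rewrite raw slapcat output so ldapadd will accept it:
#  - drop the "{0}" ordering prefix from the dn and cn lines
#  - delete operational attributes, which only the server may set
clean_sudo_schema_ldif() {
    sed -e 's/^dn: cn={0}sudo,cn=schema,cn=config$/dn: cn=sudo,cn=schema,cn=config/' \
        -e 's/^cn: {0}sudo$/cn: sudo/' \
        -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d'
}

# Constructed sample of what slapcat emits for the converted schema
# (abbreviated: the real file has one line per attribute and object class).
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={0}sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
EOF
}

# Returns 0 when the LDIF on stdin is safe to hand to ldapadd: the first
# three lines are the header from step V and no operational attribute remains.
check_clean_ldif() {
    ldif=$(cat)
    [ "$(printf '%s\n' "$ldif" | sed -n '1p')" = "dn: cn=sudo,cn=schema,cn=config" ] || return 1
    [ "$(printf '%s\n' "$ldif" | sed -n '2p')" = "objectClass: olcSchemaConfig" ] || return 1
    [ "$(printf '%s\n' "$ldif" | sed -n '3p')" = "cn: sudo" ] || return 1
    printf '%s\n' "$ldif" | grep -q -e '^entryUUID:' -e '^entryCSN:' -e '^structuralObjectClass:' && return 1
    return 0
}

# Steps I to VI of the walk-through, end to end.
prepare_sudo_schema() {
    mkdir -p "$WORK"
    sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
    echo "include /etc/ldap/schema/sudo.schema" > "$WORK/sudoSchema.conf"
    scratch=$(mktemp -d)          # empty scratch dir for slapcat's cn=config tree
    slapcat -f "$WORK/sudoSchema.conf" -F "$scratch" -n0 -s "cn={0}sudo,cn=schema,cn=config" \
        | clean_sudo_schema_ldif > "$WORK/cn=sudo.ldif"
    check_clean_ldif < "$WORK/cn=sudo.ldif" \
        || { echo "clean-up failed, inspect $WORK/cn=sudo.ldif" >&2; return 1; }
    # Karmic protects cn=config with a rootDN password. If yours has none,
    # bind over the local socket instead:
    #   sudo ldapadd -Y EXTERNAL -H ldapi:/// -f "$WORK/cn=sudo.ldif"
    ldapadd -x -D cn=admin,cn=config -W -f "$WORK/cn=sudo.ldif"
}

if [ "${RUN_SUDO_SCHEMA:-0}" = "1" ]; then
    prepare_sudo_schema
fi
```

Run it with RUN_SUDO_SCHEMA=1 on the LDAP server; without that variable it only defines the functions, which is how the clean-up can be tried on a saved slapcat file first (`clean_sudo_schema_ldif < raw.ldif | check_clean_ldif && echo ok`).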
3.) Build and Deploy the SUDO LDAP Container
I. Create the file ~/sudoWork/sudoMaster.ldif ...
Code:
vi ~/sudoWork/sudoMaster.ldif
...and populate it with the following lines. Keep the entry to exactly these attributes: an organizationalUnit cannot carry extras such as serviceSearchDescriptor, and ldapadd rejects the whole entry with an object class violation if one is present. Clients find this container through the sudoers_base setting in their own configuration, not through anything stored in the directory.
Code:
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
II. Now convert your existing /etc/sudoers into sudoRole entries. The converter reads /etc/sudoers, which is readable only by root, so it runs under sudo; the environment variable is passed through env because sudo's env_reset would otherwise strip it. The redirection is performed by your own shell, so the output lands in your home directory rather than root's.
Code:
SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
Code:
export SUDOERS_BASE
WARNING: Take note of the double ">>" in the line, you do NOT want to accidentally blow out your file!
Code:
sudo env SUDOERS_BASE="$SUDOERS_BASE" perl /usr/share/doc/sudo-ldap/sudoers2ldif /etc/sudoers >> ~/sudoWork/sudoMaster.ldif
Read through the result before loading it: every rule from /etc/sudoers becomes a sudoRole entry, including any broad "ALL=(ALL) ALL" rules, and those are what LDAP users will be granted from now on.
III. Now let's load the container and the converted roles into LDAP
Code:
ldapadd -x -h 127.0.0.1 -D cn=admin,dc=example,dc=com -W -f ~/sudoWork/sudoMaster.ldif
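sudoers2ldif is a one-off conversion; once sudo reads the directory, new rules are written as sudoRole entries directly. The generator below is an added example (not from the original post or from the sudo project) that emits entries in that format under the ou=SUDOers container from step 3: a cn=defaults entry, the full-admin role that sudoers2ldif produces for "%admin ALL=(ALL) ALL", and a least-privilege role that lets a group restart Apache and read its logs on two hosts only. It also builds the search filter sudo-ldap sends for a user and the user's groups, which is the quickest way to see with ldapsearch which roles a given account would match. The attribute names come from the sudo schema loaded in step 2; the base DN is the walk-through's; the hosts (web1, web2), the group (webops), the user (alice) and the commands are made up. If sudoers2ldif already created cn=defaults, leave defaults_entry out of build_sudoers_ldif or ldapadd will report that the entry already exists.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates sudoRole LDIF.
# Assumptions (not from the page): hosts web1/web2, group webops, user alice
# and the two Apache commands are made-up sample data; the live steps are
# gated on RUN_SUDO_ROLES=1.
set -euf   # -f: no globbing, so wildcards in sudoCommand values survive

SUDOERS_BASE="${SUDOERS_BASE:-ou=SUDOers,dc=example,dc=com}"

# cn=defaults carries sudoers "Defaults" settings as sudoOption values.
defaults_entry() {
    printf 'dn: cn=defaults,%s\n' "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\ncn: defaults\n'
    printf 'description: Default sudoOption values\n'
    printf 'sudoOption: env_reset\n\n'
}

# sudo_role NAME "HOST ..." "USER ..." "CMD|CMD..." [RUNAS] [OPTION ...]
# Hosts and users are space-separated (groups carry a leading %, as in
# sudoers); commands are "|"-separated because they may contain spaces.
# An empty RUNAS omits sudoRunAsUser; anything after RUNAS becomes sudoOption.
sudo_role() {
    name=$1; hosts=$2; users=$3; commands=$4; runas=${5:-}
    shift 4; [ $# -eq 0 ] || shift      # what is left are the options
    printf 'dn: cn=%s,%s\n' "$name" "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\ncn: %s\n' "$name"
    for u in $users; do printf 'sudoUser: %s\n' "$u"; done
    for h in $hosts; do printf 'sudoHost: %s\n' "$h"; done
    old_ifs=$IFS; IFS='|'
    for c in $commands; do printf 'sudoCommand: %s\n' "$c"; done
    IFS=$old_ifs
    [ -z "$runas" ] || printf 'sudoRunAsUser: %s\n' "$runas"
    for o in "$@"; do printf 'sudoOption: %s\n' "$o"; done
    printf '\n'
}

# Two roles. The admin one is what sudoers2ldif produces for
# "%admin ALL=(ALL) ALL". The webops one is the shape most roles in a
# 100% LDAP environment should have: a compromised webops account can
# restart Apache, but cannot turn sudo into a root shell.
build_sudoers_ldif() {
    defaults_entry
    sudo_role admin ALL '%admin' ALL ALL
    sudo_role webops 'web1 web2' '%webops' \
        '/etc/init.d/apache2 restart|/usr/bin/tail /var/log/apache2/*' root
}

# The filter sudo-ldap sends for a user and the groups they belong to.
sudo_lookup_filter() {
    user=$1; groups=${2:-}
    f="(&(objectClass=sudoRole)(|(sudoUser=$user)"
    for g in $groups; do f="$f(sudoUser=%$g)"; done
    printf '%s\n' "$f(sudoUser=ALL)))"
}

# Load the roles, then show what an LDAP user in webops would match.
if [ "${RUN_SUDO_ROLES:-0}" = "1" ]; then
    build_sudoers_ldif > "$HOME/sudoWork/sudoRoles.ldif"
    ldapadd -x -h 127.0.0.1 -D cn=admin,dc=example,dc=com -W -f "$HOME/sudoWork/sudoRoles.ldif"
    ldapsearch -x -h 127.0.0.1 -b "$SUDOERS_BASE" \
        "$(sudo_lookup_filter alice webops)" cn sudoHost sudoCommand
fi
```

The ldapsearch at the end is worth keeping as a standing check: if it returns a role with "sudoCommand: ALL" for an account that is not supposed to be an administrator, that is the directory equivalent of a stray ALL line in /etc/sudoers.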
Client Configuration
1.) Install the LDAP client configuration
I. Get the libnss-ldap package
TIP! Have your LDAP IP, base DN, admin account and admin password handy before executing this command
Code:
sudo apt-get install libnss-ldap
...an ncurses-based setup screen will ask you for information about your LDAP setup
II. Enable LDAP support in the NSS configuration
Code:
sudo auth-client-config -t nss -p lac_ldap
III. Verify PAM-based LDAP support
Code:
sudo pam-auth-update
NOTE: Skip Step 2 for installation on the LDAP server as we already did this above!
2.) Install the sudo-ldap package
I. You will need to drop fully into root mode for this part (sudo -i), because the sudo-ldap package replaces the stock sudo package and sudo is unavailable while the swap happens.
II. Turn off the sudo safety switch (the sudo package's removal script refuses to run unless this variable is set)
Code:
export SUDO_FORCE_REMOVE=yes
III. Get the package
Code:
apt-get install sudo-ldap
IV. Turn the sudo safety switch back on
Code:
export SUDO_FORCE_REMOVE=no
V. Drop back to user-land mode (exit the root shell)
3.) Manually set up sudo redirection from /etc/sudoers to the LDAP directory
I. Add support for the sudo extensions in /etc/ldap.conf
WARNING: Take note of the "-a" (append) option to tee: without it the file is overwritten, and you do NOT want to blow out your configuration! A plain "sudo echo ... >> /etc/ldap.conf" does not work here, because the redirection is performed by your unprivileged shell, not by sudo, and fails with "Permission denied".
Code:
echo "sudoers_base ou=SUDOers,dc=example,dc=com" | sudo tee -a /etc/ldap.conf
II. Symbolically link sudo's LDAP config file to the main LDAP config file
NOTE: This is not obvious in ANY documentation I have reviewed; only support forums revealed it. sudo-ldap reads /etc/sudo-ldap.conf, and the package ships a stub at that path, so move the stub aside first or the link will not be created ("File exists"). Also remember that /etc/ldap.conf is world-readable and that sudo will now read it as root: keep only an anonymous or read-only bind in there, never a privileged bind password.
Code:
sudo ln -s /etc/ldap.conf /etc/sudo-ldap.conf
III. Add support for sudo / LDAP communication in the NS Switch configuration
WARNING: Take note of the "-a" (append) option to tee: without it you blow out /etc/nsswitch.conf and lose every other lookup on the machine!
Code:
echo "sudoers: ldap" | sudo tee -a /etc/nsswitch.conf
NOTE: With only "ldap" listed, /etc/sudoers is no longer consulted at all, which is the point of a 100% LDAP setup, but it also means nobody can sudo while the directory is unreachable. If you want the local file consulted after LDAP, use "sudoers: ldap files" instead; the sudoers.ldap manual in the references describes the exact lookup order.
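The three client edits of Step 3 as idempotent shell functions, plus the check to run afterwards. This is an added example and not part of the original post. The writes go through "sudo tee -a" (or "sudo cp" for the nsswitch line, which must replace any existing "sudoers:" entry rather than add a second one), the symlink step moves the packaged /etc/sudo-ldap.conf aside before linking, and check_sudo_ldap_client confirms what sudo will actually find: a readable config naming the right sudoers_base and an nsswitch.conf that routes sudoers lookups to ldap. File paths and the base DN are parameters so the functions can be tried on scratch copies; the AS_ROOT variable (an assumption of this example, defaulting to sudo) is the only thing that changes between a dry run on your own files and the real edit.

```shell
#!/bin/sh
# Added example, not code from the original post. Client step 3, idempotent.
# Assumptions (not from the page): AS_ROOT prefixes privileged commands and
# defaults to sudo (set AS_ROOT="" when editing files you own); the live run
# is gated on RUN_SUDO_LDAP_CLIENT=1.
set -eu

AS_ROOT="${AS_ROOT-sudo}"
SUDOERS_BASE="${SUDOERS_BASE:-ou=SUDOers,dc=example,dc=com}"

# Append LINE to FILE unless an identical line is already present. The write
# happens inside tee, which is what runs under sudo; "sudo echo >> file"
# would redirect in the caller's unprivileged shell and fail.
append_if_missing() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -Fxq -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" | $AS_ROOT tee -a "$file" > /dev/null
}

# Point sudo's config at the nss-ldap one. sudo-ldap ships its own
# sudo-ldap.conf, so move that aside instead of failing on "File exists".
link_sudo_ldap_conf() {
    target=$1; link=$2
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        $AS_ROOT mv "$link" "$link.dist"
    fi
    [ -L "$link" ] || $AS_ROOT ln -s "$target" "$link"
}

# Replace (or add) the "sudoers:" line of nsswitch.conf. "ldap" alone means
# /etc/sudoers is ignored entirely; "ldap files" consults the local file
# after LDAP (see sudoers.ldap(5) for the exact fallback rules).
set_nsswitch_sudoers() {
    file=$1; sources=$2
    tmp=$(mktemp)
    { grep -v '^sudoers:' "$file" || true; printf 'sudoers: %s\n' "$sources"; } > "$tmp"
    $AS_ROOT cp "$tmp" "$file"      # cp keeps the destination's mode and owner
    rm -f "$tmp"
}

# Verify the two things sudo-ldap needs on a client:
#  1. its config file resolves (the symlink step) and names sudoers_base
#  2. nsswitch.conf routes sudoers lookups to ldap
# Prints each problem found and returns non-zero if there were any.
check_sudo_ldap_client() {
    conf=$1; nss=$2; base=$3; rc=0
    if [ ! -r "$conf" ]; then
        echo "missing or unreadable: $conf (is the symlink in place?)"; rc=1
    elif ! grep -Eq "^sudoers_base[[:space:]]+$base\$" "$conf"; then
        echo "sudoers_base $base not set in $conf"; rc=1
    fi
    if ! grep -Eq '^sudoers:[[:space:]].*ldap' "$nss"; then
        echo "$nss does not list ldap for sudoers"; rc=1
    fi
    return $rc
}

configure_client() {
    append_if_missing /etc/ldap.conf "sudoers_base $SUDOERS_BASE"
    link_sudo_ldap_conf /etc/ldap.conf /etc/sudo-ldap.conf
    set_nsswitch_sudoers /etc/nsswitch.conf "ldap"
    check_sudo_ldap_client /etc/sudo-ldap.conf /etc/nsswitch.conf "$SUDOERS_BASE"
}

if [ "${RUN_SUDO_LDAP_CLIENT:-0}" = "1" ]; then
    configure_client
fi
```

After a real run, log in as an LDAP-only user and run `sudo -l`: it should list the roles that match the account, and nothing from the old /etc/sudoers.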
Reference
- OpenLDAP Server Installation Guide (official): https://help.ubuntu.com/9.10/serverg...ap-server.html
- HowTo: OpenLDAP and Karmic: http://ubuntuforums.org/showthread.php?t=1313472
- SUDO LDAP ReadMe File: http://www.gratisoft.us/sudo/readme_ldap.html
- SUDO LDAP Manual: http://www.gratisoft.us/sudo/man/sud..._nsswitch_conf