Page 1 of 2 (results 1 to 10 of 18)

Thread: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

  1. #1
    Join Date
    Mar 2010
    Location
    Silicon Valley
    Beans
    7
    Distro
    Ubuntu 9.10 Karmic Koala

    HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Ubuntu 9.10 (Karmic Koala) SUDO-LDAP Walk-through

    Table of Contents:
    Background
    Assumptions
    Server Configuration
    Client Configuration
    Reference

    Background:

    There are many threads and documentation regarding initial setup of OpenLDAP with HDB on Ubuntu. However, none fully addresses enabling SUDO access for users in a 100% LDAP environment (that is, no local UNIX account available). This walk-through should address this lack of documentation.

    Assumptions:

    1. You have already installed OpenLDAP for Ubuntu Server 9.10
    2. Your current "Base" is "dc=example,dc=com"
    3. Your LDAP Administrator is "cn=admin,dc=example,dc=com"
    4. Your LDAP Server is listening on "127.0.0.1"

    Server Configuration

    1.) Install sudo-ldap package
    I. You will need to drop fully into root mode for this part!
    Code:
    sudo su
    II. Turn off SUDO safety switch
    Code:
    export SUDO_FORCE_REMOVE=yes
    III. Get package
    Code:
    apt-get install sudo-ldap
    IV. Turn on SUDO Safety switch
    Code:
    export SUDO_FORCE_REMOVE=no
    V. Drop back to user-land mode
    Code:
    exit
    2.) Prime LDAP to support SUDO functions with the sudo.schema
    I. Create a directory to work out of
    Code:
    mkdir ~/sudoWork
    II. Copy the sudo Schema into the LDAP schema repository
    Code:
    sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
    III. Create a conversion file for schema
    Code:
    sudo echo "include /etc/ldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf
    IV. Now run the "Schema" to "LDIF" command slapcat
    Code:
    slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/cn\=sudo.ldif
    V. Clean up the output file (it will contain items that will break the existing database if not removed!)
    Code:
    vi ~/sudoWork/cn\=sudo.ldif
    ... And ensure the top of the file looks EXACTLY like this:
    Code:
    dn: cn=sudo,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: sudo
    ... And ensure the bottom of the file has ALL of the following removed:
    NOTE: Your timestamp lines will show a different time! This is OK!
    Code:
    structuralObjectClass: olcSchemaConfig
    entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
    creatorsName: cn=config
    createTimestamp: 20080826021140Z
    entryCSN: 20080826021140.791425Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20080826021140Z
    VI. Now load this schema into the LDAP server
    Code:
    ldapadd -x -D cn=admin,cn=config -W -f ~/sudoWork/cn\=sudo.ldif
    SUPPORT: This is where stuff breaks a lot! You cannot move forward in the How-To unless Step 2 is complete! Reply to the thread for support help!

    VII. Add Sudo Schema Index support
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your configuration file!
    Code:
    sudo sh -c 'echo "index    sudoUser    eq" >> /etc/ldap.conf'
    VIII. Reload your LDAP for changes to take effect
    Code:
    sudo /etc/init.d/slapd restart
    3.) Build and Deploy the SUDO LDAP Container
    I. Create the file ~/sudoWork/sudoMaster.ldif ...
    Code:
    vi ~/sudoWork/sudoMaster.ldif
    ...And populate it with the following lines:
    Code:
    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    serviceSearchDescriptor: sudoers: ou=sudoers,dc=example,dc=com
    II. Now convert your old /etc/sudoers configuration into LDAP modules
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    # LDIF needs a blank line between the ou=SUDOers entry and the entries appended next
    echo "" >> ~/sudoWork/sudoMaster.ldif
    # /etc/sudoers is readable only by root, so the converter runs under sudo;
    # the ">>" redirect still runs as your own user, so ~ is your own home directory
    sudo sh -c 'SUDOERS_BASE=ou=SUDOers,dc=example,dc=com perl /usr/share/doc/sudo-ldap/sudoers2ldif /etc/sudoers' >> ~/sudoWork/sudoMaster.ldif
    III. Now let's load the configuration into LDAP
    Code:
    ldapadd -f ~/sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=example,dc=com -W -x
    Client Configuration

    1.) Install LDAP Client Configuration
    I. Get LibNSS-LDAP package
    TIP! Have your LDAP IP, Base Name, Admin Account and Admin Password Handy before executing this command
    Code:
    sudo apt-get install libnss-ldap
    ...an ncurses-based setup screen will ask you for information about your LDAP setup
    II. Enable LDAP Support in PAM system
    Code:
    sudo auth-client-config -t nss -p lac_ldap
    III. Verify PAM based LDAP Support
    Code:
    sudo pam-auth-update

    NOTE: Skip Step 2 for installation on the LDAP server as we already did this above!

    2.) Install sudo-ldap package
    I. You will need to drop fully into root mode for this part!
    Code:
    sudo su
    II. Turn off SUDO safety switch
    Code:
    export SUDO_FORCE_REMOVE=yes
    III. Get package
    Code:
    apt-get install sudo-ldap
    IV. Turn on SUDO Safety switch
    Code:
    export SUDO_FORCE_REMOVE=no
    V. Drop back to user-land mode
    Code:
    exit
    3.) Manually set up sudo redirection from /etc/sudoers to the LDAP directory
    I. Add support for sudo extensions in /etc/ldap.conf
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    sudo sh -c 'echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/ldap.conf'
    II. Symbolically link Sudo Ldap Config file to main LDAP config file
    NOTE: This is not obvious in ANY documentation I have reviewed; only support forums revealed this
    Code:
    sudo ln -s /etc/ldap.conf /etc/sudo-ldap.conf
    III. Add support for sudo / ldap communication in NS Switch configuration
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    sudo sh -c 'echo "sudoers: ldap" >> /etc/nsswitch.conf'
    Reference

    OpenLDAP Server Installation Guide (official) https://help.ubuntu.com/9.10/serverg...ap-server.html

    HowTo: OpenLDAP and Karmic
    http://ubuntuforums.org/showthread.php?t=1313472

    SUDO LDAP ReadMe File
    http://www.gratisoft.us/sudo/readme_ldap.html

    SUDO LDAP Manual
    http://www.gratisoft.us/sudo/man/sud..._nsswitch_conf

    Can't get sudo to work with ldap
    http://ubuntuforums.org/showthread.php?t=803212

    sudo-ldap: should use alternative config file [patch]
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430826


    Last edited by hackajar; April 13th, 2010 at 08:52 PM. Reason: Grammar
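As an added example (not part of hackajar's post and not the sudo-ldap package's own sudoers2ldif), the following Python script covers the two places in the walk-through where a hand-edited LDIF is handed to ldapadd: it assembles a sudoMaster.ldif with the blank line that LDIF requires between the ou=SUDOers container and the sudoRole entries (step 3:I-II), using a small stand-in for sudoers2ldif, and it lints any LDIF, including the cn=sudo.ldif that slapcat produces in step 2:V, for leftover operational attributes, a missing entry separator, and attribute values listed twice. Assumptions: the attribute names sudoUser, sudoHost, sudoRunAsUser, sudoCommand and sudoOption from the sudo LDAP schema; the sample sudoers lines are constructed; the constructed container entry carries only the organizationalUnit attributes.

```python
import re

# Operational attributes that slapcat leaves in cn=sudo.ldif (step 2:V): ldapadd
# refuses them from a client, so the file must not contain them.
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
}


def parse_ldif(text):
    """Split LDIF into entries (lists of (attr, value) pairs). Entries are separated
    by blank lines; comments and 'version:' are skipped; folded lines are joined."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded + [""]:              # sentinel blank line closes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip():
            current.append(("?", line))       # malformed line; lint_ldif reports it
            continue
        if value.startswith(":"):             # 'attr:: base64' form; keep the raw text
            value = value[1:]
        current.append((attr.strip(), value.strip()))
    return entries


def lint_ldif(text):
    """Return a list of problems (empty = nothing obviously wrong): a missing blank
    line between entries, a value listed twice, leftover operational attributes."""
    problems = []
    for idx, entry in enumerate(parse_ldif(text), start=1):
        attr0, value0 = entry[0]
        label = f"entry {idx} ({value0})" if attr0.lower() == "dn" else f"entry {idx}"
        if attr0.lower() != "dn":
            problems.append(f"{label}: does not start with 'dn:'")
        seen = set()
        for attr, value in entry[1:]:
            key = (attr.lower(), value.lower())
            if attr == "?":
                problems.append(f"{label}: malformed line {value!r}")
            elif attr.lower() == "dn":
                problems.append(f"{label}: 'dn: {value}' inside the same entry; "
                                "insert a blank line before it")
            elif attr.lower() in OPERATIONAL_ATTRS:
                problems.append(f"{label}: remove operational attribute '{attr}'")
            elif key in seen:
                problems.append(f"{label}: '{attr}: {value}' given more than once")
            seen.add(key)
    return problems


SUDOERS_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def build_sudo_master(base, sudoers_text):
    """Assemble a sudoMaster.ldif: the ou=SUDOers container, then one sudoRole entry
    per sudoers rule, each separated by the blank line LDIF requires. This is a small
    stand-in for sudoers2ldif, not the real script; NOPASSWD: becomes !authenticate."""
    def entry(dn, attrs):
        return "\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs]) + "\n"
    role = [("objectClass", "top"), ("objectClass", "sudoRole")]
    options, roles = [], []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Defaults"):
            options += [o.strip() for o in line[8:].split(",") if o.strip()]
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue                              # blank lines, aliases, includes: skipped
        user, host, runas, cmds = m.groups()
        attrs = role + [("cn", user), ("sudoUser", user), ("sudoHost", host)]
        if runas:
            attrs.append(("sudoRunAsUser", runas))
        if cmds.startswith("NOPASSWD:"):
            attrs.append(("sudoOption", "!authenticate"))
            cmds = cmds[len("NOPASSWD:"):]
        attrs += [("sudoCommand", c.strip()) for c in cmds.split(",") if c.strip()]
        roles.append(entry(f"cn={user},ou=SUDOers,{base}", attrs))
    container = entry(f"ou=SUDOers,{base}", [("objectClass", "top"),
                      ("objectClass", "organizationalUnit"), ("ou", "SUDOers")])
    defaults = entry(f"cn=defaults,ou=SUDOers,{base}", role + [("cn", "defaults"),
                     ("description", "Default sudoOption's go here")]
                     + [("sudoOption", o) for o in options])
    return "\n".join([container, defaults] + roles)   # join = the blank separator line


if __name__ == "__main__":
    # Constructed sample sudoers lines, not taken from any real host.
    ldif = build_sudo_master("dc=example,dc=com",
                             "Defaults env_reset\nroot ALL=(ALL) ALL\n%admin ALL=(ALL) NOPASSWD: ALL\n")
    print(ldif)
    print("problems:", lint_ldif(ldif) or "none")
```

Running the script prints the assembled LDIF and "problems: none"; calling lint_ldif on the text of ~/sudoWork/cn\=sudo.ldif after step 2:V, or on sudoMaster.ldif before step 3:III, lists the exact line that would make ldapadd fail, so the "missing newline", "value provided more than once" and duplicate-attribute errors can be caught before the directory is touched.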

  2. #2
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Oh wow, great guide! Although I'm having a problem with step 3 of step 3. When I type in
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    (I deleted ~/ in every entry since it gave me problems) It gives me this result:
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x 
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 7, entry "ou=SUDOers,dc=prvi-dijak,dc=si"?)
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Type or value exists (20)
            additional info: objectClass: value #0 provided more than once
    Any ideas?


    Oh, and a few more issues I noticed:
    Problem 1: It said permission denied on:
    Code:
    sudo echo "index    sudoUser    eq" >> /etc/ldap.conf
    so I manually inserted the line (index sudoUser eq) at the end of the file.
    Problem 2: You have a typo in the "sudo /etc/init.d/sldap restart" command. It should be "sudo /etc/init.d/slapd restart" I assume (slapd instead of sldap).


    Great tutorial BTW!!!


    EDIT:

    My sudoMaster.ldif starts like this:
    Code:
    dn: ou=SUDOers,dc=prvi-dijak,dc=si
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    serviceSearchDescriptor: sudoers: ou=sudoers,dc=prvi-dijak,dc=si
    dn: cn=defaults,ou=SUDOers,dc=prvi-dijak,dc=si
    objectClass: top
    objectClass: sudoRole
    cn: defaults
    description: Default sudoOption's go here
    sudoOption: env_reset
    I'm guessing there's supposed to be a break somewhere there? Not after serviceSearchDescriptor, that gives a "attribute type undefined" error.
    Last edited by Squeazer; April 13th, 2010 at 08:41 PM.

  3. #3
    Join Date
    Mar 2010
    Location
    Silicon Valley
    Beans
    7
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Try the following:

    * Blow out (delete) SudoMaster file
    * Create same file again with steps, stopping before the perl command step.
    * Run THAT file into ldap (step 3 of 3)
    * Run perl command on NEW output file
    * Run THAT file into ldap (like in step 3 of 3).

    Hopefully this will fix your issue.

    P.S. since you already ran master file, you may get a notice that stuff is already added, you can ignore this message if it comes up.

  4. #4
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Still no go. I get this message:

    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    Enter LDAP Password:
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Undefined attribute type (17)
            additional info: serviceSearchDescriptor: attribute type undefined
    P.S. I am running the latest version of OpenLDAP - 2.4
    Last edited by Squeazer; April 13th, 2010 at 09:03 PM.

  5. #5
    Join Date
    Mar 2010
    Location
    Silicon Valley
    Beans
    7
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Ah-ha!

    Recheck that everything was done correctly in section 2:II-VI. This error is a result of the sudo schema not being correctly initialized on the server. It is VERY important that step 2:V is followed to a T.

  6. #6
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Hmm, will do. Could you just give me a command to delete the old schema from the LDAP server? When I try to add the new one it prints out:

    Code:
    ldapadd -x -D cn=admin,cn=config -W -f sudoWork/cn\=sudo.ldif
    Enter LDAP Password:
    adding new entry "cn=sudo,cn=schema,cn=config"
    ldap_add: Other (e.g., implementation specific) error (80)
            additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.15953.9.1.1"
    Or will ldapadd add the schema anyway?

  7. #7
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    OK, I manually deleted the schema, added it again (I was careful) and the same thing. When I try to add the file (just those 5 lines) I get the "attribute type undefined" error.

  8. #8
    Join Date
    Mar 2010
    Location
    Silicon Valley
    Beans
    7
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Try double-checking that all standard schemas are installed correctly:

    http://ubuntuforums.org/showthread.php?t=1313472

    Code:
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

  9. #9
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    yes, they all are, I followed that tutorial. These are the schemas I have installed:

    cn={0}core.ldif
    cn={1}cosine.ldif
    cn={2}inetorgperson.ldif
    cn={3}nis.ldif
    cn={4}sudo.ldif

    I also did this if it makes any difference: http://www.youtube.com/watch?v=kSCx3tzC0cA

  10. #10
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Well, I can manually create (and I did) the organisational unit in phpLDAPadmin but I see no way of adding the serviceSearchDescriptor attribute. Is there a way to do it?
    EDIT:
    LDAPsoft LDAP Admin Tool (Windows) doesn't list that attribute either, so perhaps I'm missing a schema for that? I'm really just getting started with LDAP and I'm kinda lost.
    Last edited by Squeazer; April 14th, 2010 at 05:31 PM.
