Re: sudoers in ldap?
On Fri, May 14, 2010 at 08:01:07PM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > I started now to define a cf rule to edit /etc/sudoers, but hit the
> > package sudo-ldap, which might be a better idea: No policy-violating
> > editing of config files but just adding the information to our LDAP
> > bootstrapping.
> How does it work? Is it providing a global set of sudo rules in LDAP,
> or sudo rules per machine? I suspect it is unlikely a school wants to
> set up sudo the same way on all machines, and thus am unsure if
> sudoers should be in LDAP.

It provides exactly the same options as a sudoers file. There is a
conversion script to translate your sudoers file into an LDIF file
which can be added to LDAP.

It looks like the following in GOsa:

You can define a sudo role:
A role contains:
- users or groups this role applies to
- machine(s) the role applies to
- and the userID the commands are executed as

In addition, you can choose from a long list of options, so it looks
as if you can modify and define anything you can define in a standard