
Re: sudoers in ldap?


On Fri, May 14, 2010 at 08:01:07PM +0200, Petter Reinholdtsen wrote:
> [Andreas B. Mundt]
> > I started now to define a cf rule to edit /etc/sudoers, but hit the
> > package sudo-ldap, which might be a better idea: No policy violating
> > editing of config files but just adding the information to our ldap
> > bootstrapping.
> How does it work?  Is it providing a global set of sudo rules in LDAP,
> or sudo rules per machine?  I suspect it is unlikely a school wants to
> set up sudo the same way on all machines, and thus am unsure if
> sudoers should be in LDAP.

It provides exactly the same options as a sudoers file. There is a
conversion script to translate your sudoers file into an LDIF file
which can be added to LDAP.

It looks like the following in gosa:
You can define a sudo role:

A Role contains:
  - users or groups this role applies to
  - allowed commands
  - machine(s) the role applies to
  - and the userID the commands are executed as

In addition, you can choose from a long list of options, so it looks
as if you can modify and define anything you can define in a standard
sudoers file.
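
The role fields listed above correspond to the sudoUser, sudoCommand, sudoHost and sudoRunAsUser attributes of the sudoRole object class used by sudo's LDAP support, so a rule can be limited to specific machines. The sketch below is an added example, not part of the original message and not the conversion script it mentions; it handles one simple sudoers line form only, and the role names, group, host names and base DN are constructed.

```python
import re

# Simplified: handles only  WHO HOSTS = [(RUNAS)] [NOPASSWD:] CMD[, CMD...]
# No aliases, line continuations, runas groups, or commas inside arguments.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$"
)

# Constructed sample values (not from the original message).
BASE_DN = "ou=SUDOers,dc=example,dc=com"
SAMPLE = ("%teachers lab-pc01, lab-pc02 = (root) NOPASSWD: "
          "/usr/sbin/service cups restart, /usr/sbin/lpadmin")


def _items(text):
    """Split a comma-separated sudoers list into stripped, non-empty items."""
    return [p.strip() for p in (text or "").split(",") if p.strip()]


def sudoers_to_ldif(line, name, base_dn):
    """Render one simple sudoers user specification as a sudoRole LDIF entry."""
    m = SPEC.match(line.strip())
    if m is None or ":" in (m["runas"] or ""):
        raise ValueError(f"unsupported sudoers line: {line!r}")
    out = [
        f"dn: cn={name},{base_dn}",
        "objectClass: top",
        "objectClass: sudoRole",
        f"cn: {name}",
        f"sudoUser: {m['who']}",          # user, or %group
    ]
    # One sudoHost value per machine: this is what makes a role per-machine.
    out += [f"sudoHost: {h}" for h in _items(m["hosts"])]
    # Omitted when the sudoers line has no (runas); sudo then defaults to root.
    out += [f"sudoRunAsUser: {r}" for r in _items(m["runas"])]
    out += [f"sudoCommand: {c}" for c in _items(m["cmds"])]
    if m["nopasswd"]:
        # The NOPASSWD tag is expressed in LDAP as a negated option.
        out.append("sudoOption: !authenticate")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE, "printer-admin", BASE_DN))
```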


