[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudoers in ldap?

[Andreas B. Mundt]
> A Role contains: 
>   -users or groups this role applies to
>   -allowed commands
>   -machine(s) the role applies to 
>   -and the userID the commands are executed as

How are machines the role applies to detected?  If it uses hostname,
it is unlikely to work on roaming machines, which might change
hostname when they move around.

I suspect we instead want to add sudo rules per machine (as in
/etc/sudoers) for some groups (like the admin group) and those allowed
to become root on a given machine.  This way we can control sudo
access via LDAP, but then using group membership.

Say something like this:

  +admin                    ALL=(ALL) ALL
  +host-<hostname>-admin    ALL=(ALL) ALL

This way the users listed as members of the admin and
host-<hostname>-admin netgroup are given sudo privileges on the given
machine.  Unfortunately, nscd do not cache netgroups, so it might be
better to use file groups instead, but then we can't use as long user
names and run into the problem with 16 group limit in the NFS

Happy hacking,
Petter Reinholdtsen

Reply to: