
Re: sudoers in ldap?

[Andreas B. Mundt]
> A Role contains: 
>   -users or groups this role applies to
>   -allowed commands
>   -machine(s) the role applies to 
>   -and the userID the commands are executed as

How are machines the role applies to detected?  If it uses hostname,
it is unlikely to work on roaming machines, which might change
hostname when they move around.

I suspect we instead want to add sudo rules per machine (as in
/etc/sudoers) for some groups (like the admin group) and those allowed
to become root on a given machine.  This way we can control sudo
access via LDAP, but then using group membership.

Say something like this:

  +admin                    ALL=(ALL) ALL
  +host-<hostname>-admin    ALL=(ALL) ALL

This way the users listed as members of the admin and
host-<hostname>-admin netgroup are given sudo privileges on the given
machine.  Unfortunately, nscd does not cache netgroups, so it might be
better to use file groups instead, but then we can't use as long user
names and run into the problem with the 16-group limit in the NFS
protocol.

Happy hacking,
-- 
Petter Reinholdtsen
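A small evaluator for the netgroup-based sudoers scheme sketched above, added here as an illustration and not code from the mail or from any Debian Edu package. It expands `+netgroup` user specs (nested netgroups included), substitutes the machine's hostname into the `host-<hostname>-admin` rule, and shows how the set of sudo-capable users changes when the hostname changes, which is the roaming-machine concern raised in the reply; it also counts /etc/group memberships to flag users over the 16-group limit that the NFS AUTH_SYS credential carries. The sudoers fragment, netgroup entries and group file are constructed; treating `<hostname>` as a per-machine substitution when the rule is installed, and counting only /etc/group memberships for the limit check, are assumptions of the example. Only the user field of each netgroup triple is matched, which is sudo's default for a User_List unless the `netgroup_tuple` option is set.

```python
"""Evaluate the netgroup-based sudoers scheme from the mail on a given host.

Added example; the sudoers fragment, netgroup data and group file below are
constructed for illustration, not taken from any real installation.
"""
import re

# Constructed sudoers template. "+name" in the user field names a netgroup.
# Assumption: "<hostname>" is substituted per machine when the rule is installed.
SUDOERS = """\
+admin                    ALL=(ALL) ALL
+host-<hostname>-admin    ALL=(ALL) ALL
"""

# Constructed /etc/netgroup-style data. A member is either a (host,user,domain)
# triple or the name of a nested netgroup.
NETGROUP = """\
admin              (,alice,) (,bob,)
ltsp01-ops         (,carol,)
host-ltsp01-admin  (,dave,) ltsp01-ops
"""

# Constructed /etc/group: alice is a member of 18 groups, bob of 4.
GROUP_FILE = "\n".join(
    f"proj{i}:x:{1000 + i}:alice{',bob' if i < 3 else ''}" for i in range(17)
) + "\nadmin:x:27:alice,bob\n"

TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")
RULE_RE = re.compile(r"(\S+)\s+(\S+?)=\((\S+?)\)\s+(.+)")


def parse_netgroups(text):
    """Map netgroup name -> list of members (triples or nested names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members = []
        for token in rest.split():
            m = TRIPLE_RE.fullmatch(token)
            members.append(tuple(p.strip() for p in m.groups()) if m else token)
        groups[name] = members
    return groups


def netgroup_users(groups, name, seen=None):
    """Flatten a netgroup to the user names it contains, following nested
    netgroups and stopping on cycles. Only the user field of a triple is used
    (sudo's default for User_Lists unless netgroup_tuple is set); triples with
    an empty user field name nobody in particular and are skipped."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users = set()
    for member in groups[name]:
        if isinstance(member, tuple):
            if member[1]:
                users.add(member[1])
        else:
            users |= netgroup_users(groups, member, seen)
    return users


def parse_sudoers(text):
    """Return (user_spec, host_list, runas, commands) for each plain rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if m:
                rules.append(m.groups())
    return rules


def sudo_users_on(hostname, sudoers_text=SUDOERS, netgroup_text=NETGROUP):
    """Users who get a sudo rule on `hostname`. Host_List is honoured only as
    ALL or an exact hostname; a renamed (roaming) machine simply stops
    matching its old host-<hostname>-admin netgroup."""
    groups = parse_netgroups(netgroup_text)
    rules = parse_sudoers(sudoers_text.replace("<hostname>", hostname))
    allowed = set()
    for user_spec, host_list, _runas, _cmds in rules:
        if host_list not in ("ALL", hostname):
            continue
        if user_spec.startswith("+"):
            allowed |= netgroup_users(groups, user_spec[1:])
        else:
            allowed.add(user_spec)
    return allowed


def users_over_nfs_group_limit(group_text, limit=16):
    """AUTH_SYS, the default NFS credential flavour, carries at most 16 gids,
    so a user in more groups than that silently loses access to files owned
    by the groups that fall off the list. Counts /etc/group memberships only
    (a simplification) and returns {user: count} for those over the limit."""
    counts = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        _name, _pw, _gid, members = line.split(":")
        for user in filter(None, members.split(",")):
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n > limit}


if __name__ == "__main__":
    for host in ("ltsp01", "ltsp02"):
        print(host, sorted(sudo_users_on(host)))
    print("over NFS group limit:", users_over_nfs_group_limit(GROUP_FILE))
```

Run as is, it reports that on `ltsp01` alice, bob, carol and dave may use sudo, while after a rename to `ltsp02` only the site-wide admin netgroup still matches, and that alice's 18 group memberships exceed what AUTH_SYS can carry.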
