{"id":4750,"date":"2019-12-12T23:20:16","date_gmt":"2019-12-12T20:20:16","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4750"},"modified":"2024-03-12T23:36:36","modified_gmt":"2024-03-12T20:36:36","slug":"how-to-configure-sudo-via-openldap-server","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-configure-sudo-via-openldap-server\/","title":{"rendered":"How to Configure SUDO via OpenLDAP Server"},"content":{"rendered":"\n<p>Well, in this guide, we are going to demonstrate how to configure SUDO via OpenLDAP Server. Apart from being able to provide sudo rights on a local system, <a aria-label=\"sudo&nbsp;can also be configured via LDAP (opens in a new tab)\" href=\"https:\/\/www.sudo.ws\/man\/1.8.17\/sudoers.ldap.man.html\" target=\"_blank\" rel=\"noreferrer noopener\">sudo&nbsp;can also be configured via LDAP<\/a>. Providing SUDO via OpenLDAP eliminates the need to give users sudo privileges via the local system sudoers file.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-sudo-via-open-ldap-server\">Configuring SUDO via OpenLDAP Server<\/a><ul><li><a href=\"#create-open-ldap-sud-oers-organization-unit-ou\">Create OpenLDAP SUDOers Organization Unit (ou)<\/a><\/li><li><a href=\"#create-defaults-entry-on-sud-oers-open-ldap-ou\">Create Defaults Entry on SUDOers OpenLDAP OU<\/a><\/li><li><a href=\"#convert-sudoers-file-to-ldap-ldif\">Convert sudoers file to LDAP LDIF<\/a><\/li><li><a href=\"#update-open-ldap-database\">Update OpenLDAP Database<\/a><\/li><li><a href=\"#configure-ldap-sudo-nopasswd\">Configure LDAP SUDO NOPASSWD<\/a><\/li><\/ul><\/li><li><a href=\"#configure-open-ldap-client-to-provide-sudo-rights\">Configure OpenLDAP Client to Provide SUDO rights<\/a><ul><li><a href=\"#enable-auto-create-users-home-directory\">Enable Auto Create User&#8217;s Home Directory<\/a><\/li><li><a href=\"#assigning-user-sudo-rights-on-specific-host\">Assigning 
User SUDO rights on Specific Host<\/a><\/li><li><a href=\"#testing-open-ldap-authentication-on-ubuntu-18-04\">Testing OpenLDAP Authentication on Ubuntu 18.04<\/a><\/li><li><a href=\"#verify-sudo-privileges\">Verify SU
DO Privileges<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-sudo-via-open-ldap-server\">Configuring SUDO via OpenLDAP Server<\/h2>\n\n\n\n<p>In order to configure SUDO via OpenLDAP server, you need to load the sudo schema (the <code>sudoRole<\/code> object class and its <code>sudo*<\/code> attributes) into OpenLDAP. We have addressed this in our previous guide on how to install and set up OpenLDAP on CentOS 8.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<p>Assuming that you have enabled OpenLDAP support for sudo as described in the guide above, proceed with the configuration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-sud-oers-organization-unit-ou\">Create OpenLDAP SUDOers Organization Unit (ou)<\/h3>\n\n\n\n<p>Before you can configure SUDO via OpenLDAP Server, you need to create a SUDOers organizational unit (ou) in your directory tree.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim sudoersou.ldif<\/code><\/pre>\n\n\n\n<p><em>Replace your domain components and description accordingly<\/em>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectclass: organizationalunit\nou: SUDOers\ndescription: Kifarunix-demo LDAP SUDO Entry<\/code><\/pre>\n\n\n\n<p>Update the OpenLDAP database with the SUDOers organizational unit entry above. The <code>-Y EXTERNAL -H ldapi:\/\/\/<\/code> options authenticate as the local root user over the ldapi socket, so run this as root on the LDAP server itself; if that identity has no write access to your database, bind as the directory admin instead with <code>-x -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f sudoersou.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-defaults-entry-on-sud-oers-open-ldap-ou\">Create 
Defaults Entry on SUDOers OpenLDAP OU<\/h3>\n\n\n\n<p>According to the <code>sudoers.ldap<\/code> man page, sudo first looks for the&nbsp;<code>cn=defaults<\/code>&nbsp;entry in the SUDOers OU. If found, the multi-valued&nbsp;<code>sudoOption<\/code>&nbsp;attribute is parsed in the same manner as a global&nbsp;<code>Defaults<\/code>&nbsp;line in&nbsp;<code>\/etc\/sudoers<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"convert-sudoers-file-to-ldap-ldif\">Convert sudoers file to LDAP LDIF<\/h3>\n\n\n\n<p>So how do you create the SUDOers defaults entry with all the necessary sudo attributes? The easiest way is to convert your local sudoers file, <code>\/etc\/sudoers<\/code>, into LDIF and then edit the result.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The sudo package (not OpenLDAP) ships with a Perl script, <code>sudoers2ldif<\/code>, that converts a sudoers file into an LDIF file.<\/li>\n\n\n\n<li>sudo 1.8.23 and later also ship <code>cvtsudoers<\/code>, which does the same job and is the maintained tool; prefer it where available.<\/li>\n<\/ul>\n\n\n\n<p>Locate the sudoers to LDIF Perl script.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>find \/ -iname sudoers2ldif<\/code><\/pre>\n\n\n\n<p>If you cannot find it, you can pull it from this <a rel=\"noreferrer noopener\" aria-label=\"Github repository (opens in a new tab)\" href=\"https:\/\/github.com\/lbt\/sudo\/blob\/master\/plugins\/sudoers\/sudoers2ldif\" target=\"_blank\">Github repository<\/a>. Note that this is a third-party mirror of the sudo source tree rather than the sudo project itself, so read the script before running it. Open the raw version of the file and download it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/raw.githubusercontent.com\/lbt\/sudo\/master\/plugins\/sudoers\/sudoers2ldif<\/code><\/pre>\n\n\n\n<p>The script looks like this;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>less sudoers2ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n#!\/usr\/bin\/env perl\n#\n# Copyright (c) 2007, 2010-2011, 2013 Todd C. 
Miller <Todd.Miller@courtesan.com>\n#\n# Permission to use, copy, modify, and distribute this software for any\n# purpose with or without fee is hereby granted, provided that the above\n# copyright notice and this permission notice appear in all copies.\n#\n# THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\n# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\n# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\n# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n#\nuse strict;\n#\n# Converts a sudoers file to LDIF format in prepration for loading into\n# the LDAP server.\n#\n# BUGS:\n#   Does not yet handle multiple lines with : in them\n#   Does not yet remove quotation marks from options\n#   Does not yet escape + at the beginning of a dn\n#   Does not yet handle line wraps correctly\n#   Does not yet handle multiple roles with same name (needs tiebreaker)\n#\n# CAVEATS:\n#   Sudoers entries can have multiple RunAs entries that override former ones,\n#\twith LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole\nmy %RA;\nmy %UA;\nmy %HA;\nmy %CA;\nmy $base=$ENV{SUDOERS_BASE} or die \"$0: Container SUDOERS_BASE undefined\\n\";\nmy @options=();\nmy $did_defaults=0;\nmy $order = 0;\n# parse sudoers one line at a time\nwhile (<>){\n  # remove comment\n  s\/#.*\/\/;\n  # line continuation\n  $_.=<> while s\/\\\\\\s*$\/\/s;\n  # cleanup newline\n  chomp;\n  # ignore blank lines\n  next if \/^\\s*$\/;\n  if (\/^Defaults\\s+\/i) {\n    my $opt=$';\n    $opt=~s\/\\s+$\/\/; # remove trailing whitespace\n    push @options,$opt;\n  } elsif (\/^(\\S+)\\s+([^=]+)=\\s*(.*)\/) {\n    # Aliases or Definitions\n    my ($p1,$p2,$p3)=($1,$2,$3);\n    $p2=~s\/\\s+$\/\/; # remove 
trailing whitespace\n    $p3=~s\/\\s+$\/\/; # remove trailing whitespace\n    if ($p1 eq \"User_Alias\") {\n      $UA{$p2}=$p3;\n    } elsif ($p1 eq \"Runas_Alias\") {\n      $RA{$p2}=$p3;\n    } elsif ($p1 eq \"Host_Alias\") {\n      $HA{$p2}=$p3;\n    } elsif ($p1 eq \"Cmnd_Alias\") {\n      $CA{$p2}=$p3;\n    } else {\n      if (!$did_defaults++){\n        # do this once\n        print \"dn: cn=defaults,$base\\n\";\n        print \"objectClass: top\\n\";\n        print \"objectClass: sudoRole\\n\";\n        print \"cn: defaults\\n\";\n        print \"description: Default sudoOption's go here\\n\";\n        print \"sudoOption: $_\\n\" foreach @options;\n        printf \"sudoOrder: %d\\n\", ++$order;\n        print \"\\n\";\n      }\n      # Definition\n      my @users=split \/\\s*,\\s*\/,$p1;\n      my @hosts=split \/\\s*,\\s*\/,$p2;\n      my @cmds= split \/\\s*,\\s*\/,$p3;\n      @options=();\n      print \"dn: cn=$users[0],$base\\n\";\n      print \"objectClass: top\\n\";\n      print \"objectClass: sudoRole\\n\";\n      print \"cn: $users[0]\\n\";\n      # will clobber options\n      print \"sudoUser: $_\\n\"   foreach expand(\\%UA,@users);\n      print \"sudoHost: $_\\n\"   foreach expand(\\%HA,@hosts);\n      foreach (@cmds) {\n\tif (s\/^\\(([^\\)]+)\\)\\s*\/\/) {\n\t  my @runas = split(\/:\\s*\/, $1);\n\t  if (defined($runas[0])) {\n\t    print \"sudoRunAsUser: $_\\n\" foreach expand(\\%RA, split(\/,\\s*\/, $runas[0]));\n\t  }\n\t  if (defined($runas[1])) {\n\t    print \"sudoRunAsGroup: $_\\n\" foreach expand(\\%RA, split(\/,\\s*\/, $runas[1]));\n\t  }\n\t}\n      }\n      print \"sudoCommand: $_\\n\" foreach expand(\\%CA,@cmds);\n      print \"sudoOption: $_\\n\" foreach @options;\n      printf \"sudoOrder: %d\\n\", ++$order;\n      print \"\\n\";\n    }\n  } else {\n    print \"parse error: $_\\n\";\n  }\n}\n#\n# recursively expand hash elements\nsub expand{\n  my $ref=shift;\n  my @a=();\n  # preen the line a little\n  foreach (@_){\n    # if NOPASSWD: 
directive found, mark entire entry as not requiring\n    s\/NOPASSWD:\\s*\/\/ && push @options,\"!authenticate\";\n    s\/PASSWD:\\s*\/\/ && push @options,\"authenticate\";\n    s\/NOEXEC:\\s*\/\/ && push @options,\"noexec\";\n    s\/EXEC:\\s*\/\/ && push @options,\"!noexec\";\n    s\/SETENV:\\s*\/\/ && push @options,\"setenv\";\n    s\/NOSETENV:\\s*\/\/ && push @options,\"!setenv\";\n    s\/LOG_INPUT:\\s*\/\/ && push @options,\"log_input\";\n    s\/NOLOG_INPUT:\\s*\/\/ && push @options,\"!log_input\";\n    s\/LOG_OUTPUT:\\s*\/\/ && push @options,\"log_output\";\n    s\/NOLOG_OUTPUT:\\s*\/\/ && push @options,\"!log_output\";\n    s\/[[:upper:]]+:\/\/; # silently remove other tags\n    s\/\\s+$\/\/; # right trim\n  }\n  # do the expanding\n  push @a,$ref->{$_} ? expand($ref,split \/\\s*,\\s*\/,$ref->{$_}):$_ foreach @_;\n  @a;\n}\n<\/code><\/pre>\n\n\n\n<p>Create a bash environment variable holding the DN of the SUDOers organizational unit created above. The script reads it from <code>SUDOERS_BASE<\/code> and exits with an error if it is unset.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>export SUDOERS_BASE=\"ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo $SUDOERS_BASE<\/code><\/pre>\n\n\n\n<p>Next, convert the <code>\/etc\/sudoers<\/code> file into an LDIF file to create the required SUDOers OU defaults entry. The script has to read <code>\/etc\/sudoers<\/code>, so run it as root.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>perl sudoers2ldif \/etc\/sudoers &gt; sudoers_defaults.ldif<\/code><\/pre>\n\n\n\n<p>You can as well use the <code>cvtsudoers<\/code> command to convert the sudoers file to LDIF format. Pass the base DN with <code>-b<\/code> (it falls back to <code>SUDOERS_BASE<\/code> when <code>-b<\/code> is omitted) and put the options before the input file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cvtsudoers -f ldif -b \"$SUDOERS_BASE\" -o sudoers_defaults.ldif \/etc\/sudoers<\/code><\/pre>\n\n\n\n<p>So what are the contents of the <code>sudoers_defaults.ldif<\/code>?<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat sudoers_defaults.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>dn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: 
top\nobjectClass: sudoRole\ncn: defaults\ndescription: Default sudoOption's go here\nsudoOption: !visiblepw\nsudoOption: always_set_home\nsudoOption: match_group_by_gid\nsudoOption: always_query_group_plugin\nsudoOption: env_reset\nsudoOption: env_keep =  \"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\"\nsudoOption: env_keep += \"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\"\nsudoOption: env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"\nsudoOption: env_keep += \"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\"\nsudoOption: env_keep += \"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\"\nsudoOption: secure_path = \/sbin:\/bin:\/usr\/sbin:\/usr\/bin\nsudoOrder: 1\n\ndn: cn=root,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: root\nsudoUser: root\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: ALL\nsudoOrder: 2\n\ndn: cn=%wheel,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: %wheel\nsudoUser: %wheel\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: ALL\nsudoOrder: 3\n<\/code><\/pre>\n\n\n\n<p>As you can see, the converted file contains three <code>sudoRole<\/code> entries under the SUDOers OU: the <code>cn=defaults<\/code> entry carrying the multi-valued <code>sudoOption<\/code> attributes, a role for the root user, and a role for the wheel group.<\/p>\n\n\n\n<p>Sudo attributes used above:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>sudoOption<\/strong>: Similar to a Defaults option in the <code>\/etc\/sudoers<\/code> file.\n<ul class=\"wp-block-list\">\n<li><strong>For example, below are the \/etc\/sudoers command tags and their LDAP SUDO equivalents:<\/strong>\n<ul class=\"wp-block-list\">\n<li>NOPASSWD: <strong>!authenticate<\/strong><\/li>\n\n\n\n<li>PASSWD: <strong>authenticate<\/strong><\/li>\n\n\n\n<li>NOEXEC: <strong>noexec<\/strong><\/li>\n\n\n\n<li>EXEC: <strong>!noexec<\/strong><\/li>\n\n\n\n<li>SETENV: <strong>setenv<\/strong><\/li>\n\n\n\n<li>NOSETENV: 
<strong>!setenv<\/strong><\/li>\n\n\n\n<li>LOG_INPUT: <strong>log_input<\/strong><\/li>\n\n\n\n<li>NOLOG_INPUT: <strong>!log_input<\/strong><\/li>\n\n\n\n<li>LOG_OUTPUT: <strong>log_output<\/strong><\/li>\n\n\n\n<li>NOLOG_OUTPUT: <strong>!log_output<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>sudoUser<\/strong>: defines a user name, user ID (prefixed with \u2018<code>#<\/code>\u2019), Unix group name or ID (prefixed with \u2018<code>%<\/code>\u2019 or \u2018<code>%#<\/code>\u2019 respectively), user netgroup (prefixed with \u2018<code>+<\/code>\u2019), or non-Unix group name or ID (prefixed with \u2018<code>%:<\/code>\u2019 or \u2018<code>%:#<\/code>\u2019 respectively)<\/li>\n\n\n\n<li> <strong>sudoHost<\/strong>: A hostname, IP address, IP network, or host netgroup (prefixed with a \u2018<code>+<\/code>\u2019) or <code>ALL<\/code>&nbsp;value to match any host.<\/li>\n\n\n\n<li> <strong>sudoRunAsUser<\/strong>: A username or uid (prefixed with \u2018<code>#<\/code>\u2019) that commands may be run as or a Unix group (prefixed with a \u2018<code>%<\/code>\u2019) or user netgroup (prefixed with a \u2018<code>+<\/code>\u2019) that contains a list of users that commands may be run as. <code>ALL<\/code>&nbsp;value matches any user.<\/li>\n\n\n\n<li> <strong>sudoCommand<\/strong>: Specifies a fully-qualified Unix command name with optional command line arguments. 
Use <code>ALL<\/code>&nbsp;to match any command.<\/li>\n<\/ul>\n\n\n\n<p>So, before updating the OpenLDAP database with the SUDOers configuration, modify the SUDOers LDIF file above.<\/p>\n\n\n\n<p>For example, remove the root user and wheel group roles that were copied over from the local file, and add the users that you want to assign SUDO rights via LDAP on the remote clients.<\/p>\n\n\n\n<p>You can also remove the <code>sudoOrder<\/code> attributes, as done below, but be aware of what they do: LDAP returns matching roles in no particular order, and when more than one role matches a request sudo applies the one with the highest <code>sudoOrder<\/code> (a missing <code>sudoOrder<\/code> counts as 0). If you intend to define overlapping roles, for example one that grants <code>ALL<\/code> and another that negates a specific command, set <code>sudoOrder<\/code> explicitly so that the precedence is defined.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; modified-sudoer2ldif.ldif &lt;&lt; 'EOL'\ndn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: defaults\ndescription: Kifarunix-demo SUDO via LDAP\nsudoOption: !visiblepw\nsudoOption: always_set_home\nsudoOption: match_group_by_gid\nsudoOption: always_query_group_plugin\nsudoOption: env_reset\nsudoOption: env_keep =  \"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\"\nsudoOption: env_keep += \"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\"\nsudoOption: env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"\nsudoOption: env_keep += \"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\"\nsudoOption: env_keep += \"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\"\nsudoOption: env_keep+=SSH_AUTH_SOCK\nsudoOption: secure_path = \/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\ndn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: sudo\nsudoUser: janedoe\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: ALL\nEOL\n<\/code><\/pre>\n\n\n\n<p>In the above, we created an entry called <strong>sudo<\/strong> under the SUDOers ou and assigned a user called <strong>janedoe<\/strong> SUDO rights to run all commands as any user on any system. Because the role sets <code>sudoRunAsUser<\/code> but no <code>sudoRunAsGroup<\/code>, it corresponds to the line below in the <code>\/etc\/sudoers<\/code> file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>janedoe ALL=(ALL) ALL<\/code><\/pre>\n\n\n\n<p>Note that a sudoRole only grants rights; the user account itself must already exist in the OpenLDAP directory.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"update-open-ldap-database\">Update OpenLDAP Database<\/h3>\n\n\n\n<p>Next, load the SUDOers configuration into the OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f modified-sudoer2ldif.ldif<\/code><\/pre>\n\n\n\n<p>If you need to add another user to the role above, add a further <code>sudoUser<\/code> value to it;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat &gt; add-to-sudo-role.ldif &lt;&lt; 'EOL'\ndn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nadd: sudoUser\nsudoUser: johndoe\nEOL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f add-to-sudo-role.ldif<\/code><\/pre>\n\n\n\n<p>To create a different sudo role, say to allow users to run only specific commands, see below. The role names (the <code>cn<\/code>) can be anything descriptive.<\/p>\n\n\n\n<p>For example, to allow a user called mibeyam to run only the useradd command with sudo, create an LDIF file as shown below and load it into the OpenLDAP database. The closing heredoc delimiter must be the bare word <code>EOL<\/code>. Note that a <code>sudoCommand<\/code> given without arguments, as here, permits the command with any arguments.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; sudo-specific-cmd.ldif &lt;&lt; 'EOL'\ndn: cn=cmdrole,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: cmdrole\nsudoUser: mibeyam\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: \/usr\/sbin\/useradd\nEOL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f sudo-specific-cmd.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-ldap-sudo-nopasswd\">Configure LDAP SUDO NOPASSWD<\/h3>\n\n\n\n<p>Sometimes you may want to allow some users to run commands with sudo without being prompted for a password.<\/p>\n\n\n\n<p>For this, use the LDAP equivalent of the <code>NOPASSWD<\/code> tag, the value <code><strong>!authenticate<\/strong><\/code> of the <code><strong>sudoOption<\/strong><\/code> attribute. 
See the example below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn=koromicha,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncn: koromicha\nobjectclass: top\nobjectclass: sudoRole\nsudocommand: ALL\nsudohost: ALL\n<strong>sudooption: !authenticate\n<\/strong>sudorunasuser: ALL\nsudouser: koromicha<\/code><\/pre>\n\n\n\n<p>This user will then be able to run any command through sudo without being prompted for a password. Use this sparingly: combined with <code>sudoCommand: ALL<\/code> and <code>sudoHost: ALL<\/code> it makes the account's LDAP password the only barrier to root on every client.<\/p>\n\n\n\n<p>To list the roles in the SUDOers OU, run the search below. It requests only the <code>sudoUser<\/code> attribute of each entry; drop the attribute name to see the full entries.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -b \"$SUDOERS_BASE\" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x sudoUser<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-open-ldap-client-to-provide-sudo-rights\">Configure OpenLDAP Client to Provide SUDO rights<\/h2>\n\n\n\n<p>To test and confirm that OpenLDAP now provides sudo rules, set up a client to authenticate via OpenLDAP. In this demo, we are using SSSD on an Ubuntu 18.04 system to provide LDAP authentication.<\/p>\n\n\n\n<p>First, log in to an Ubuntu 18.04 system and set up client authentication as follows.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Install SSSD and the other required packages. <code>libsss-sudo<\/code> provides the library sudo uses to fetch its rules from SSSD (selected through the <code>sudoers<\/code> line in <code>nsswitch.conf<\/code>, set further below).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install sssd libpam-sss libnss-sss vim sssd-tools libsss-sudo<\/code><\/pre>\n\n\n\n<p>Create the SSSD configuration file with the following content.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n<p>Replace the values of <code>ldap_default_bind_dn<\/code> and <code>ldap_default_authtok<\/code> with your Bind DN and its password. 
Also, replace the Base DN, LDAP URI, SUDOers search base, and LDAP access filter accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWord\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/cacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n<p>Two settings here matter for security. <code>ldap_tls_reqcert = demand<\/code> makes SSSD refuse a server certificate that does not validate against <code>ldap_tls_cacert<\/code>; never relax it to <code>allow<\/code> or <code>never<\/code>, because the rules fetched over this connection decide who becomes root on the client. The bind password in <code>ldap_default_authtok<\/code> is stored in clear text, which is why <code>sssd.conf<\/code> must be readable by root only, as set further below.<\/p>\n\n\n\n<p>Copy the CA certificate from the LDAP server. The command below prints the server's certificate chain, but <code>openssl x509<\/code> parses only the first certificate in its input, that is, the server's own certificate; that is the CA certificate only if the server certificate is self-signed. If the server uses a certificate issued by your own CA, copy the CA certificate itself from the OpenLDAP server instead.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts &lt; \/dev\/null | openssl x509 -text<\/code><\/pre>\n\n\n\n<p>Store it in the file referenced above, <code>\/etc\/ssl\/certs\/cacert.crt<\/code>. 
You can use a different file if you like, as long as <code>ldap_tls_cacert<\/code> in <code>sssd.conf<\/code> points to it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ssl\/certs\/cacert.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN CERTIFICATE-----\nMIID0TCCArmgAwIBAgIUQnXoL0eVw1STAXFBjKwNobOMtJ8wDQYJKoZIhvcNAQEL\nBQAweDELMAkGA1UEBhMCS0UxEDAOBgNVBAgMB05haXJvYmkxEDAOBgNVBAcMB05h\n....\n...\nFG4\/H6F0CAD\/ksl4w8aEP0JrdZsDxwmGv8GoM6fVI\/3qcv2pD\/+Fjif0GRcb7V6g\nNsyGrEWBFOD+IrMDIm7KvTBEBJbc\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n<p>Open&nbsp;<code>\/etc\/ldap\/ldap.conf<\/code>&nbsp;and set the location of the CA certificate file copied from the OpenLDAP server, so that the <code>ldap*<\/code> command-line tools validate the server as well.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT     \/etc\/ssl\/certs\/ca-certificates.crt\n<strong>TLS_CACERT       \/etc\/ssl\/certs\/cacert.crt<\/strong><\/code><\/pre>\n\n\n\n<p>Define the LDAP SUDOers search base. This setting is read by sudo's own LDAP backend; with SSSD, sudo gets its rules through <code>ldap_sudo_search_base<\/code> in <code>sssd.conf<\/code>, so the line is harmless but not what this setup relies on.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"sudoers_base ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\" &gt;&gt; \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<p>Restrict&nbsp;<code>\/etc\/sssd\/<\/code>&nbsp;to its owner (root). The configuration holds the bind password, and SSSD refuses to start if <code>sssd.conf<\/code> is readable by anyone other than its owner.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod 600 -R \/etc\/sssd<\/code><\/pre>\n\n\n\n<p>Restart the SSSD service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart sssd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-auto-create-users-home-directory\">Enable Auto Create User's Home Directory<\/h3>\n\n\n\n<p>Configure&nbsp;<a rel=\"noreferrer noopener\" href=\"http:\/\/www.linux-pam.org\/Linux-PAM-html\/sag-pam_mkhomedir.html\" target=\"_blank\">Pluggable Authentication Module (PAM)<\/a>&nbsp;to automatically create a user\u2019s home directory on first login.<\/p>\n\n\n\n<p>This can be achieved by editing 
the&nbsp;<code>\/etc\/pam.d\/common-session<\/code>&nbsp;configuration file as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/pam.d\/common-session<\/code><\/pre>\n\n\n\n<p>Add the line below just after the line,&nbsp;<code>session optional pam_sss.so<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n# since the modules above will each just jump around\nsession required pam_permit.so\n# and here are more per-package modules (the \"Additional\" block)\nsession required pam_unix.so \nsession optional pam_sss.so \n<strong>session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/strong>\nsession optional pam_systemd.so \n# end of pam-auth-update config<\/code><\/pre>\n\n\n\n<p>Save and quit the configuration.<\/p>\n\n\n\n<p>Also, ensure that <code>\/etc\/nsswitch.conf <\/code>has this line;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudoers:        files sss<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"assigning-user-sudo-rights-on-specific-host\">Assigning User SUDO rights on Specific Host<\/h3>\n\n\n\n<p>It is also possible to assign a user sudo rights on a specific host. 
For example, if you have a user called <code>johndoe<\/code> in your OpenLDAP database and you want this user to run commands with sudo only on the host <code>john.kifarunix-demo.com<\/code>, create an entry like the one below on your OpenLDAP server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: cn=john,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncn: john\nobjectclass: top\nobjectclass: sudoRole\nsudocommand: ALL\nsudohost: john.kifarunix-demo.com\nsudorunasuser: ALL\nsudouser: johndoe<\/code><\/pre>\n\n\n\n<p>If this user logs in to a system whose hostname is john.kifarunix-demo.com, they can execute any command with sudo; on any other system the role does not match and grants them nothing. sudo compares <code>sudoHost<\/code> with the name the client host reports for itself (the output of <code>hostname<\/code>, or its DNS-resolved fully qualified name when the <code>fqdn<\/code> option is set), so the value must match that name exactly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-open-ldap-authentication-on-ubuntu-18-04\">Testing OpenLDAP Authentication on Ubuntu 18.04<\/h3>\n\n\n\n<p>To confirm that you can now log in to the system as an LDAP user through SSSD, simply SSH to the local host as your OpenLDAP user. 
See the OpenLDAP setup guide linked above for how to add users to the directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh janedoe@localhost<\/code><\/pre>\n\n\n\n<p>As you log in, note the line, <strong>Creating directory '\/home\/janedoe'<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>janedoe@localhost's password: \n<strong>Creating directory '\/home\/janedoe'<\/strong>.\nWelcome to Ubuntu 18.04 LTS (GNU\/Linux 4.15.0-20-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nLast login: Sun Dec  8 11:52:56 2019 from ::1\njanedoe@ubuntu18:~$<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>pwd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/home\/janedoe<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>id<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-sudo-privileges\">Verify SUDO Privileges<\/h3>\n\n\n\n<p>You can now run commands with sudo to confirm that you actually have the sudo rights provided by OpenLDAP. <code>sudo -l<\/code> lists the rules that apply to you without running anything and is the quickest way to see whether the LDAP roles were fetched at all.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo su -<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>janedoe@ubuntu18:~$ sudo su -\n [sudo] password for janedoe: \n root@ubuntu18:~#<\/code><\/pre>\n\n\n\n<p>Now log in again as a user with no matching sudoRole. If you added johndoe to the cn=sudo role earlier, remove that sudoUser value first; the host-restricted cn=john role from the previous section does not match this host either.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh johndoe@localhost<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>johndoe@ubuntu18:~$ sudo su -\n[sudo] password for johndoe: \njohndoe is not allowed to run sudo on ubuntu18.  This incident will be reported.\njohndoe@ubuntu18:~$<\/code><\/pre>\n\n\n\n<p>Verifying host-based sudo rights, assuming the cn=john role from the previous section has been loaded:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh -l johndoe 192.168.56.160<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>johndoe@192.168.56.160's password: \nCreating directory '\/home\/johndoe'.\n...\n...\nLast login: Tue Jan 21 16:50:58 2020 from 127.0.0.1\njohndoe@jane:~$ hostname\n<strong>jane.kifarunix-demo.com<\/strong><\/code><\/pre>\n\n\n\n<p>Note the hostname of the system above: it is not the one named in the role, so the role does not match.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>johndoe@jane:~$ sudo su -\n[sudo] password for johndoe: \n<strong>johndoe is not allowed to run sudo on jane.  This incident will be <\/strong>reported.<\/code><\/pre>\n\n\n\n<p>Log in as an administrative user, change the hostname to <code><strong>john.kifarunix-demo.com<\/strong><\/code>, then log in as johndoe again.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>johndoe@john:~$ hostname\njohn.kifarunix-demo.com\njohndoe@john:~$ sudo su -\n[sudo] password for johndoe: \nroot@john:~#<\/code><\/pre>\n\n\n\n<p>Note what this test demonstrates: <code>sudoHost<\/code> is matched against the name the client reports for itself, so anyone who can rename a host, or who already has root on it, can make a host-restricted role match. Treat <code>sudoHost<\/code> as an administrative scoping control, not as a boundary against a compromised host.<\/p>\n\n\n\n<p>You have successfully configured OpenLDAP to provide sudo rules, so sudo rights no longer need to be assigned host by host in local sudoers files. Do keep a local break-glass entry for an administrative account in <code>\/etc\/sudoers<\/code> on each host, though: the LDAP roles are only as available as the directory, and SSSD can only serve cached rules that it has already fetched. 
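<\/p>\n\n\n\n<p>To close, here is an added worked example (my own code, not part of the original guide and not the sudo project's code) that models how sudo evaluates the <code>sudoRole<\/code> entries shown throughout this guide: it parses LDIF and, for a given user, host and command, reports whether the command is allowed and whether a password is required. It exercises the cases demonstrated above (an unrestricted role, a role limited to one command, a <code>!authenticate<\/code> role and a role limited to one host) and additionally a <code>%group<\/code> value in <code>sudoUser<\/code> and a negated <code>!<\/code> command that only wins because of its higher <code>sudoOrder<\/code>. The sample roles are constructed for the example and modelled on the guide's rather than identical to them, and the matching is a deliberate subset of what <code>sudoers.ldap(5)<\/code> describes: exact host names, exact command paths, and no netgroups, wildcards, command arguments or digests.<\/p>\n\n\n\n
```python
"""Offline model of sudo's sudoRole matching: added example, not the guide's own code.
Parses LDIF like the entries in this guide and answers whether USER may run CMD on
HOST and whether a password is required (a simplified subset of sudoers.ldap(5))."""

BASE = "ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com"

# Constructed sample roles modelled on the guide's, plus a '!'-negated command
# and a %group sudoUser, to show how sudoOrder and sudoUser matching behave.
SAMPLE_LDIF = f"""\
dn: cn=defaults,{BASE}
objectClass: sudoRole
cn: defaults
sudoOption: !visiblepw

dn: cn=sudo,{BASE}
objectClass: sudoRole
cn: sudo
sudoUser: janedoe
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=nosu,{BASE}
objectClass: sudoRole
cn: nosu
sudoUser: janedoe
sudoHost: ALL
sudoCommand: !/bin/su
sudoOrder: 10

dn: cn=cmdrole,{BASE}
objectClass: sudoRole
cn: cmdrole
sudoUser: mibeyam
sudoHost: ALL
sudoCommand: /usr/sbin/useradd
sudoOption: !authenticate

dn: cn=john,{BASE}
objectClass: sudoRole
cn: john
sudoUser: johndoe
sudoUser: %ldapadmins
sudoHost: john.kifarunix-demo.com
sudoCommand: ALL
"""

def parse_ldif(text):
    """Split LDIF into entries of {attribute (lower-cased): [values]}. Continuation
    lines (leading space) are joined; base64 '::' values are left undecoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def _match_cmd(values, cmd):
    """True = allowed, False = denied by a '!' value, None = no value matched."""
    verdict = None
    for v in values:
        if v.lstrip("!") in ("ALL", cmd):
            verdict = not v.startswith("!")   # a later value overrides an earlier one
    return verdict

def check(entries, user, host, cmd, groups=()):
    """Return (allowed, password_required) for user running cmd on host."""
    global_opts, best = [], None
    for e in entries:
        if e.get("cn") == ["defaults"]:            # cn=defaults carries global options
            global_opts = e.get("sudooption", [])
            continue
        user_ok = any(u == "ALL" or u == user or (u[:1] == "%" and u[1:] in groups)
                      for u in e.get("sudouser", []))
        host_ok = any(h in ("ALL", host, host.split(".")[0])
                      for h in e.get("sudohost", []))
        verdict = _match_cmd(e.get("sudocommand", []), cmd) if user_ok and host_ok else None
        if verdict is None:
            continue
        order = float(e.get("sudoorder", ["0"])[0])  # absent sudoOrder counts as 0
        if best is None or order > best[0]:           # highest sudoOrder wins
            best = (order, verdict, e.get("sudooption", []))
    if best is None or not best[1]:
        return False, True
    password = True
    for opt in global_opts + best[2]:                 # role options override defaults
        if opt in ("authenticate", "!authenticate"):
            password = opt == "authenticate"
    return True, password

ENTRIES = parse_ldif(SAMPLE_LDIF)
```
\n\n\n\n<p>Save it as a script and import it or run it with <code>python3<\/code>: <code>check(ENTRIES, 'janedoe', 'ubuntu18', '\/bin\/su')<\/code> returns <code>(False, True)<\/code> because <code>cn=nosu<\/code> outranks <code>cn=sudo<\/code>, while <code>check(ENTRIES, 'mibeyam', 'ubuntu18', '\/usr\/sbin\/useradd')<\/code> returns <code>(True, False)<\/code>, that is, allowed and no password. To check the roles you actually loaded, feed <code>parse_ldif()<\/code> the output of an <code>ldapsearch<\/code> over the SUDOers OU that requests all attributes; values that <code>ldapsearch<\/code> base64-encodes (shown with <code>::<\/code>) are not decoded by this small parser. The comparison on <code>sudoOrder<\/code> is the point to take away: with the order attributes removed, two overlapping roles have no defined precedence.<\/p>\n\n\n\n<p>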
That brings us to the end of our guide.<\/p>\n\n\n\n<p>Reference:<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.sudo.ws\/man\/1.8.17\/sudoers.ldap.man.html\" target=\"_blank\">sudoers ldap manual pages<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/add-freeipa-user-accounts-via-cli-or-web-interface\/\" target=\"_blank\">Add FreeIPA User Accounts via CLI or Web Interface<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-freeipa-server-on-centos-8\/\" target=\"_blank\">Install and Setup FreeIPA Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7\/\" target=\"_blank\">How to Install FreeIPA Server on Fedora 29\/Fedora 28\/CentOS 7<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/run-only-specific-commands-with-sudo-in-linux\/\" target=\"_blank\">Run only Specific Commands with sudo in Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-add-users-to-sudo-group-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">How to Add Users to sudo group in Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Well, in this guide, we are going to demonstrate how to configure SUDO via OpenLDAP Server. 
Apart from being able to provide sudo rights on<\/p>\n","protected":false},"author":1,"featured_media":14089,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1142,6368,1831,6365,1830,6367,286,1217,1218,1131,1124],"class_list":["post-4750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-centos-8","tag-configure-sudo-on-openldap","tag-configure-sudo-via-ldap","tag-install-libsss-sudo","tag-ldap-sudo-nopasswd","tag-libsss_sudo","tag-openldap","tag-openldap-sudo","tag-provide-sudo-over-ldap","tag-sssd","tag-sudo","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4750"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4750"}],"version-history":[{"count":29,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4750\/revisions"}],"predecessor-version":[{"id":21287,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4750\/revisions\/21287"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/14089"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{r
el}","templated":true}]}}