
OpenLDAP for sudo configuration and rights


We covered SSH authentication and Linux user management with OpenLDAP in an earlier article; now wouldn’t it be great if you could also manage sudo rules from a central place like an LDAP server? Luckily, sudo has support for this! This article shows how to set it up in OpenLDAP and in the sudo configuration on your Linux machine.

This article assumes the LDAP client is already set up on the machine; if you haven’t done that yet, see the previous blog post linked above!

LDAP changes #

Import the sudo schema into your OpenLDAP configuration under cn=schema,cn=config:

dn: cn=sudo,cn=schema,cn=config
objectClass: olcConfig
objectClass: olcSchemaConfig
objectClass: top
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s
 ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring
 sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s
 ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring
 sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com
 mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(
 s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti
 ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U
 ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC '
 Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S
 tart of time interval for which the entry is valid' EQUALITY generalizedTim
 eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12
 1.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'E
 nd of time interval for which the entry is valid' EQUALITY generalizedTimeM
 atch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer
 to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUC
 TURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCom
 mand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBef
 ore $ sudoNotAfter $ sudoOrder $ description ) )

Now create a new organizational unit (OU) to hold the sudo rules, for example:

dn: ou=sudoers,dc=example,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

Then add the following line to your /etc/ldap/ldap.conf and /etc/libnss-ldap.conf files:

sudoers_base ou=sudoers,dc=example,dc=com

Finally, edit the sudoers line in /etc/nsswitch.conf so that sudo consults local files first and then LDAP:

sudoers: files ldap

Creating defaults #

You can setup defaults for the sudoers file like this:

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions for all servers
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: insults

Creating rights #

For user rights, you can now create the following object:

dn: cn=techwolf12,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: techwolf12
sudoUser: techwolf12
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL

For group rights, you can do the same. Make sure the group exists in LDAP or locally, and be sure to prefix it with a %:

dn: cn=%admin,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL

You can also restrict a rule to specific hostnames, specific commands, or the users this user or group is allowed to impersonate, and you can negate ALL by putting an exclamation mark before a command. Another important point: LDAP entries have no inherent order, so if you want specific rules to take precedence you have to use the sudoOrder attribute, where a higher number takes precedence:

dn: cn=byte,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: byte
sudoUser: byte
sudoHost: lycan
sudoRunAs: techwolf12
sudoCommand: ALL
sudoCommand: !/bin/bash
sudoOrder: 1
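To see how these attributes combine, here is an added example (not from the original post and not sudo's own code) that models sudo's LDAP lookup offline in Python: it parses sudoRole entries like the ones above and answers whether a user on a host may run a command as a given RunAs user, honouring sudoOrder and "!" negation. It is a deliberately simplified model: exact-string or ALL matches only, no netgroups, wildcards or sudoNotBefore/sudoNotAfter, and a matching negated sudoCommand denies within its role.

```python
# Added example: offline model of how sudo's LDAP backend resolves sudoRole entries.
# Simplified on purpose: exact or ALL matching only, negated command match = deny.
# Constructed sample based on the post's three roles (objectClass/cn lines omitted).
SAMPLE_LDIF = """\
dn: cn=techwolf12,ou=sudoers,dc=example,dc=com
sudoUser: techwolf12
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL

dn: cn=%admin,ou=sudoers,dc=example,dc=com
sudoUser: %admin
sudoHost: ALL
sudoCommand: ALL

dn: cn=byte,ou=sudoers,dc=example,dc=com
sudoUser: byte
sudoHost: lycan
sudoRunAs: techwolf12
sudoCommand: ALL
sudoCommand: !/bin/bash
sudoOrder: 1
"""

def parse_ldif(text):
    """Return {attribute: [values]} per entry; a leading space folds a line."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = [l.partition(": ") for l in block.replace("\n ", "").splitlines()]
        entries.append({k: [v for kk, _, v in pairs if kk == k] for k, _, _ in pairs})
    return entries

def role_applies(role, user, groups, host, runas):
    """sudoUser (name, %group or ALL), sudoHost and sudoRunAs* must all match; no RunAs = root."""
    users, hosts = role.get("sudoUser", []), role.get("sudoHost", [])
    runas_ok = role.get("sudoRunAsUser", []) + role.get("sudoRunAs", []) or ["root"]
    return ((user in users or "ALL" in users or any("%" + g in users for g in groups))
            and (host in hosts or "ALL" in hosts) and (runas in runas_ok or "ALL" in runas_ok))

def sudo_allowed(ldif, user, host, command, runas="root", groups=()):
    """Visit roles by ascending sudoOrder (unset = 0); the last matching role decides."""
    decision = False
    roles = sorted(parse_ldif(ldif), key=lambda r: int(r.get("sudoOrder", ["0"])[0]))
    for role in (r for r in roles if role_applies(r, user, groups, host, runas)):
        cmds = role.get("sudoCommand", [])
        if any(c in ("!ALL", "!" + command) for c in cmds):
            decision = False   # a negated match denies inside this role
        elif any(c in ("ALL", command) for c in cmds):
            decision = True
    return decision
```

Against a real directory, running `sudo -l -U <user>` on a client is the authoritative check of what a user ends up with.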