Instantly share code, notes, and snippets.

What would you like to do?
# uname -a
Linux base 4.0.5-gentoo #1 SMP Wed Jul 1 02:23:16 JST 2015 x86_64 Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz GenuineIntel GNU/Linux


# emerge -pvq openldap openssh sssd sudo
[ebuild   R   ] net-nds/openldap-2.4.38-r2  USE="berkdb crypt gnutls ipv6 minimal sasl ssl syslog tcpd -cxx -debug -experimental -icu -iodbc -kerberos -odbc -overlays -perl -samba (-selinux) -slp -smbkrb5passwd" ABI_X86="(64) -32 (-x32)" 
[ebuild   R   ] net-misc/openssh-6.9_p1-r2  USE="hpn pam pie ssl -X -X509 -bindist -debug -kerberos -ldap -ldns -libedit -sctp (-selinux) -skey -ssh1 -static" 
[ebuild   R   ] sys-auth/sssd-1.12.4  USE="manpages nls ssh sudo -acl -augeas -autofs -locator -netlink -nfsv4 -python -samba (-selinux) {-test}" ABI_X86="(64) -32 (-x32)" PYTHON_SINGLE_TARGET="python2_7 -python3_3 -python3_4" PYTHON_TARGETS="python2_7 python3_3 -python3_4" 
[ebuild   R   ] app-admin/sudo-1.8.12  USE="ldap nls pam sendmail -offensive (-selinux) -skey" 

LDAP Client configuration

# grep -vE '^\s*($|#)' /etc/openldap/ldap.conf
BASE dc=example,dc=co,dc=jp
URI ldap:// ldap://
tls_reqcert naver
sudoers_base ou=SUDOers,dc=example,dc=co,dc=jp
nss_initgroups backlink
binddn cn=Authenticator,dc=example,dc=co,dc=jp
bindpw P@ssw0rd!
# ls -l /etc/openldap/ldap.conf /etc/ldap.conf.sudo
lrwxrwxrwx 1 root root  18 Jul 19 16:35 /etc/ldap.conf.sudo -> openldap/ldap.conf
-rw-r--r-- 1 root root 250 Jul 19 16:36 /etc/openldap/ldap.conf

SSS Configuration

# grep -vE '^\s*($|#)' /etc/sssd/sssd.conf
config_file_version = 2
services = nss,pam,sudo,ssh
domains = mvrck
debug_level = 1
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
subdomain_enumerate = true
debug_level = 9
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_search_base = dc=example,dc=co,dc=jp
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=co,dc=jp
ldap_tls_reqcert = never
ldap_uri = ldap://
ldap_schema = rfc2307
debug_level = 1
enumerate = true
ldap_default_bind_dn = cn=Authenticator,dc=example,dc=co,dc=jp
ldap_default_authtok = P@ssw0rd!
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=Group,dc=example,dc=co,dc=jp
ldap_group_name = cn
ldap_group_member = memberUid
ldap_id_use_start_tls = false
chpass_provider = ldap
cache_credentials = true

Name Service Switch configuration

# grep -vE '^\s*($|#)' /etc/nsswitch.conf
passwd:      compat sss
shadow:      compat sss
group:       compat sss
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
sudoers:     files ldap sss

PAM configuration

# grep -vE '^\s*($|#)' /etc/pam.d/system-auth
auth            required 
auth            sufficient try_first_pass likeauth nullok 
auth            sufficient use_first_pass
auth            optional
account required 
account [default=bad success=ok user_unknown=ignore]  
account optional
password        required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        sufficient try_first_pass use_authtok nullok sha512 shadow 
password        sufficient use_authtok
password        optional
session         required 
session         required 
session         required 
session         optional skel=/etc/skel/ umask=0077
session         optional
session         optional

OpenSSH configuration

# grep -vE '^\s*($|#)' /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
UsePrivilegeSeparation sandbox          # Default for new installations.
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*

This comment has been minimized.

Copy link

saqib-ali commented Aug 24, 2016

Any recommendations for a GUI to manager Sudoers rules in LDAP or AD?


This comment has been minimized.

Copy link

diboanches commented Mar 28, 2017

Red Hat Identity Management
or free version FreeIPA


This comment has been minimized.

Copy link

KroniK907 commented May 4, 2017

FusionDirectory is a great tool for managing an openLDAP system in general. It includes a plugin for managing Sudo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment