LDAP integration for sudo users

Outline

Let’s assume you have an OpenLDAP server installed for creating groups, keeping your users organised and assigning specific permissions to the users in certain groups. The server runs fine, all your groups are easy to maintain, and users for all your software instances are created with a few configuration tasks.

Now and then companies grow or see a change in their administrative structure. The admin user base grows, some admins are appointed to handle infrastructure tasks, others to care for specific server-side applications. Some companies even have to deal with staff turnover, so in any case users need to be created and have permissions assigned in order to fulfil their tasks.

For that given structure, admin users need an LDAP account to be part of the company’s communication infrastructure (mail, instant messaging, folder permissions), but on the other hand need to be members of the sudo group, as lots of applications need root access for changing their basic setup or handling configuration tasks.

The Problem

This means: you need to create LDAP user accounts for daily tasks and system user accounts for admin tasks, which results in redundant user data, a messed-up folder structure and simply an inconsistent layout of the company’s data management. Of course, keeping admin tasks separated from daily tasks by assigning separate roles to one single user is a viable concept, but what if you just don’t want to care about permissions, roles and the like and want to keep your workflow simple? Apart from that, it does not make sense to create a user with the same credentials in both the LDAP and the UNIX realm, as you then have to take care not to mess up the home directories. This also does not solve the problem of adding LDAP users to specific groups which sometimes need to work in system folders – think of www-data here.

The Solution

Let’s give users of the server’s LDAP structure the privilege to use sudo! First of all, a couple of definitions for the rest of this post.

Disclaimer and Big Warning: Read this guide carefully. Read the docs. Read the man pages. Read everything again. Fire up a Virtual Machine and try it in a testing environment first. You don’t want to hurry through the process, as you can wreak havoc big time / destroy everything / release the kraken / cause nausea and heart attack if you do not take care. In other words: Kids, don’t try this at home.

Intended LDAP structure for the demo environment

dc = Domain Component, cn = Common Name, ou = Organizational Unit
Together these components form the dn = Distinguished Name (unique throughout the structure).

LDAP structure

+dc=testlab,dc=dev
|—cn=admin
|
|—+ou=Groups
|  |—cn=mySudoGroup
|
|—+ou=Sudoers
|  |—cn=%admin
|  |—cn=%sudo
|  |—cn=%mySudoGroup
|  |—cn=defaults
|  |—cn=root
|
|—+ou=Users
   |—uid=mySudoUser

So there are three Organizational Units serving as ‘containers’ for other ‘objects’. cn=admin sits directly below the base: it is the directory’s root DN (olcRootDN), created by dpkg-reconfigure slapd in step 2, and the clients refer to the same DN later as rootbinddn in /etc/ldap.conf.

Groups: posixGroup entries, the LDAP counterpart of the UNIX groups in /etc/group
Sudoers: sudoRole entries, the LDAP counterpart of the rules in /etc/sudoers
Users: posixAccount entries, the actual members of the LDAP groups

Hint: If groups and users already exist, only the Sudoers OU and its sudoRole entries need to be added to the directory.

1. Preparation

For the demo setup we used the domain ubuser.testlab.dev; the LDAP base DN therefore consists of the domain components dc=testlab,dc=dev.
Now for the most important part: slapd must be able to resolve the server’s own hostname.

/etc/hosts

127.0.0.1       ubuser
192.168.254.56  ubuser.testlab.dev ubuser

If there is an existing DNS, look the entries up there instead, of course. Let’s install OpenLDAP, the LDAP-enabled sudo and phpldapadmin:

sudo apt-get -y install slapd ldap-utils sudo-ldap phpldapadmin

Note that sudo-ldap conflicts with and replaces the stock sudo package. Keep a root shell open (or a console login as root) while you work through this guide, so that a misconfigured sudo cannot lock you out.

The configuration directory is /etc/ldap/slapd.d, which holds cn=config in LDIF form. Two entries in it matter for this guide:

  • cn=config/olcDatabase={0}config.ldif (the configuration database itself)
  • cn=config/olcDatabase={1}hdb.ldif (the data database holding dc=testlab,dc=dev)

2. Configure OpenLDAP

sudo dpkg-reconfigure slapd

DNS domain name: testlab.dev (dpkg-reconfigure derives the base DN from it, here dc=testlab,dc=dev; entering the full host name ubuser.testlab.dev would give you a different base)
Database: HDB (if your release only offers MDB, choose it and read olcDatabase={1}mdb wherever this guide says olcDatabase={1}hdb)
Password to be used for cn=admin,dc=testlab,dc=dev   #for this demo: 'test'

Next we have to load schemas into the directory. A schema defines object classes and attribute types, roughly speaking the ‘classes’ from which directory entries are created.

schemas

# these 4 are already loaded by the Ubuntu package, so ldapadd reports a duplicate error for each of them; that is expected
# (nis.ldif supplies posixAccount, posixGroup and shadowAccount, which we use below)
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

# add the additional schemas
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/openldap.ldif

Now we verify that the resulting configuration is correct:

sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
sudo cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

3. Creating Organizational Units

Now we load OUs to the directory. For the purpose of validating we can make use of phpldapadmin from now on.


mkdir ~/ldapdata
nano ~/ldapdata/add_ous.ldif

*Content of add_ous.ldif*
dn: ou=Groups,dc=testlab,dc=dev
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Users,dc=testlab,dc=dev
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Sudoers,dc=testlab,dc=dev
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

Now we add the data specified above to the directory by using:

add_ous.ldif

ldapadd -f ~/ldapdata/add_ous.ldif -x -D "cn=admin,dc=testlab,dc=dev" -W

4. Add data

Here we add the group and user data which the clients will later use for authentication and to which we hand sudo privileges. Note that LDIF has no inline comments: a ‘#’ only starts a comment at the beginning of a line, while text after a value (gidNumber: 10000 #add this entry) is sent to the server as part of the value and rejected with ‘Invalid syntax (21)’.

nano ~/ldapdata/add_data.ldif

add_data.ldif

dn: cn=mySudoGroup,ou=Groups,dc=testlab,dc=dev
objectClass: top
objectClass: posixGroup
cn: mySudoGroup
gidNumber: 10000

dn: uid=mySudoUser,ou=Users,dc=testlab,dc=dev
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mySudoUser
sn: McSurname
givenName: Sudora
cn: Sudora McSurname
displayName: Sudora McSurname
uidNumber: 10000
gidNumber: 10000
# demo only: slapd stores userPassword exactly as given, so for anything but a
# test box run "slappasswd -s sudora12" and paste the resulting {SSHA}... value
userPassword: sudora12
gecos: Sudora McSurname
loginShell: /bin/bash
homeDirectory: /profiles/sudora
mail: [email protected]
telephoneNumber: 555-2368
st: AT
manager: uid=mySudoUser,ou=Users,dc=testlab,dc=dev
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
title: Testuser

The user’s gidNumber equals the group’s gidNumber, so mySudoGroup is the primary group of mySudoUser; that is what the %mySudoGroup match in step 5 relies on. To add further users as secondary members, add a memberUid: <uid> line to the group entry instead.

Then we add the group and user data to the directory:

ldapadd -f ~/ldapdata/add_data.ldif -x -D "cn=admin,dc=testlab,dc=dev" -W

5. Grant sudo privileges to users

We have already installed sudo-ldap at the beginning. The package ships the sudo schema (the sudoRole object class and its sudo* attributes), which we copy into the schema directory.

sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema

We convert the schema to an LDIF file for cn=config. No sudo is needed here, everything is written below your own home directory; the fresh temporary directory for -F avoids picking up a leftover conversion from an earlier attempt:

echo "include /etc/ldap/schema/sudo.schema" > ~/ldapdata/sudoSchema.conf
tmpcfg=$(mktemp -d)
slapcat -f ~/ldapdata/sudoSchema.conf -F "$tmpcfg" -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/ldapdata/cn\=sudo.ldif
nano ~/ldapdata/cn\=sudo.ldif

The header of the file must now look like this. slapcat emits cn={0}sudo; remove the {0} from both the dn and the cn line so that slapd assigns the next free schema index itself.

sudo.ldif

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo

You must remove the following lines from the end of the file. They are operational attributes which slapd generates itself for every entry; supplied by a client, they make the add fail.

sudo.ldif

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

You read the disclaimer, right? You did not hurry, but took your time and carefully removed the lines above, right? If not, please let me introduce you to my dear old friend Kefka.

Now we apply the sudo schema:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/ldapdata/cn\=sudo.ldif
sudo service slapd restart
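The two manual edits above (removing the {0} prefix and the trailing operational attributes) are easy to get wrong in an editor, so here is an added example that scripts them and checks the result before you hand it to ldapadd. It is not code from the original post or from the sudo or OpenLDAP projects; the function names are our own, and the sample input in the usage note is constructed to resemble the slapcat output shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are ours.
set -u

# clean_schema_ldif IN OUT: write a copy of IN that ldapadd accepts for
# cn=schema,cn=config. Returns 1 if IN does not look like a converted schema.
clean_schema_ldif() {
    in="$1"; out="$2"
    grep -q '^dn: cn={[0-9]*}[^,]*,cn=schema,cn=config$' "$in" || {
        echo "clean_schema_ldif: $in does not start a cn=schema entry" >&2
        return 1
    }
    # 1. drop the {N} ordering prefix so slapd picks the next free index itself
    # 2. drop the operational attributes slapd generates for every entry
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d' \
        "$in" > "$out"
}

# schema_ldif_ok FILE: 0 if FILE has the expected header and none of the
# attributes that must not be sent; run it before ldapadd.
schema_ldif_ok() {
    head -n 1 "$1" | grep -q '^dn: cn=[^{,]*,cn=schema,cn=config$' || return 1
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}

# usage: sh clean-schema.sh clean ~/ldapdata/cn=sudo.ldif ~/ldapdata/cn=sudo.clean.ldif
case "${1:-}" in
    clean) clean_schema_ldif "${2:?input}" "${3:?output}" && schema_ldif_ok "$3" ;;
esac
```

Run it on the raw slapcat output and feed the cleaned file to the ldapadd line above; the exit status tells you whether the file is safe to load. The grep in schema_ldif_ok is the same check you would otherwise do by eye at the bottom of the file.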

Next we load the ‘old’ sudo rules from /etc/sudoers into our directory. The root shell is needed because /etc/sudoers is readable by root only; sudoers2ldif turns the Defaults line and the root, %admin and %sudo rules into the cn=defaults, cn=root, cn=%admin and cn=%sudo sudoRole entries shown in the tree above. Review the generated file before loading it: it grants exactly what the file granted, now to every host that uses the directory.

sudo -i
SUDOERS_BASE=ou=Sudoers,dc=testlab,dc=dev
export SUDOERS_BASE
perl /usr/share/doc/sudo-ldap/sudoers2ldif /etc/sudoers > ~/sudoMaster.ldif
exit
sudo mv /root/sudoMaster.ldif ~/ldapdata/sudoMaster.ldif
sudo chown "$USER" ~/ldapdata/sudoMaster.ldif
ldapadd -f ~/ldapdata/sudoMaster.ldif -D "cn=admin,dc=testlab,dc=dev" -W -x

After that we add our own sudoRole entry, independent of the ones just imported. It links sudo privileges to the LDAP group mySudoGroup created in step 4.

nano ~/ldapdata/sudoMyGroup.ldif

sudoMyGroup.ldif

dn: cn=%mySudoGroup,ou=Sudoers,dc=testlab,dc=dev
objectClass: top
objectClass: sudoRole
cn: %mySudoGroup
sudoUser: %mySudoGroup
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 5

Important: This entry is the equivalent of the line ‘%mySudoGroup ALL=(ALL:ALL) ALL’ in /etc/sudoers. sudoUser must be the cn of the posixGroup created in step 4 with a leading %, because sudo resolves the group through NSS exactly as it does for /etc/sudoers; a misspelt name does not produce an error, it just never matches. sudoHost: ALL means the rule applies on every host that points at this directory, so narrow it to a host name or netgroup on production systems.

ldapadd -f ~/ldapdata/sudoMyGroup.ldif -D "cn=admin,dc=testlab,dc=dev" -W -x
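As an added example (not code from the original post or from the sudo project), here is a small shell helper for steps 4 and 5: it prints the sudoRole entry for any LDAP group, so the cn, the sudoUser value and the group name cannot drift apart, and it lints an LDIF file for the three mistakes that bite in this guide: inline comments that become part of a value, records that are not separated by a blank line, and cleartext userPassword values. The function names and the SUDOERS_BASE default are this example’s own; the base DN follows the demo layout.

```shell
#!/bin/sh
# Added example, not part of the original post. Helper names are our own; the
# default base follows the demo layout (ou=Sudoers,dc=testlab,dc=dev).
set -u

SUDOERS_BASE="${SUDOERS_BASE:-ou=Sudoers,dc=testlab,dc=dev}"

# make_sudorole GROUP [ORDER]: print the sudoRole entry that mirrors
# "%GROUP ALL=(ALL:ALL) ALL" in /etc/sudoers. GROUP must be the cn of an
# existing posixGroup, because sudo matches %GROUP through NSS.
make_sudorole() {
    group="$1"; order="${2:-5}"
    case "$group" in
        ""|*[!A-Za-z0-9_.-]*) echo "make_sudorole: bad group name '$group'" >&2; return 1 ;;
    esac
    printf 'dn: cn=%%%s,%s\n' "$group" "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %%%s\nsudoUser: %%%s\n' "$group" "$group"
    printf 'sudoHost: ALL\nsudoRunAsUser: ALL\nsudoRunAsGroup: ALL\nsudoCommand: ALL\n'
    printf 'sudoOrder: %s\n' "$order"
}

# lint_ldif FILE: return 0 if clean, 1 otherwise, printing one finding per line.
# LDIF has no inline comments: "gidNumber: 10000 #note" is sent as the literal
# value "10000 #note" and slapd answers "Invalid syntax (21)".
lint_ldif() {
    file="$1"; rc=0; n=0; in_record=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "")   in_record=0; continue ;;   # blank line ends a record
            "#"*) continue ;;                # whole-line comment is fine
        esac
        case "$line" in
            *": "*" #"*) echo "$file:$n: text after ' #' is part of the value: $line"; rc=1 ;;
        esac
        attr=${line%%:*}; val=${line#*:}; val=${val# }
        case "$attr" in
            dn)
                [ "$in_record" = 0 ] || { echo "$file:$n: new dn without a blank line before it"; rc=1; }
                in_record=1 ;;
            uidNumber|gidNumber|sudoOrder)
                case "$val" in ""|*[!0-9]*) echo "$file:$n: $attr is not an integer: '$val'"; rc=1 ;; esac ;;
            userPassword)
                # "userPassword::" (base64) or a {SCHEME} prefix is fine; anything else is stored in clear
                case "$val" in ":"*|"{"*"}"*) ;; *) echo "$file:$n: cleartext userPassword, use slappasswd"; rc=1 ;; esac ;;
        esac
    done < "$file"
    return $rc
}

# usage: sh ldif-helpers.sh role mySudoGroup > ~/ldapdata/sudoMyGroup.ldif
#        sh ldif-helpers.sh lint ~/ldapdata/add_data.ldif
#        sh ldif-helpers.sh demo   (lints a constructed file with the inline-comment mistake)
case "${1:-}" in
    role) make_sudorole "${2:?group}" ;;
    lint) lint_ldif "${2:?file}" ;;
    demo) d=$(mktemp -d)
          printf 'dn: cn=x,ou=Groups,dc=testlab,dc=dev\nobjectClass: posixGroup\ncn: x\ngidNumber: 10000 #add this entry\n' > "$d/bad.ldif"
          lint_ldif "$d/bad.ldif"; rm -r "$d" ;;
esac
```

Run the lint over every LDIF file before its ldapadd or ldapmodify; it also catches a multi-record file whose dn: lines are not separated by blank lines, which is the shape the indices file in the next step must not have.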

Create indices: we add indices for the attributes the clients search by, uid and cn for the NSS lookups and sudoUser for sudo’s rule lookups. Lookups work without them, but an unindexed search is a full scan of the database and slapd logs a ‘not indexed’ warning for every one of them.

indices.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: sudoUser eq,sub
-
add: olcDbIndex
olcDbIndex: cn eq

This is one modify record with three changes separated by ‘-’ lines. Three dn: lines in a row without a blank line between them are not three records but one malformed one, which ldapmodify rejects.

After this step we apply the modification with:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ~/ldapdata/indices.ldif

6. Authentication for clients via LDAP

With the server side done, we now make the clients capable of authenticating against LDAP, i.e. we tell them that there is a server providing authentication data. This happens via PAM and via the Name Service Switch (nsswitch). In order to authenticate against LDAP, we need to install a few packages (ldap-auth-client pulls in libnss-ldap and libpam-ldap; on current releases this stack has been superseded by sssd, which can use the same sudoRole entries):

sudo apt-get install ldap-auth-client nscd

At first we create and configure /etc/ldap.conf:

host 127.0.0.1
base dc=testlab,dc=dev
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=testlab,dc=dev
ldap_version 3
bind_policy soft
nss_base_passwd         ou=Users,dc=testlab,dc=dev?one
nss_base_shadow         ou=Users,dc=testlab,dc=dev?one
nss_base_group          ou=Groups,dc=testlab,dc=dev?one
sudoers_base ou=Sudoers,dc=testlab,dc=dev
pam_password md5

A few settings in this file deserve a closer look:

rootbinddn: nss_ldap and pam_ldap bind as cn=admin for privileged lookups (shadow attributes, password changes) and read that account’s password from /etc/ldap.secret. Create the file with the password chosen in step 2, owned by root with mode 0600. Whoever can read it has full write access to the directory, sudo rules included.

uri: ldap://127.0.0.1/ is fine on the LDAP server itself. Clients on other hosts must not send passwords over cleartext LDAP; use ldaps:// or add ‘ssl start_tls’ with tls_cacertfile pointing at the CA certificate.

pam_password: md5 makes the client hash new passwords itself; exop uses the LDAP password modify extended operation instead, so the server applies its own configured hash (SSHA by default) and every password in the directory ends up in the same format.

bind_policy soft makes lookups fail immediately instead of retrying when the server is down; together with ‘files’ before ‘ldap’ in nsswitch.conf below, this keeps local logins responsive.

We replace /etc/ldap/ldap.conf with a symlink, so that the LDAP client library and sudo-ldap read the same settings as nss_ldap and pam_ldap, sudoers_base included (on Debian/Ubuntu /etc/sudo-ldap.conf is itself a symlink to /etc/ldap/ldap.conf; check with ls -l /etc/sudo-ldap.conf). The package already ships /etc/ldap/ldap.conf, so move it aside first:

sudo mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.orig
sudo ln -s /etc/ldap.conf /etc/ldap/ldap.conf

Next we configure our nsswitch.conf:

sudo auth-client-config -t nss -p lac_ldap

The order of the sources ‘files’ and ‘ldap’ is of high importance. For passwd, group and shadow, ‘files’ has to come first, so local accounts (root above all) are resolved from the local files and keep working when the LDAP server is unreachable. The ‘sudoers’ line has to be added by hand; with ‘ldap files’ sudo queries the directory first and then /etc/sudoers (see sudoers.ldap(5) for the exact fallback rules, including the [NOTFOUND=return] action).

/etc/nsswitch.conf

passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns ldap
networks: files ldap
netgroup: nis
sudoers: ldap files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
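Before you log out of the root shell you kept open, it is worth checking the two client files above mechanically. The following is an added example, not code from the original post or from any of the packages involved: the function names and the findings they print are our own, while the option names, paths and file syntax are those of nss_ldap/pam_ldap as used above. The last function talks to the live system and is only run on request.

```shell
#!/bin/sh
# Added example (not from the original post). The function names and the
# findings are ours; option names and paths are the ones used in the post.
set -u

# conf_get FILE KEY: value of the last "KEY value" line in FILE (ldap.conf syntax).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | tail -n 1
}

# check_ldap_conf FILE [SECRETFILE]: print one finding per line, return 1 if any.
check_ldap_conf() {
    f="$1"; secret="${2:-/etc/ldap.secret}"; rc=0
    uri=$(conf_get "$f" uri)
    rootbinddn=$(conf_get "$f" rootbinddn)
    pw=$(conf_get "$f" pam_password)
    [ -n "$(conf_get "$f" base)" ] || { echo "base missing"; rc=1; }
    [ -n "$(conf_get "$f" sudoers_base)" ] || { echo "sudoers_base missing: sudo-ldap cannot find ou=Sudoers"; rc=1; }
    case "$uri" in
        ldaps://*|ldapi://*|ldap://127.0.0.1*|ldap://localhost*) ;;
        ldap://*)
            # nss_ldap/pam_ldap only upgrade a plain ldap:// connection with "ssl start_tls"
            grep -q '^[[:space:]]*ssl[[:space:]]\{1,\}start_tls' "$f" ||
                { echo "uri $uri: passwords would cross the network in cleartext; use ldaps:// or 'ssl start_tls' with tls_cacertfile"; rc=1; } ;;
        *) echo "uri missing or unrecogn ised: '$uri'" | tr -d ' ' >/dev/null; echo "uri missing or unrecognised: '$uri'"; rc=1 ;;
    esac
    if [ -n "$rootbinddn" ]; then
        # rootbinddn binds as the directory admin for root's lookups; the password is
        # read from /etc/ldap.secret, which therefore must exist and be root-only
        if [ ! -f "$secret" ]; then
            echo "rootbinddn set but $secret does not exist"; rc=1
        else
            mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
            [ "$mode" = "600" ] || { echo "$secret is mode $mode, must be 0600"; rc=1; }
        fi
    fi
    case "$pw" in
        exop) ;;
        *) echo "pam_password '$pw': prefer exop, so slapd applies its own password hash"; rc=1 ;;
    esac
    return $rc
}

# check_nsswitch FILE: files before ldap for passwd/group/shadow (root and the
# emergency accounts keep working when slapd is down) and a sudoers line with
# ldap, otherwise the sudoRole entries are never consulted.
check_nsswitch() {
    f="$1"; rc=0
    for db in passwd group shadow; do
        srcs=$(sed -n "s/^$db:[[:space:]]*//p" "$f")
        case "$srcs" in
            files*ldap*) ;;
            *ldap*) echo "$db: '$srcs', put files before ldap"; rc=1 ;;
            *) echo "$db: ldap not listed"; rc=1 ;;
        esac
    done
    grep -q '^sudoers:.*ldap' "$f" || { echo "sudoers: no ldap source"; rc=1; }
    return $rc
}

# verify_live USER GROUP: end-to-end check on a configured client with slapd up.
verify_live() {
    u="$1"; g="$2"; rc=0
    getent passwd "$u" >/dev/null || { echo "passwd: $u not resolved via NSS"; rc=1; }
    getent group "$g" >/dev/null || { echo "group: $g not resolved via NSS"; rc=1; }
    sudo -l -U "$u" 2>/dev/null | grep -q 'may run the following' ||
        { echo "sudo: no rule found for $u (check sudoers_base and the sudoUser value)"; rc=1; }
    return $rc
}

# usage: sh audit-ldap-client.sh audit
#        sh audit-ldap-client.sh live mySudoUser mySudoGroup
case "${1:-}" in
    audit) check_ldap_conf /etc/ldap.conf; check_nsswitch /etc/nsswitch.conf ;;
    live)  verify_live "${2:?user}" "${3:?group}" ;;
esac
```

The audit flags the demo configuration above on two counts (no /etc/ldap.secret yet, and pam_password md5), which is the intended outcome: both are things to fix before the box leaves the lab. The live check uses getent and sudo -l -U, so it exercises the whole chain from nsswitch through NSS to the sudoRole lookup.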

PAM

After nsswitch.conf is done, we focus on setting up the PAM environment. Optionally we let PAM create the local home directories on first login (the homeDirectory of our demo user, /profiles/sudora, does not exist on the client yet). Let’s create the config fragment for pam-auth-update:

sudo nano /usr/share/pam-configs/mkhomedir

/usr/share/pam-configs/mkhomedir

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel

Then we are able to configure PAM properly:

sudo pam-auth-update

Make sure that at least the following options are checked:

pam-auth-update

[*] Unix Authentication
[*] LDAP Authentication
[*] activate mkhomedir

From now on, the first time an LDAP user logs in on the client, the directory given in the user’s homeDirectory attribute is created from /etc/skel.

7. Dumps of the resulting LDAP configuration

For reference, this is what the two cn=config entries look like after all the steps above. Pay attention to the olcAccess rules of the data database: rule {0} protects userPassword and shadowLastChange, but rule {2} lets anybody, anonymous binds included, read everything else, sudoRole entries and all. The NSS lookups in this guide rely on that (processes other than root bind anonymously), so if you tighten it to ‘by users read’ you also need a binddn and bindpw in /etc/ldap.conf, and that file is readable by every local user.

cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif


# output
# AUTO-GENERATED FILE – DO NOT EDIT!! Use ldapmodify.
# CRC32 ad778726
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=testlab,dc=dev
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=testlab,dc=dev" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=testlab,dc=dev" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=testlab,dc=dev
olcRootPW:: e1NTSEF9TEZDZzYzUW9JeEdBM0xWYlhRQkd6eGVmSzNTSTVIMnk=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: sudoUser eq,sub
olcDbIndex: cn eq
structuralObjectClass: olcHdbConfig
entryUUID: df30cc88-5f76-1033-9603-1365e0375bee
creatorsName: cn=config
createTimestamp: 20140423210624Z
entryCSN: 20140424002650.397541Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140424002650Z

cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif

# output
# AUTO-GENERATED FILE – DO NOT EDIT!! Use ldapmodify.
# CRC32 7d56d2a8
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: df302cd8-5f76-1033-95fb-1365e0375bee
creatorsName: cn=config
createTimestamp: 20140423210624Z
entryCSN: 20140423210624.249945Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140423210624Z

Conclusion

So, now we can finally be admins and users at once. We do not have to change accounts when entering directories or if we want to modify files. This is neat. Keep in mind what the convenience rests on: every host that points at ou=Sudoers now takes its root permissions from the directory, so the cn=admin password, /etc/ldap.secret and the transport between clients and server deserve the same care as /etc/sudoers itself. If you want to go in-depth concerning your LDAP directories, we highly recommend taking a look at shelldap; you can find the Ubuntu documentation here.

This tutorial was created by our fellow developer webDAVe. Do you feel there’s anything missing? Have you released the kraken? If you have any questions, feel free to comment either here or on our Google+ page!


Christopher Semmler

Christopher Semmler is our CEO and works in our IT and Finance Division. Apart from Business Development he makes technology decisions, works on platforms and Digital Marketing. He holds a Magister degree in Corporate Finance and Information Systems, loves to play with new tech and is specialised in the low level area.

Comments

  • Sven (not verified)

    Great post- will study this carefully.

  • Radit (not verified)

    I've got an error when trying to add with this command:
    ldapadd -f ~/ldapdata/add_data.ldif -x -D "cn=admin,dc=testlab,dc=dev" -W
    ldap_add: Invalid syntax (21) additional info: gidNumber: value #0 invalid per syntax

  • Saqib Ali (not verified)

    Are there any GUI based apps for managing Sudoer Rules in LDAP? Using an LDAP Browser is not a very user-friendly way for managing a large number of Sudo Rules. FreeIPA has a UI for managing Sudoer Rules, but it requires 389 Directory Server, and we don't use that in our environment (for good reasons)
