--- /dev/null
+This file explains how to use the optional LDAP functionality of SUDO to
+store /etc/sudoers information. This feature is separate from LDAP passwords.
+
+LDAP philosophy
+===============
+As times change and servers become cheap, an enterprise can easily have 500+
+UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and
+others across an enterprise can greatly reduce the administrative overhead.
+
+Sudo in the past has only used a single local configuration file /etc/sudoers.
+Some have attempted to workaround this by synchronizing changes via
+RCS/CVS/RSYNC/RDIST/RCP/SCP and even NFS. Many have asked for a Hesiod, NIS,
+or LDAP patch for sudo, so here is my attempt at LDAP'izing sudo.
+
+Definitions
+===========
+Many times the word 'Directory' is used in the document to refer to the LDAP
+server, structure and contents.
+
+Many times 'options' are used in this document to refer to sudoer 'defaults'.
+They are on in the same.
+
+Design Features
+===============
+
+ * Sudo no longer needs to read all sudoers. Parsing of /etc/sudoers requires
+ the entire file to be read. The LDAP feature of sudo uses two
+ (sometimes three) LDAP queries per invocation. It never reads the
+ all the sudoer entries in the LDAP store. This makes it
+ especially fast and particularly usable in LDAP environments.
+ The first query is to parse default options (see below). The second
+ is to match against the username or groups a user belongs to.
+ (The special ALL tag is matched in this query too.)
+ If not match is against the username, the third query pulls the entries
+ that match against user netgroups to compare back to the user.
+
+ * Sudo no longer blows up if there is a typo. Parsing of /etc/sudoers can
+ still blow up when sudo is invoked. However when using the LDAP feature
+ of sudo, LDAP syntax rules are applied before the data is uploaded into
+ the LDAP server, so proper syntax is always guaranteed!
+ One can of course still insert a bogus hostname or username,
+ but sudo will not care.
+
+ * Options inside of entries now override global default options.
+ /etc/sudoers allowed for only default options and limited options
+ associated with user/host/command aliases. The syntax can be difficult
+ for the newbie. The LDAP feature attempts to simplify this and yet
+ still provide maximum flexibility.
+
+ Sudo first looks for an entry called 'cn=default' in the SUDOers
+ container. If found, the multi-valued sudoOption attribute is parsed
+ the same way the global 'Defaults' line in /etc/sudoers is parsed.
+
+ If on the second or third query, a response containing a sudoRole
+ which matches against the user, host, and command, then the matched
+ object is scanned for a additional options to override the top-level
+ defaults. See the Example LDAP content below for more information.
+
+ * Visudo is no longer needed. Visudo provides locking and syntax checking
+ against the /etc/sudoers file. Since LDAP updates are atomic, locking
+ is no longer necessary. Because syntax is checked when the data is
+ inserted into LDAP, the sudoers syntax check becomes unnecessary.
+
+ * Aliases are no longer needed. User, Host, and Command Aliases were setup
+ to allow simplification and readability of the sudoers files. Since the
+ LDAP sudoer entry allows multiple values for each of its attributes and
+ since most LDAP browsers are graphical and easy to work with, original
+ aliases are no longer needed.
+
+ If you want to specify lots of users into an entry or want to have
+ similar entries with identical users, then use either groups or user
+ netgroups. Thats what groups and netgroups are for and Sudo handles
+ this well. Or just paste them all into the LDAP record.
+
+ If you want to specify lots of hosts into an entry, use netgroups or
+ IP address matches (10.2.3.4/255.255.0.0). Thats what netgroups are
+ for and Sudo handles this well. Or just past them all into the LDAP
+ record.
+
+ If you want to specify lots of commands, use directories or wildcards,
+ or just paste them all into LDAP. That's what it's for.
+
+ * The /etc/sudoers file can be disabled. Paranoid security administrators
+ can now disallow parsing of any local /etc/sudoers file by an LDAP
+ sudoOption '!local_sudoers'. This way all sudoers can be controlled
+ and audited in one place because local entries are not allowed.
+ In the future, this file may not be present.
+ BUG: THIS OPTION IS NOT IMPLEMENTED YET.
+
+ * The sudo binary compiled with LDAP support should be totally
+ backward compatible and be syntactically and source code equivalent
+ to its non LDAP-enabled build.
+
+
+Build instructions
+==================
+The most simplest way to build sudo with LDAP support is to include the
+'--with-ldap' option. I recommend including the '--with-pam' option on those
+system with PAM so that if you decide to use LDAP for authentication, you won't
+need to recompile sudo.
+
+ $ ./configure --with-ldap --with-pam
+
+If your ldap libraries and headers are in a non standard place, you will need
+to specify them at configure time.
+
+ $ CPPFLAGS="-I/usr/local/ldapsdk/include" \
+ > LDFLAGS="-L/usr/local/ldapsdk/lib" \
+ > ./configure --with-ldap --with-pam
+
+In early revs of sudo where the '--with-ldap' option is not available, you
+need to manually append '#define HAVE_LDAP 1' to config.h and set
+LIBS='-lldap' in Makefile.
+
+Sudo by default builds against OpenLDAP's libraries. For others LDAP
+libraries such as Netscape, iPlanet, Mozilla, SecureWay, add these lines
+to config.h before running make:
+
+ #undef HAVE_LDAP_INITIALIZE
+ #define HAVE_LBER_H
+
+You might have to also include '-llber' or '-lldif' in your LIBS.
+
+Your Mileage may vary. Please let Aaron Spangler <aaron@spangler.ods.org>
+know what combinations worked best for your OS & LDAP Combinations so
+we can improve sudo.
+
+Schema Changes
+==============
+Add the following schema to your LDAP server so that it may contain sudoer
+content. In OpenLDAP, simply place this into a new file and 'include' it
+in your slapd.conf and restart slapd. For other LDAP servers, provide this
+to your LDAP Administrator. Make sure to index the attribute 'sudoUser'.
+
+
+ #
+ # schema file for sudo
+ #
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $
+ description )
+ )
+
+
+Importing /etc/sudoers to LDAP
+==============================
+Importing is a two step process.
+
+Step 1:
+Ask your LDAP Administrator where to create the ou=SUDOers container.
+(An example location is shown below). Then use the provided script to convert
+your sudoers file into LDIF format. The script will also convert any default
+options.
+
+ # SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
+ # export SUDOERS_BASE
+ # ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
+
+Step 2:
+Import into your directory server. If you are using OpenLDAP, do the following
+if you are using another directory, provide the LDIF file to your LDAP
+Administrator. An example is shown below.
+
+ # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
+ > -D cn=Manager,dc=example,dc=com -W -x
+
+Example sudoers Entries in LDAP
+===============================
+The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains sudoUser(s),
+sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).
+<put an example here>
+
+Managing LDAP entries
+=====================
+Doing a one-time bulk load of your ldap entries is fine. However what if you
+need to make minor changes on a daily basis? It doesn't make sense to delete
+and re-add objects. (You can, but this is tedious).
+
+I recommend using any of the following LDAP browsers to administer your SUDOers.
+ * GQ - The gentleman's LDAP client - Open Source - I use this a lot on
+ Linux and since it is Schema aware, I don't need to create a sudoRole
+ template.
+ http://biot.com/gq/
+
+ * LDAP Browser/Editor - by Jarek Gawor - I use this a lot on Windows
+ and Solaris. It runs anywhere in a Java Virtual Machine including
+ web pages. You have to make a template from an existing sudoRole entry.
+ http://www.iit.edu/~gawojar/ldap
+ http://www.mcs.anl.gov/~gawor/ldap
+ http://ldapmanager.com
+
+ There are dozens of others, some open source, some free, some not.
+
+
+Configure your /etc/ldap.conf
+=============================
+The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
+and other ldap applications and modules. IBM Secureway unfortunately uses
+the same filename but has a different syntax. If you need to rename where
+this file is stored, recompile SUDO with the -DLDAP_CONFIG compile option.
+
+Make sure you sudoers_base matches exactly with the location you specified
+when you imported the sudoers. Below is an example /etc/ldap.conf
+
+ # Either specify a uri or host & port
+ #host ldapserver
+ #port 389
+ uri ldap://ldapserver
+ #
+ # must be set or sudo will ignore LDAP
+ sudoers_base ou=SUDOers,dc=example,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #
+ # LDAP Protocol Version defaults to 3
+ #ldap_version 3
+ #
+
+Debugging your LDAP configuration
+=================================
+Enable debugging if you think sudo is not parsing LDAP the way you think it
+it should. A value of 1 shows moderate debugging. A value of 2 shows the
+results of the matches themselves. Make sure to set the value back to zero
+so that other users don't get confused by the debugging messages. This value
+is 'sudoers_debug' in the /etc/ldap.conf.
+
+Configure your /etc/nsswitch.conf
+=================================
+At the time of this writing, sudo does not consult nsswitch.conf for the
+search order. But if it did, it would look like this:
+This might be implemented in the future. For now just skip this step.
+
+ sudoers: files ldap
+
projects / sudo / commitdiff