Not to digress too much off topic here, but I'm not sure about your comment
on using groups; we've organized privileges into entries like this:
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
sudoHost: sasapp*.prod.foo.com
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse
cn: reporting_admin_on_sas
Note that you can have any number of sudoCommand|sudoUser entries, so you can
organize this CN around what the people in these groups need to do on this
box.
One of my co-workers wrote a script that exports the sudo entries in the
directory to /etc/sudoers to handle the case of legacy machines that are too
old or broken to have native sudo LDAP lookups (of course they still need to
be able to look up uids/gids in the directory for this to work).
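The export script described above is not shown in the thread; the following is an added example, not the poster's script, of how such an export can be done safely. It parses sudoRole entries from an LDIF dump (the sample LDIF below is constructed, modelled on the entry in the post) and renders each one as a sudoers line. The security-relevant part is the validation: a value copied verbatim from the directory that contains a comma, newline, `#` or backslash would change the meaning of the generated sudoers line, and an unknown sudoOption is rejected rather than silently dropped, since dropping an option such as a restriction could widen privileges. All function names are this example's own.

```python
"""Export sudoRole entries from an LDIF dump into /etc/sudoers syntax (example code)."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample LDIF, modelled on the entry in the post; not a real directory export.
# The second entry is deliberately malformed to show why values must be validated.
SAMPLE_LDIF = """\
# constructed sample dump
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
objectClass: top
cn: reporting_admin_on_sas
sudoHost: sasapp*.prod.foo.com
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse

dn: cn=bad_entry,ou=sudoers,ou=foo,dc=com
objectClass: sudoRole
cn: bad_entry
sudoHost: ALL
sudoUser: alice
sudoCommand: /bin/ls, ALL
"""

# Characters that would alter the meaning of a sudoers line if copied through verbatim.
_FORBIDDEN = re.compile(r"[,\r\n#\\]")

# sudoOption values this exporter knows how to translate; anything else fails closed.
_OPTION_TAGS = {"!authenticate": "NOPASSWD:", "authenticate": "PASSWD:"}

_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries; attribute names are lowercased (LDAP is case-insensitive)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        # A line starting with a single space continues the previous line.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":               # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_value(attr: str, value: str) -> None:
    """Reject values that would change sudoers semantics when written to the file."""
    if not value or _FORBIDDEN.search(value):
        raise ValueError(f"{attr} value {value!r} is empty or contains sudoers metacharacters")


def role_to_sudoers(entry: Dict[str, List[str]]) -> str:
    """Render one sudoRole entry as a 'User_List Host_List = (Runas) Tag: Cmnd_List' line."""
    users = entry.get("sudouser", [])
    hosts = entry.get("sudohost", [])
    cmds = entry.get("sudocommand", [])
    if not (users and hosts and cmds):
        raise ValueError("sudoRole needs sudoUser, sudoHost and sudoCommand")
    for attr, values in (("sudoUser", users), ("sudoHost", hosts), ("sudoCommand", cmds)):
        for v in values:
            check_value(attr, v)
    runas = ""
    if entry.get("sudorunasuser"):
        for v in entry["sudorunasuser"]:
            check_value("sudoRunAsUser", v)
        runas = "(" + ", ".join(entry["sudorunasuser"]) + ") "
    tags = ""
    for opt in entry.get("sudooption", []):
        if opt not in _OPTION_TAGS:
            raise ValueError(f"unsupported sudoOption {opt!r}; refusing to drop it silently")
        tags += _OPTION_TAGS[opt] + " "
    return f"{', '.join(users)} {', '.join(hosts)} = {runas}{tags}{', '.join(cmds)}"


def export_sudoers(ldif_text: str) -> Tuple[List[str], List[str]]:
    """Return (sudoers lines, rejection messages) for all sudoRole entries in the dump."""
    lines: List[str] = []
    errors: List[str] = []
    for entry in parse_ldif(ldif_text):
        if "sudorole" not in [oc.lower() for oc in entry.get("objectclass", [])]:
            continue  # ignore non-sudoRole entries in a mixed dump
        dn = entry.get("dn", ["<no dn>"])[0]
        try:
            lines.append(role_to_sudoers(entry))
        except ValueError as exc:
            errors.append(f"{dn}: {exc}")
    return lines, errors


if __name__ == "__main__":
    out, errs = export_sudoers(SAMPLE_LDIF)
    print("# Generated from LDAP sudoRole entries; check with 'visudo -c -f <file>' before installing")
    print("\n".join(out))
    for e in errs:
        print("# REJECTED", e)
```

Write the result to a temporary file and run `visudo -c -f` on it before moving it into place, so a rendering mistake never leaves the host with an unparseable sudoers file; the rejection list should be treated as an alert, since it means a directory entry would not round-trip cleanly to the file.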
On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across(a)itasoftware.com> wrote:
We're going to go with sudoers in ldap, not because I think
it's better,
but because it's somewhat more secure. I think the layout of how it's
managed in ldap is much inferior (having to declare each group multiple
times, and not being able to apply privileges to a *group*, is stupid) but
it is at least someplace where I know the clever people can't get easy
access to it, and if the sudoers file gets modified, I can have tripwire
scream.
-- juniper
----- Original Message -----
From: "Kenneth Holter" <kenneho.ndu(a)gmail.com>
To: fedora-directory-users(a)redhat.com
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
Hi.
We're working on setting up Red Hat Directory Server (RHDS), and need to
make a decision about whether sudo information should be defined as
sudo-objects in the directory server, or if we should stick to /etc/sudoers.
I've played around with sudo-objects in the directory server, and got it
working. But the way I see it, maintaining sudo information in /etc/sudoers
is much easier than maintaining it in a directory server. In the latter
case, I'd either have to use the GUI, or write scripts/ldif files to make
necessary changes to the sudo setup, and they both seem less intuitive than
simply editing the /etc/sudoers file.
I'd very much like to hear from others on their thoughts on whether to
maintain sudo information in /etc/sudoers or in the directory server, so
please feel free to post a reply.
Best regards,
Kenneth Holter
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users