Not to digress too much off topic here, but I'm not sure about your comment on using groups- we've organized privileges into entry's like this:

cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
sudoHost: sasapp*.prod.foo.com
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse
cn: reporting_admin_on_sas

Note that you can have N number of sudoCommand|sudoUser entry's, so you can organize this CN around what the people in these groups need todo on this box.

One of my co-workers wrote a script that exports the sudo entries in the directory to /etc/sudoers to handle the case of legacy machines that are too old or broken to have native sudo ldap lookups (of course they still need to be able to lookup uid's/gid's in the directory for this to work).


On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross <across@itasoftware.com> wrote:
We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure.  I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.

-- juniper

----- Original Message -----
From: "Kenneth Holter" <kenneho.ndu@gmail.com>
To: fedora-directory-users@redhat.com
Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server



Hi.


We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about wether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file.

I'd very much like to hear from others on their thoughts on wether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.


Best regards,
Kenneth Holter
--
389 users mailing list
389-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users