OpenLDAP With Sudo

                             OpenLDAP With Sudo User Document.
                         I have Useing RHEL6.4 or Centos 6.4 64Bit

OpenLDAP Server Installation Stap

1. install Below Packages in you Local Yum.
# yum install openldap* migrationtools nss-pam-ldapd pam_ldap.x86_64

2. Copy DB_CONFIG file in ldap DB Folder.
# cp /usr/share/openldap-servers/DB_CONFIG.example  /var/lib/ldap/DB_CONFIG

3. Copy slapd.conf configuretion file openldap folder.
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

4. Create Ldap root User Password in incrypt form.
# slappasswd
passowd XXXX
retry password XXXX

5. configure slapd.conf
# vim /etc/openldap/slapd.conf
change below Lines.

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.

include         /etc/openldap/schema/corba.schema

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none

# database definitions

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw                  {SSHA}J/g2NRCo3kWVnBUHyShBm5ITqb6zp9i+
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# Indices to maintain for this database
index    sudoUser                  eq

# updatedb

# vim /etc/sysconfig/ldap

6. Configure openldap certificate and Key file.
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout  /etc/pki/tls/certs/examplekey.pem -days 1825
Generating a 2048 bit RSA private key
writing new private key to '/etc/pki/tls/certs/examplekey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []
Email Address []

# cp -rv /etc/openldap/slapd.d /etc/openldap/slapd.d-ORG
# rm -rf /etc/openldap/slapd.d/*
# chown -R ldap.ldap /etc/openldap/slapd.d/*
# chown -R ldap.ldap /var/lib/ldap/*
# slapcat -f slapd.conf -F /etc/openldap/slapd.d/  -n 0

6. Configure Database ldif file.
# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
edit Below Line
olcRootPW: {SSHA}J/g2NRCo3kWVnBUHyShBm5ITqb6zp9i+
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/example.pem

# /etc/init.d/slapd restart
# chkconfig slapd on

# mkdir /home/guests
# for i in {1..5}; do useradd  -d /home/guests/ldapuser$i ldapuser$i -u 100$i ; echo "redhat" | passwd  --stdin ldapuser$i; done
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
Changing password for user ldapuser3.
passwd: all authentication tokens updated successfully.
Changing password for user ldapuser4.
passwd: all authentication tokens updated successfully.
Changing password for user ldapuser5.
passwd: all authentication tokens updated successfully.

# cd /usr/share/migrationtools/
# vim
edit below line
$NAMINGCONTEXT{'group'}             = "ou=Groups";
$DEFAULT_BASE = "dc=example,dc=com";

# getent passwd | tail -n 5
# getent passwd | tail -n 5  > /root/users

# getent group | tail -n 5
# getent group | tail -n 5  > /root/group

# getent shadow | tail -n 5
# getent shadow | tail -n 5  > /root/password

# vim

# ./  > /root/base.ldif
# ./ /root/users > /root/users.ldif
# ./ /root/group  > /root/group.ldif
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=Hosts,dc=example,dc=com"
adding new entry "ou=Rpc,dc=example,dc=com"
adding new entry "ou=Services,dc=example,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=example,dc=com"
adding new entry "ou=Mounts,dc=example,dc=com"
adding new entry "ou=Networks,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "ou=Netgroup,dc=example,dc=com"
adding new entry "ou=Protocols,dc=example,dc=com"
adding new entry "ou=Aliases,dc=example,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=example,dc=com"

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser3,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser4,ou=People,dc=example,dc=com"
adding new entry "uid=ldapuser5,ou=People,dc=example,dc=com"

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/group.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Groups,dc=example,dc=com"
adding new entry "cn=ldapuser2,ou=Groups,dc=example,dc=com"
adding new entry "cn=ldapuser3,ou=Groups,dc=example,dc=com"
adding new entry "cn=ldapuser4,ou=Groups,dc=example,dc=com"
adding new entry "cn=ldapuser5,ou=Groups,dc=example,dc=com"

# ldapsearch -x -b "dc=example,dc=com" | less

OpenLDAP is Completed  and now we are going to Sudo Configure

vim /root/sudo.ldif (edit below line)
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/sudo.ldif
Enter LDAP Password:
adding new entry "ou=SUDOers,dc=example,dc=com"

# SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
# cd /usr/share/doc/sudo-1.8.6p3
# chmod +x sudoers2ldif

# ./sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif
# vim /tmp/sudoers.ldif (edit 2 lines)
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
sudoOption: env_keep += "QTDIR KDEDIR"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=ldapuser1,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ldapuser1
sudoUser: ldapuser1
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: /sbin/fdisk
sudoOrder: 2

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /tmp/sudoers.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=example,dc=com"
adding new entry "cn=root,ou=SUDOers,dc=example,dc=com"
adding new entry "cn=ldapuser1,ou=SUDOers,dc=example,dc=com"

# vim /root/user_sudo.ldif
dn: cn=ldapuser2,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ldapuser2
sudoUser: ldapuser2
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoCommand: !/bin/rm

sudoOrder: 2

# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/user_sudo.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser2,ou=SUDOers,dc=example,dc=com"

Client Side.
# vim /etc/sudo-ldap.conf
uri ldap://ldapserver IP
sudoers_base ou=SUDOers,dc=example,dc=com

# vim /etc/nsswitch.conf
sudoers:    ldap files

# authconfig-tui
Starting nslcd:                                            [  OK  ]
# getent passwd ldapuser1
# su - ldapuser1
$ sudo fdisk -l
sudo: unknown defaults entry `env_keep '
sudo: unknown defaults entry `env_keep '
sudo: unknown defaults entry `secure_path '
[sudo] password for ldapuser1:

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00086c8c

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          64      512000   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              64        2611    20458496   8e  Linux LVM
$ exit
# su - ldapuser2
$ sudo rm -rf /var/log/maillog
sudo: unknown defaults entry `env_keep '
sudo: unknown defaults entry `env_keep '
sudo: unknown defaults entry `secure_path '
[sudo] password for ldapuser2:
Sorry, user ldapuser2 is not allowed to execute '/bin/rm -rf /var/log/maillog' as root on


  1. Excellent article. Thanks for sharing. May I suggest though to replace the line containing:


Post a Comment

Popular posts from this blog

PCS Corosync Pacemaker Cluster Mariadb using NFS

How to install and configure node js and PM2 in rhel7

How to Create or Configure iSCSI Server and Clinet