Home
Danger Mouse

January 2009

S M T W T F S
    123
45678910
11121314151617
18192021222324
25262728293031

Links

Powered by LiveJournal.com
Danger Mouse

LDAP + sudo == sysadmin happiness

mood: accomplished
Using the latest release of sudo, I was finally able to get sudo working with LDAP enabled on RHEL/CentOS 4. Previously, I had no trouble getting sudo working with LDAP on RHEL3 and RHEL5. However, when I added '--with-ldap' to the compile options on RHEL4, it completely broke sudo, preventing it from authenticating anything.

This is a huge win for us at work, because it makes handling sudo configurations significantly easier. Normally, you have to store the configuration in /etc/sudoers on every single box. With this, you can store your sudo configuration in LDAP, and have all of the sudo rules in a single centralized location. Update it once, and all configured machines will then pull it.

I've become a big fan of LDAP, and with sudo supporting it, I think that anyone using LDAP and not storing sudo information in LDAP is crazy.
Tags: , ,

Posted on Apr. 14th, 2008 at 12:24 pm | | Leave a comment | Add to Memories | Tell a Friend

Comments


[info]chezmax

You know, every time I try to do any research into LDAP, I run into a giant wall. All the descriptions are either too high-level (it's a directory service!) or too low-level (attribute formats), without any sort of medium-level bit. And that there doesn't seem to be any standard way to run these things. Grrr, so mostly LDAP just confuses me. :/
Posted on Apr. 14th, 2008 08:02 pm (UTC) | | Thread | Reply

[info]kraig

My experience has been that there isn't really a medium level, although I found compiling a glossary helped. I can send you what I have (not very big though) if you like, along with some pointers to articles I found helped.

I'm currently not the best of friends with LDAP, since it's making me look bad on a cluster. >:< Caches results for too long - ironically, some of them membership in groups for sudo - and I can't figure out why.
Posted on Apr. 15th, 2008 02:32 am (UTC) | | Parent | Thread | Reply

[info]topher

nscd?

Check nscd (Name Service Cache Daemon), if you haven't yet. It has a tendency to cache a lot of the things that get looked up via LDAP, especially user and group information.

If it's running, you can try shutting it off so all lookups will be repeated (increases traffic hitting LDAP server), or you can also potentially clear the local cache of a specific table, like nscd -i group or nscd -i passwd.
Posted on Apr. 15th, 2008 03:11 am (UTC) | | Parent | Thread | Reply

[info]kraig

Re: nscd?

I've restarted it, but haven't tried clearing a specific table's cache - will do that when I'm back at work next week... thanks.
Posted on Apr. 15th, 2008 03:49 pm (UTC) | | Parent | Thread | Reply

[info]kraig

Re: nscd?

Finally got a chance to check this - I disabled nscd altogether, no joy. Same with nscd -i group. Tres weird. I hate opensuse.
Posted on Apr. 22nd, 2008 07:15 pm (UTC) | | Parent | Thread | Reply

[info]topher

Re: nscd?

Darn, I was hoping that might do the trick. If I think of anything else, I'll let you know. I don't really use SuSE at all, though, so I'm not real familiar with it's quirks.
Posted on Apr. 22nd, 2008 10:08 pm (UTC) | | Parent | Thread | Reply

[info]kraig

Re: nscd?

Yeah. The changes do seem to get seen by sudo eventually, which does suggest some level of caching - but where it is is beyond me. It isn't nscd. :(
Posted on Apr. 22nd, 2008 10:52 pm (UTC) | | Parent | Thread | Reply

[info]kraig

Re: nscd?

Their docs say to restart nscd to hurry things along. So clearly something's up, but I dunno what.

User additions take effect almost immediately, so it's just groups... very weird.
Posted on Apr. 23rd, 2008 01:28 am (UTC) | | Parent | Thread | Reply

[info]topher

LDAP Confusion.

I know what you mean. I went through the same thing the first few times I looked at it.

A few things that helped me with it were:
  • Thinking of it fundamentally as a database. A slightly unusual database that isn't SQL related, is generally read significantly more frequently than it is written, but is still a database.

  • From a system administration perspective, seeing how common system files such as /etc/passwd and /etc/group map to LDAP, and also how some of the less common, but easily as useful system config files, like automountd/AutoFS configs and /etc/sudoers and also be
    mapped to LDAP.

  • From a user directory perspective, it can be interesting to see how users are stored, along with informaion about them. Using LDAP for a user directory is very common.

  • It's hierarchical or tree-like. There's an LDAP root (in most modern cases, based on a domain name), and everything else goes from that.

  • It is extremely extensible by defining new schemas. New schemas allow you to define new entries and attributes, giving you a level of flexibility not unlike what you get with XML. Writing LDAP schemas is definitely non-trivial, but it's what allows you to store arbitrary information in an LDAP database relatively easily (and in a fairly portable way).

Posted on Apr. 15th, 2008 03:05 am (UTC) | | Parent | Thread | Reply

[info]chezmax

Re: LDAP Confusion.

Tree-like: Why are trees useful for this sort of database?

Do you have an example of what an LDAP database looks like?
Posted on Apr. 16th, 2008 11:51 pm (UTC) | | Parent | Thread | Reply

[info]asmodeusb

Another option is to put sudoers under revision control. Either have the change process push it out (if you need changes to be immediate cluster-wide), or have each node checkout (or check for changes) ever X amount of time.

So far, whenever anyone's suggested LDAP for me, I've ran across something intersecting my current knowledge, so I've never taken the time to learn it.
Posted on Apr. 19th, 2008 12:41 pm (UTC) | | Thread | Reply

[info]kraig

That's akin to rsyncing passwd/shadow files around. Gross. :(

Granted, that's what we do in the Solaris environments here already anyway.
Posted on Apr. 22nd, 2008 07:16 pm (UTC) | | Parent | Thread | Reply