http://pig.made-it.com/ldap-sudoers.html
https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
http://qiita.com/T_Tsan/items/5ea2563450ed2d2ee20f
http://edo.blog.jp/archives/1538669.html
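# Install sudo and convert the OpenLDAP sudo schema it ships into LDIF form.
yum -y install sudo
# The schema lives under the versioned sudo doc directory; resolve the version with a
# glob instead of hard-coding sudo-1.8.6p7 so this still works after a package update.
set -- /usr/share/doc/sudo-*/schema.OpenLDAP
cp "$1" /etc/openldap/schema/sudo.schema
# Throw-away config that only includes the new schema; slaptest renders it as cn=config LDIF.
echo 'include /etc/openldap/schema/sudo.schema' > /tmp/sudo.conf
# Plain mkdir (no -p) on purpose: /tmp is shared, and failing on a pre-existing
# /tmp/sudo is safer than writing generated config into a directory someone else created.
mkdir /tmp/sudo
slaptest -f /tmp/sudo.conf -F /tmp/sudo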
# vim /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif
替換
dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo
爲
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
刪除
structuralObjectClass: olcSchemaConfig
entryUUID: bd975dc0-1654-1036-9c97-c37d6a498779
creatorsName: cn=config
createTimestamp: 20160924034303Z
entryCSN: 20160924034303.121340Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160924034303Z
# Keep the converted LDIF next to the other schema files. The slapd.conf-based steps
# that follow include sudo.schema directly, so this copy only matters for a
# cn=config deployment that loads the schema with ldapadd.
SUDO_LDIF='/tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif'
cp "$SUDO_LDIF" /etc/openldap/schema/sudo.ldif
vim /etc/openldap/slapd.conf
添加 include /etc/openldap/schema/sudo.schema
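# Regenerate slapd.d from slapd.conf so the sudo schema include takes effect.
# Validate slapd.conf first (dry run): the original wiped slapd.d before running
# slaptest, so a typo in the include would have left slapd with no configuration
# at all and a failing restart. A dated copy of the old slapd.d is kept for rollback.
slaptest -u -f /etc/openldap/slapd.conf \
  && cp -a /etc/openldap/slapd.d "/etc/openldap/slapd.d.bak-$(date +%Y%m%d%H%M%S)" \
  && rm -rf /etc/openldap/slapd.d/* \
  && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && chown -R ldap:ldap /etc/openldap/slapd.d \
  && systemctl restart slapd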
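# sudoer.ldif -- sudo policy stored in LDAP using the sudoRole schema (sudoers.ldap(5)).
# Loaded with: ldapadd -x -W -H ldaps:/// -D <bind dn> -f sudoer.ldif

# Container for the sudoRole entries. sssd's ldap_sudo_search_base must point here
# (ou values compare case-insensitively, so ou=Sudoer in sssd.conf still matches).
dn: ou=sudoer,dc=suntv,dc=tv
ou: sudoer
objectClass: top
objectClass: organizationalUnit

# Global Defaults. sudo looks this entry up as cn=defaults, so the RDN and the cn
# attribute have to agree; the original used dn cn=default with cn: defaults, which
# OpenLDAP should refuse as a naming violation (RDN value missing from the entry).
dn: cn=defaults,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOption: logfile = /var/log/sudo
# The original "sudoOption: %g01, %g02 !requiretty" has no LDAP equivalent: per-user
# and per-group Defaults are a sudoers-file feature, and the sudo -l output on this
# page still lists requiretty as active. The override is set per role below instead.

# Group g01: password-less sudo for everything except a deny-list
# (no su, no editing of sudoers, no user/group management, no raw shells).
# NOTE(review): sudoers(5) documents that subtracting commands from ALL with "!"
# is not an effective restriction, and "!authenticate" removes the password prompt
# on top of that. Treat this role as root-equivalent, or replace "ALL" with an
# explicit allow-list of the commands g01 actually needs.
dn: cn=%g01,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g01
sudoUser: %g01
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !requiretty
sudoCommand: ALL
sudoCommand: !/bin/su*
sudoCommand: !/usr/bin/vim /etc/sudoers*
sudoCommand: !/bin/vi /etc/sudoers*
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/usr/sbin/adduser*
sudoCommand: !/usr/sbin/useradd*
sudoCommand: !/usr/sbin/userdel*
sudoCommand: !/usr/sbin/groupadd*
sudoCommand: !/usr/sbin/groupdel*
sudoCommand: !/bin/sh
sudoCommand: !/bin/bash
sudoCommand: !/usr/bin/login

# Group g02: password-less sudo for everything except "sudo su".
# Same caveat as above: a single "!" exclusion after ALL is not a security boundary.
dn: cn=%g02,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g02
sudoUser: %g02
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !requiretty
sudoCommand: ALL
sudoCommand: !/bin/su*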
# Reload the sudo subtree: remove the old ou=sudoer tree recursively, then add
# sudoer.ldif. -W prompts for the bind password instead of taking it on the
# command line, so it does not end up in shell history or the process list.
BIND_DN='cn=manager,dc=suntv,dc=tv'
LDAP_URI='ldaps:///'
ldapdelete -x -W -H "$LDAP_URI" -D "$BIND_DN" -r 'ou=sudoer,dc=suntv,dc=tv'
ldapadd -x -W -H "$LDAP_URI" -D "$BIND_DN" -f sudoer.ldif
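# /etc/sssd/sssd.conf -- sssd refuses to start unless this file is owned by root
# with mode 0600, which also keeps the directory settings below private.
[sssd]
# "sudo" enables the sudo responder that sudo queries through nsswitch ("sss").
services = nss, pam, sudo, ssh
config_file_version = 2
domains = ldap

[domain/ldap]
# 9 is the most verbose level; lower it once the setup works, the log grows quickly
# and may include directory data.
debug_level = 9
cache_credentials = True
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# The page left this value empty; state it explicitly so sudo rules come from LDAP.
sudo_provider = ldap
ldap_uri = ldaps://master.local,ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
# Must be the ou that holds the sudoRole entries from sudoer.ldif.
ldap_sudo_search_base = ou=Sudoer,dc=suntv,dc=tv
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# The original set "never", which disables certificate checking: anything able to
# intercept the connection could then impersonate the directory and receive the bind
# credentials. "demand" requires a certificate that chains to ca.crt above and
# matches the ldap_uri host names; fix the server certificate rather than relaxing this.
ldap_tls_reqcert = demand
# Not used with ldaps:// URIs, where TLS is already implicit.
ldap_id_use_start_tls = false
entry_cache_timeout = 600
ldap_network_timeout = 2

[nss]
homedir_substring = /home
entry_negative_timeout = 20
entry_cache_nowait_percentage = 50
filter_users = root
filter_groups = root

[pam]

[sudo]

[autofs]

[ssh]

[pac]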
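# /etc/nsswitch.conf: sudo consults these sources in order. sudoers(5) documents the
# source name as "files"; the original "file" is not a documented name and would most
# likely be ignored, leaving sss as the only source and skipping /etc/sudoers entirely
# (including any local rule meant to work while the directory is unreachable).
sudoers: files sss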
vim /etc/pam.d/su
去除如下行的註釋：
auth required pam_wheel.so use_uid
u01
id
uid=1001(u01) gid=2001(g01) groups=2001(g01)
sudo -l
Matching Defaults entries for u01 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User u01 may run the following commands on this host:
    (ALL) NOPASSWD: ALL, !/bin/su*, !/usr/bin/vim /etc/sudoers*, !/bin/vi /etc/sudoers*, !/usr/sbin/visudo, !/usr/sbin/adduser*, !/usr/sbin/useradd*, !/usr/sbin/userdel*, !/usr/sbin/groupadd*, !/usr/sbin/groupdel*, !/bin/sh, !/bin/bash, !/usr/bin/login
u04
id
uid=1004(u04) gid=2002(g02) groups=2002(g02)
sudo -l
Matching Defaults entries for u04 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User u04 may run the following commands on this host:
    (ALL) NOPASSWD: ALL, !/bin/su*