Cool Solution - Setup sudo with ldap on multiserver environments

From Univention Wiki

Revision as of 07:09, 22 April 2015 by Rehberg (talk | contribs)
Product versions: UCS 4.0, UCC 1.0

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions repository are built by Univention, but will not be maintained. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your Univention contact before implementing any of these steps.

Also note the legal notes in the Terms of Service.
Note: This article is not yet reviewed.

Introduction

A useful way to administer your servers (and to audit that administration) is to delegate authority via sudo. On a large number of systems, however, the sudoers configuration file is hard to keep synchronized. Fortunately, sudo can be built with LDAP support, so the rules can be distributed from the directory instead of being copied to every host; as the sudo LDAP readme puts it: "By using LDAP for sudoers we gain a centrally administered, globally available configuration source for sudo".

The packages described in this article make LDAP-based sudoers available for UCS and UCC deployments: the rules are managed in the UCS LDAP directory via UMC or UDM and read by sudo on the member systems.

For more on the benefits of sudo and sudo LDAP, please see the sudo intro and the sudoers LDAP manual.


Installation on UCS DC Master / DC Backup

First, add the following entries to /etc/apt/sources.list.d/20_ucs-online-component.list:

deb http://univention-repository.knut.univention.de/3.1/unmaintained/component/ cool-solutions/all/
deb http://univention-repository.knut.univention.de/3.1/unmaintained/component/ cool-solutions/amd64/

After including the "cool solutions" repository, install the following package, which contains the UDM integration, on the UCS DC Master and on every DC Backup:

univention-sudo-ldap

Make sure that all join scripts have been executed (e.g. in the UMC "Domain join" module, or with univention-run-join-scripts on the command line).

Installation on UCS and UCC systems

After including the "cool solutions" repository, install the following package on all systems that should apply the sudo rules defined in UDM:

univention-sudo-ldap-host

It is recommended to use the software distribution features of UCS and UCC to make sure the package is also installed on newly joined systems.
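A practical check after installing univention-sudo-ldap-host is whether sudo on that host actually consults LDAP at all. The following Python script is an added example and not part of the package; it assumes the package enables the LDAP backend the way the stock Debian sudo-ldap package does, through a "sudoers:" line in /etc/nsswitch.conf (see sudoers.ldap(5)), and that when this line is absent sudo falls back to reading only the local /etc/sudoers file. The nsswitch.conf fragments in the script are constructed samples.

```python
"""Check whether a host will consult LDAP for sudoers.

Added example, not part of univention-sudo-ldap-host. Assumption: the LDAP
backend is enabled via a "sudoers:" line in nsswitch.conf, as sudoers.ldap(5)
describes; without that line sudo behaves as if "sudoers: files" were set.
"""
import sys


def sudoers_sources(nsswitch_text):
    """Return the ordered list of sudoers sources configured in nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        database, _, sources = line.partition(":")
        if database.strip() == "sudoers":
            return sources.split()
    return ["files"]                              # sudo's default if no line exists


def ldap_sudoers_enabled(nsswitch_text):
    """True if sudo will query LDAP for rules on this host."""
    return "ldap" in sudoers_sources(nsswitch_text)


# Constructed samples (not copied from a real host)
NSSWITCH_OK = "passwd: files ldap\ngroup:  files ldap\nsudoers: files ldap\n"
NSSWITCH_MISSING = "passwd: files ldap\ngroup: files ldap\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    with open(path) as fh:
        text = fh.read()
    print(path, "sudoers sources:", sudoers_sources(text))
    if not ldap_sudoers_enabled(text):
        print("sudo will NOT read rules from LDAP on this host")
        sys.exit(1)
```

Run it with the path of an nsswitch.conf as its argument (default /etc/nsswitch.conf); a non-zero exit means the host only evaluates /etc/sudoers. Once the LDAP source is active, `sudo -l -U mmueller` (run as root) lists the privileges that sudo resolved for that user on this host, which is the quickest way to confirm that a rule created in UDM has arrived.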

Delegating authority via UMC/UDM

Rules are created on the DC Master, either via the web interface (UMC) or via the command-line interface (UDM).

The rule entries are:

  • Rules have a name and a description.
  • Users can be login names or groups.
  • Individual host names can be added to hosts.
  • Use the full path of the executable in the command entry: sudo compares the resolved absolute path of the requested program against the rule, so a bare command name never matches.

UMC

The Univention Management Console (UMC) can be used to create, edit and delete sudo LDAP rules.

Once logged into UMC, open the LDAP directory module and navigate to the container example.com -> univention -> sudo-ldap (cn=sudo-ldap,cn=univention,dc=example,dc=com).

Use "Add LDAP object" to create new sudo rules (see image).

(Screenshot: Modifying a sudo rule in UMC)

UDM

The command-line interface Univention Directory Manager (UDM) can now be used to add rules to the sudo-ldap container (cn=sudo-ldap,cn=univention,dc=example,dc=com):

udm sudo/rule create \
--position "cn=sudo-ldap,cn=univention,dc=example,dc=com" \
--set name="Package Management" \
--set description="Package handling with apt-get" \
--set hosts="server1.example.com" \
--set users="mmueller" \
--set command="/usr/bin/apt-get"

The rule can later be modified, e.g. to add another user and another host:

udm sudo/rule modify \
--dn "cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com" \
--append users="cschmidt" \
--append hosts="backup"


To display the content of the rule:

udm sudo/rule list \
--dn "cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com"
---
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: /usr/bin/apt-get
 users: mmueller
 users: cschmidt
 hosts: server1.example.com
 hosts: backup
 name: Package Management
 description: Package handling with apt-get
---
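The rule semantics described above (users, hosts, full command paths) can be checked offline with the following Python script, an added example that is not part of the univention-sudo-ldap packages. It parses listings in the format `udm sudo/rule list` prints and evaluates requests against the rules the way sudo's LDAP backend does in the common cases. Assumptions: the UDM attributes correspond to the standard sudoRole attributes sudo reads (users to sudoUser, hosts to sudoHost, command to sudoCommand); a user entry is a login name, a "%group" name or ALL; a host entry matches the host's FQDN or short name, or is ALL; sudoOrder, negated entries, command arguments, netgroups and IP-based host entries are not modelled. The "Service Control" and "Broken Rule" entries in the sample listing are constructed, only "Package Management" is the article's rule.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SudoRule:
    dn: str
    name: str = ""
    users: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


# Constructed sample in the format `udm sudo/rule list` prints: the article's
# rule plus two made-up ones (a group rule, and a rule with a relative path).
UDM_LIST_OUTPUT = """\
---
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
 command: /usr/bin/apt-get
 users: mmueller
 users: cschmidt
 hosts: server1.example.com
 hosts: backup
 name: Package Management
 description: Package handling with apt-get
---
DN: cn=Service Control,cn=sudo-ldap,cn=univention,dc=example,dc=com
 command: /usr/sbin/service
 users: %webadmins
 hosts: ALL
 name: Service Control
---
DN: cn=Broken Rule,cn=sudo-ldap,cn=univention,dc=example,dc=com
 command: apt-get
 users: ALL
 hosts: ALL
 name: Broken Rule
---
"""


def parse_udm_list(text):
    """Split the UDM listing into rules; entries are separated by '---' lines."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---" or not line:
            if current is not None:
                rules.append(current)
            current = None
        elif line.startswith("DN: "):
            current = SudoRule(dn=line[4:])
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "users":
                current.users.append(value)
            elif key == "hosts":
                current.hosts.append(value)
            elif key == "command":
                current.commands.append(value)
            elif key == "name":
                current.name = value     # ARG and description are ignored
    if current is not None:
        rules.append(current)
    return rules


def user_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("%"):             # "%name" denotes a group
        return spec[1:] in groups
    return spec == user


def host_matches(spec, fqdn):
    # Simplified: the FQDN or its short name (sudo also accepts IPs/netgroups).
    return spec == "ALL" or spec in (fqdn, fqdn.split(".", 1)[0])


def command_matches(spec, command):
    # sudo compares the resolved absolute path of the requested program with
    # sudoCommand, so a spec without a leading "/" can never match; that is
    # why the article recommends full paths.
    return spec == "ALL" or (spec.startswith("/") and spec == command)


def permitted(rules, user, groups, fqdn, command):
    """Name of the first rule allowing user@fqdn to run command, else None."""
    for rule in rules:
        if (any(user_matches(u, user, groups) for u in rule.users)
                and any(host_matches(h, fqdn) for h in rule.hosts)
                and any(command_matches(c, command) for c in rule.commands)):
            return rule.name
    return None


def relative_command_rules(rules):
    """Rules with a command entry that is neither an absolute path nor ALL."""
    return [r.name for r in rules
            if any(c != "ALL" and not c.startswith("/") for c in r.commands)]


if __name__ == "__main__":
    rules = parse_udm_list(UDM_LIST_OUTPUT)
    for user, groups, host, cmd in [
        ("mmueller", [], "server1.example.com", "/usr/bin/apt-get"),
        ("cschmidt", [], "backup.example.com", "/usr/bin/apt-get"),
        ("mmueller", [], "server2.example.com", "/usr/bin/apt-get"),
        ("jdoe", ["webadmins"], "web3.example.com", "/usr/sbin/service"),
    ]:
        print(f"{user}@{host} {cmd}: {permitted(rules, user, groups, host, cmd)}")
    print("rules with relative command paths:", relative_command_rules(rules))
```

Feed it the real output of `udm sudo/rule list` (without --dn) to lint an entire deployment for rules with relative command paths before sudo silently ignores them on the hosts; the matcher is deliberately first-match and unordered, which mirrors the fact that sudo's LDAP backend has no ordering between sudoRole entries unless sudoOrder is set.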
