LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?
Hello
we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin:
Sysadmin is allowed to use the commands, systemctl, reboot, shutdown, and a couple of other commands without password.
They must nevertheless always enter their password.
The goal is that admins they are in the wheelgroup and also members from some other sudogroups, they can execute there commands without password. Is this possible in LDAP?
Here some config:
Code:
cn=defaults
dn cn=defaults,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn defaults
description sudoOption's
objectClass sudoRole
sudoOption !root_sudo
!lecture
log_host
log_year
ignore_dot
passwd_tries=3
timestamp_timeout=5
passwd_timeout=1
authenticate
ignore_local_sudoers
cn=%wheel
dn cn=%wheel,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn %wheel
description Superadmingroup
objectClass sudoRole
sudoCommand ALL
sudoHost ALL
sudoUser %wheel
cn=portage
dn cn=portage,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn portage
description Mitglieder können auf allen Gentoos die Paketverwaltung bedienen.
objectClass sudoRole
sudoCommand /usr/bin/emerge
/usr/bin/eix
/usr/bin/revdep-rebuild
sudoHost ALL
sudoOption !authenticate
sudoUser %portage
The importand option here is !authenticate. With this i can say "execute command without password".
Thanks a lot for helping!
Best Regards
Last edited by Scrutinizer; 03-19-2016 at 01:43 PM..
Reason: Changed noparse to code tags
Hello gurus,
I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
Hey all,
I'm looking for a script to auto-generate a password for users that forget their password.
Currently, we are using a perl script (with cgi-bin) where users update their password, but would like to add to this and make it so that the users can also request a password reset and a... (1 Reply)
I'm fairly inexperienced with LDAP and DSEE so to build my skills I installed directory server in the global zone of my Sol 10/u7 machine and created a zone to use as a client. For some reason when I try to change a users password as root (in the client zone) with passwd -r ldap I am prompted for... (1 Reply)
Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..
At this point I have an openLDAP server that is working quite splendidly! :)
I have a working directory with users able to authenticate it and TLS... (2 Replies)
How to change the ldap root password.
I have generated the password by using "slappasswd " command, but In my root machine "/etc/ldap/sldap.d" file is not there. instead of the file sldap.d directory only is there. please help me...? (0 Replies)
Hi,
I have installed open ldap according to the order from this video:
YouTube - bowendenning's Channel
sudo apt-get install slapd
sudo apt-get install ldap-utils
sudo apt-get install phpldapadmin
The installaion was good.
However it did NOT ask from me any password.
After I enter to... (0 Replies)
Hello there,
I hope that I am posting in the right section here, please advise if I posted wrong.
I currently try to change passwords in our Active Directory Envoirenment via LDAP on Linux since the users in question do not have access to a windows-machine and we want to keep it that way. ... (0 Replies)
Hi Unix.com people! :)
My question, I think, it's easy to understand.
I want to configure my sudoers file (/etc/sudoers) in order
to hide automatically, some repetitive and annoying commands
to be listed on auth.log (/var/log/auth.log).
Anyone know something, or know where I can... (0 Replies)
Basically I only want particular users to know the root password, but I also want power users to be able to run certain commands with root privileges. All admins for this box will be authenticating initially through winbind (I do have a backdoor account in case winbind goes wonky)
I want... (0 Replies)
Discussion started by: thmnetwork
0 Replies
LEARN ABOUT CENTOS
visudo
VISUDO(8) BSD System Manager's Manual VISUDO(8)NAME
visudo -- edit the sudoers file
SYNOPSIS
visudo [-chqsV] [-f sudoers]
DESCRIPTION
visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try
again later.
There is a hard-coded list of one or more editors that visudo will use set at compile-time that may be overridden via the editor sudoers
Default variable. This list defaults to /usr/local/bin/vi. Normally, visudo does not honor the VISUAL or EDITOR environment variables
unless they contain an editor in the aforementioned editors list. However, if visudo is configured with the --with-env-editor option or the
env_editor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security
hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.
visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will
print a message stating the line number(s) where the error occurred and the user will receive the ``What now?'' prompt. At this point the
user may enter 'e' to re-edit the sudoers file, 'x' to exit without saving the changes, or 'Q' to quit and save changes. The 'Q' option
should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again
until the error is fixed. If 'e' is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the
line where the error occurred (if the editor supports this feature).
The options are as follows:
-c Enable check-only mode. The existing sudoers file will be checked for syntax errors, owner and mode. A message will be printed
to the standard output describing the status of sudoers unless the -q option was specified. If the check completes successfully,
visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1.
-f sudoers Specify and alternate sudoers file location. With this option visudo will edit (or check) the sudoers file of your choice,
instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ``.tmp'' appended to it. In
check-only mode only, the argument to -f may be '-', indicating that sudoers will be read from the standard input.
-h The -h (help) option causes visudo to print a short help message to the standard output and exit.
-q Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when combined with the
-c option.
-s Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse error.
Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
-V The -V (version) option causes visudo to print its version number and exit.
ENVIRONMENT
The following environment variables may be consulted depending on the value of the editor and env_editor sudoers settings:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set
FILES
/etc/sudoers List of who can run what
/etc/sudoers.tmp Lock file for visudo
DIAGNOSTICS
sudoers file busy, try again later.
Someone else is currently editing the sudoers file.
/etc/sudoers.tmp: Permission denied
You didn't run visudo as root.
Can't find you in the passwd database
Your user ID does not appear in the system passwd file.
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (sudo will not
complain). In -s (strict) mode these are errors, not warnings.
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove the unused alias. In -s
(strict) mode this is an error, not a warning.
Warning: cycle in {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to itself, either directly or through an alias it includes. This is
only a warning by default as sudo will ignore cycles when parsing the sudoers file.
SEE ALSO vi(1), sudoers(5), sudo(8), vipw(8)AUTHORS
Many people have worked on sudo over the years; this version consists of code written primarily by:
Todd C. Miller
See the CONTRIBUTORS file in the sudo distribution (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people who have con-
tributed to sudo.
CAVEATS
There is no easy way to prevent a user from gaining a root shell if the editor used by visudo allows shell escapes.
BUGS
If you feel you have found a bug in visudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
DISCLAIMER
visudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.6p7 July 12, 2012 Sudo 1.8.6p7
03-19-2016
