LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?
Hello
we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin:
Sysadmin is allowed to use the commands, systemctl, reboot, shutdown, and a couple of other commands without password.
They must nevertheless always enter their password.
The goal is that admins they are in the wheelgroup and also members from some other sudogroups, they can execute there commands without password. Is this possible in LDAP?
Here some config:
Code:
cn=defaults
dn cn=defaults,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn defaults
description sudoOption's
objectClass sudoRole
sudoOption !root_sudo
!lecture
log_host
log_year
ignore_dot
passwd_tries=3
timestamp_timeout=5
passwd_timeout=1
authenticate
ignore_local_sudoers
cn=%wheel
dn cn=%wheel,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn %wheel
description Superadmingroup
objectClass sudoRole
sudoCommand ALL
sudoHost ALL
sudoUser %wheel
cn=portage
dn cn=portage,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn portage
description Mitglieder können auf allen Gentoos die Paketverwaltung bedienen.
objectClass sudoRole
sudoCommand /usr/bin/emerge
/usr/bin/eix
/usr/bin/revdep-rebuild
sudoHost ALL
sudoOption !authenticate
sudoUser %portage
The importand option here is !authenticate. With this i can say "execute command without password".
Thanks a lot for helping!
Best Regards
Last edited by Scrutinizer; 03-19-2016 at 01:43 PM..
Reason: Changed noparse to code tags
Hello gurus,
I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
Hey all,
I'm looking for a script to auto-generate a password for users that forget their password.
Currently, we are using a perl script (with cgi-bin) where users update their password, but would like to add to this and make it so that the users can also request a password reset and a... (1 Reply)
I'm fairly inexperienced with LDAP and DSEE so to build my skills I installed directory server in the global zone of my Sol 10/u7 machine and created a zone to use as a client. For some reason when I try to change a users password as root (in the client zone) with passwd -r ldap I am prompted for... (1 Reply)
Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..
At this point I have an openLDAP server that is working quite splendidly! :)
I have a working directory with users able to authenticate it and TLS... (2 Replies)
How to change the ldap root password.
I have generated the password by using "slappasswd " command, but In my root machine "/etc/ldap/sldap.d" file is not there. instead of the file sldap.d directory only is there. please help me...? (0 Replies)
Hi,
I have installed open ldap according to the order from this video:
YouTube - bowendenning's Channel
sudo apt-get install slapd
sudo apt-get install ldap-utils
sudo apt-get install phpldapadmin
The installaion was good.
However it did NOT ask from me any password.
After I enter to... (0 Replies)
Hello there,
I hope that I am posting in the right section here, please advise if I posted wrong.
I currently try to change passwords in our Active Directory Envoirenment via LDAP on Linux since the users in question do not have access to a windows-machine and we want to keep it that way. ... (0 Replies)
Hi Unix.com people! :)
My question, I think, it's easy to understand.
I want to configure my sudoers file (/etc/sudoers) in order
to hide automatically, some repetitive and annoying commands
to be listed on auth.log (/var/log/auth.log).
Anyone know something, or know where I can... (0 Replies)
Basically I only want particular users to know the root password, but I also want power users to be able to run certain commands with root privileges. All admins for this box will be authenticating initially through winbind (I do have a backdoor account in case winbind goes wonky)
I want... (0 Replies)
Discussion started by: thmnetwork
0 Replies
LEARN ABOUT LINUX
sudo_root
sudo_root(8) System Manager's Manual sudo_root(8)NAME
sudo_root - How to run administrative commands
SYNOPSIS
sudo command
sudo -i
INTRODUCTION
By default, the password for the user "root" (the system administrator) is locked. This means you cannot login as root or use su. Instead,
the installer will set up sudo to allow the user that is created during install to run all administrative commands.
This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical
sudo to prompt for a password. When sudo asks for a password, it needs your password, this means that a root password is not needed.
To run a command which requires root privileges in a terminal, simply prepend sudo in front of it. To get an interactive root shell, use
sudo -i.
ALLOWING OTHER USERS TO RUN SUDO
By default, only the user who installed the system is permitted to run sudo. To add more administrators, i. e. users who can run sudo, you
have to add these users to the group 'admin' by doing one of the following steps:
* In a shell, do
sudo adduser username admin
* Use the graphical "Users & Groups" program in the "System settings" menu to add the new user to the admin group.
BENEFITS OF USING SUDO
The benefits of leaving root disabled by default include the following:
* Users do not have to remember an extra password, which they are likely to forget.
* The installer is able to ask fewer questions.
* It avoids the "I can do anything" interactive login by default - you will be prompted for a password before major changes can happen,
which should make you think about the consequences of what you are doing.
* Sudo adds a log entry of the command(s) run (in /var/log/auth.log).
* Every attacker trying to brute-force their way into your box will know it has an account named root and will try that first. What they do
not know is what the usernames of your other users are.
* Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from the admin group, while not
compromising the root account.
* sudo can be set up with a much more fine-grained security policy.
* On systems with more than one administrator using sudo avoids sharing a password amongst them.
DOWNSIDES OF USING SUDO
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
* Redirecting the output of commands run with sudo can be confusing at first. For instance consider
sudo ls > /root/somefile
will not work since it is the shell that tries to write to that file. You can use
ls | sudo tee /root/somefile
to get the behaviour you want.
* In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as
nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to
leave the system unusable. An extra local user, or an enabled root password is needed here.
GOING BACK TO A TRADITIONAL ROOT ACCOUNT
This is not recommended!
To enable the root account (i.e. set a password) use:
sudo passwd root
Afterwards, edit the sudo configuration with sudo visudo and comment out the line
%admin ALL=(ALL) ALL
to disable sudo access to members of the admin group.
SEE ALSO sudo(8), https://wiki.ubuntu.com/RootSudo
February 8, 2006 sudo_root(8)
03-19-2016
