LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?

 
Thread Tools Search this Thread
Special Forums UNIX and Linux Applications LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?
# 1  
Old 03-19-2016
LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?

Hello Smilie

we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin:
Sysadmin is allowed to use the commands, systemctl, reboot, shutdown, and a couple of other commands without password.
They must nevertheless always enter their password.

The goal is that admins they are in the wheelgroup and also members from some other sudogroups, they can execute there commands without password. Is this possible in LDAP?

Here some config:

Code:
cn=defaults
dn	                cn=defaults,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn	                defaults
description 	sudoOption's
objectClass	sudoRole
sudoOption	!root_sudo
                        !lecture
                        log_host
                        log_year
                        ignore_dot
                        passwd_tries=3
                        timestamp_timeout=5
                        passwd_timeout=1
                        authenticate
                        ignore_local_sudoers

cn=%wheel
dn	               cn=%wheel,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn	               %wheel
description 	Superadmingroup
objectClass	sudoRole
sudoCommand	ALL
sudoHost	        ALL
sudoUser	        %wheel

cn=portage
dn	                cn=portage,ou=SUDOers,ou=Anwendungen,dc=osit,dc=cc
cn	                portage
description 	Mitglieder können auf allen Gentoos die Paketverwaltung bedienen.
objectClass	sudoRole
sudoCommand	/usr/bin/emerge
                        /usr/bin/eix
                        /usr/bin/revdep-rebuild
sudoHost	        ALL
sudoOption	!authenticate
sudoUser	        %portage


The importand option here is !authenticate. With this i can say "execute command without password".

Thanks a lot for helping!
Best Regards

Last edited by Scrutinizer; 03-19-2016 at 01:43 PM.. Reason: Changed noparse to code tags
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Red Hat

changing which password is prompted for in sudoers

Basically I only want particular users to know the root password, but I also want power users to be able to run certain commands with root privileges. All admins for this box will be authenticating initially through winbind (I do have a backdoor account in case winbind goes wonky) I want... (0 Replies)
Discussion started by: thmnetwork
0 Replies

2. Linux

How to configure sudoers in order to hide some sudo commands.

Hi Unix.com people! :) My question, I think, it's easy to understand. I want to configure my sudoers file (/etc/sudoers) in order to hide automatically, some repetitive and annoying commands to be listed on auth.log (/var/log/auth.log). Anyone know something, or know where I can... (0 Replies)
Discussion started by: fefafefa
0 Replies

3. UNIX for Advanced & Expert Users

[SOLVED] LDAP Constraint Violation while changing password

Hello there, I hope that I am posting in the right section here, please advise if I posted wrong. I currently try to change passwords in our Active Directory Envoirenment via LDAP on Linux since the users in question do not have access to a windows-machine and we want to keep it that way. ... (0 Replies)
Discussion started by: henryford
0 Replies

4. UNIX for Advanced & Expert Users

setting password in ldap

Hi, I have installed open ldap according to the order from this video: YouTube - bowendenning's Channel sudo apt-get install slapd sudo apt-get install ldap-utils sudo apt-get install phpldapadmin The installaion was good. However it did NOT ask from me any password. After I enter to... (0 Replies)
Discussion started by: programAngel
0 Replies

5. UNIX for Advanced & Expert Users

How to reset the ldap root password?

How to change the ldap root password. I have generated the password by using "slappasswd " command, but In my root machine "/etc/ldap/sldap.d" file is not there. instead of the file sldap.d directory only is there. please help me...? (0 Replies)
Discussion started by: ungalnanban
0 Replies

6. UNIX and Linux Applications

Problems Hooking Sudoers into PAM/LDAP

Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here.. At this point I have an openLDAP server that is working quite splendidly! :) I have a working directory with users able to authenticate it and TLS... (2 Replies)
Discussion started by: bluethundr
2 Replies

7. Shell Programming and Scripting

Set FLAG in MAils from UNIX

Is there any way i can set flag or change the color of the subject line of a mail sent from unix. ? (1 Reply)
Discussion started by: Gaurav Goyal
1 Replies

8. Solaris

changing user password as root on LDAP client SOl10/u7

I'm fairly inexperienced with LDAP and DSEE so to build my skills I installed directory server in the global zone of my Sol 10/u7 machine and created a zone to use as a client. For some reason when I try to change a users password as root (in the client zone) with passwd -r ldap I am prompted for... (1 Reply)
Discussion started by: ilikecows
1 Replies

9. Solaris

LDAP user password reset script

Hey all, I'm looking for a script to auto-generate a password for users that forget their password. Currently, we are using a perl script (with cgi-bin) where users update their password, but would like to add to this and make it so that the users can also request a password reset and a... (1 Reply)
Discussion started by: em23
1 Replies

10. Solaris

sudoers file with groups in LDAP

Hello gurus, I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
Discussion started by: em23
6 Replies
Login or Register to Ask a Question