Unify Sudoers Privileges Across Raspberry Pi Devices
by mirza irwan osman in Circuits > Raspberry Pi
Introduction
Besides automounter maps, LDAP can also hold the sudoers policy. Clients then fetch their sudo rules from the directory, so a rule is changed once on the server rather than on every device, and all devices see the same policy. It also makes the directory, and the connection to it, the thing that decides who gets root on every client, so both deserve the same care as the sudoers file itself.
Scope
This instructable will show how to:
- Install the sudo LDAP support package
- Install the sudoers schema in OpenLDAP
- Create the sudoers policy in LDIF format
- Add it to the LDAP database
- Test
Design
We need two Raspberry Pi devices running Raspbian. For simplicity I will call them Rpi1 and Rpi2:
Rpi1 will have:
LDAP server with user account database
Rpi2 will:
- Look up sudoers policy in Rpi1's LDAP server
- Do LDAP authentication using Rpi1's LDAP server
Environment
Both devices report the following system data:
Distributor ID: Debian
Description: Debian GNU/Linux 7.8 (wheezy)
Release: 7.8
Codename: wheezy
Linux rpipro.example.com 3.18.9+ #767 PREEMPT Sat Mar 7 21:41:13 GMT 2015 armv6l GNU/Linux
References
Manual page sudoers.ldap(5)
Make Raspberry Pi Into a LDAP Server to Store User Account Data and Password
Complete the steps in the "Make Raspberry Pi into a LDAP Server to Store User Account Data and Password" instructable for Rpi1
Make Raspberry Pi Do LDAP Authentication
Complete the steps in the "Make Raspberry Pi do LDAP Authentication" instructable for Rpi2
Install Sudo Support Package for Ldap
Open a terminal emulator on Rpi1:
sudo apt-get update
sudo apt-get install sudo-ldap
Do the same on Rpi2: the stock sudo package in Debian is built without LDAP support, so the client needs sudo-ldap as well (apt replaces sudo with it; the existing /etc/sudoers is kept) or the client-side steps later on will have no effect.
Install Sudo Schema in OpenLDAP
In order to use sudo's LDAP support, the sudo schema must be installed on your LDAP server.
Open terminal emulator in Rpi1:
sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
Create a working directory and run the rest of this step from inside it:
mkdir -p ~/proj_sudo/instruc_ldap_2
Create a minimal slapd configuration for the conversion. It lists the schema files to include: the standard ones already loaded on the server, followed by /etc/ldap/schema/sudo.schema:
vi schema_convert.conf
Find the index that slapcat assigns to the sudo schema. It depends on how many schema files precede sudo in schema_convert.conf, so check it rather than assume the value used below:
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep sudo,cn=schema
Output:
dn: cn={13}sudo,cn=schema,cn=config
Use slapcat to perform the conversion:
slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={13}sudo,cn=schema,cn=config -l cn=sudo.ldif
Edit cn=sudo.ldif so that the dn and cn lines lose the {13} ordering prefix (the server assigns its own position when the entry is added):
dn: cn=sudo,cn=schema,cn=config
...
cn: sudo
Also remove the operational attribute lines that slapcat appended at the bottom of the file (creation and modification metadata such as entryUUID and entryCSN); cn=config generates these itself and rejects them on import.
Use ldapadd to add the new schema to the slapd-config DIT:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=sudo.ldif
Confirm that sudoers schema is installed in LDAP:
sudo ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
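The two manual edits above (dropping the {13} prefix from the dn and cn lines, and deleting the entry metadata slapcat appends) are easy to get slightly wrong by hand, and the index is not always 13. The following shell function, added here as an example and not part of the original instructable, applies those edits to any slapcat schema dump. The embedded sample is a constructed, abridged copy of what slapcat prints for the sudo entry (one attribute type, made-up UUID and timestamps); on Rpi1 you would pipe the slapcat command above into clean_schema_ldif instead.

```shell
#!/bin/sh
# Added example, not from the original instructable.
# clean_schema_ldif: make a cn=config schema entry dumped by slapcat
# importable with ldapadd. Reads LDIF on stdin, writes LDIF on stdout.
#   - drops the "{N}" ordering prefix from the dn and cn lines, so the
#     server assigns its own position instead of rejecting a fixed one
#   - deletes the operational attributes slapcat appends at the bottom;
#     cn=config generates this entry metadata itself and refuses it on
#     input
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed, abridged sample of what slapcat prints for the sudo schema
# entry (one attribute type shown, LDIF-folded; the real dump has all of
# them). The UUID and timestamps are made up.
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={13}sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {13}sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s)
  who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMa
 tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-4000-8000-000000000000
creatorsName: cn=config
createTimestamp: 20150307000000Z
entryCSN: 20150307000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150307000000Z
EOF
}

# Clean the sample. On the server, replace sample_slapcat_output with:
#   slapcat -f schema_convert.conf -F ldif_output -n0 \
#       -H ldap:///cn={13}sudo,cn=schema,cn=config
cleaned_sample() {
    sample_slapcat_output | clean_schema_ldif
}

cleaned_sample
```

The folded continuation lines (leading space) pass through untouched, which is why the function works on the full dump and not only on this abridged one.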
Creating Organizational Units
Open terminal emulator in Rpi1:
vi add_ous.ldif
Add the records to OpenLDAP (the subtree used later as sudoers_base is ou=SUDOers,ou=etc,dc=example,dc=com, so that OU and its parent ou=etc are what add_ous.ldif must create):
sudo ldapadd -f add_ous.ldif -x -D "cn=admin,dc=example,dc=com" -W
Grant Sudo Privilege
Every sudoRole must contain at least one sudoUser, sudoHost and sudoCommand; a role missing any of them never matches. sudoHost is also how one shared policy is scoped per device: use a host name instead of ALL for rules that should apply on only one Pi.
Open terminal emulator in Rpi1
Convert /etc/sudoers into ldif:
Append the roles you want to grant to the existing content of sudoMaster.ldif:
vi /home/pi/proj_sudo/instruc_ldap_2/sudoMaster.ldif
Install sudoMaster.ldif into LDAP:
ldapadd -f ~/proj_sudo/instruc_ldap_2/sudoMaster.ldif -D "cn=admin,dc=example,dc=com" -W -x
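The converted sudoers and the roles appended to sudoMaster.ldif are not reproduced on this page. As an added example, not from the original instructable, here is a constructed LDIF in the same shape, with a role matching the test at the end (john may reboot or halt Rpi2), plus a small lint pass that enforces the rule just stated (every sudoRole needs at least one sudoUser, sudoHost and sudoCommand) and flags the two shapes that hand root to everyone: sudoUser ALL together with sudoCommand ALL, and sudoOption !authenticate. The cn values, the host name rpi2, the user jane and the command paths are assumptions; the last two entries are deliberately wrong so the lint has something to report.

```shell
#!/bin/sh
# Added example, not from the original instructable.
# lint_sudo_roles FILE: walk every entry in a sudoers LDIF and report
#   BAD   a sudoRole missing sudoUser, sudoHost or sudoCommand (such a
#         role never matches, so a typo here silently revokes access)
#   RISK  sudoUser ALL together with sudoCommand ALL, or !authenticate
#   OK    a well-formed role, or the cn=defaults entry that only carries
#         global sudoOption values
lint_sudo_roles() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        role = 0; name = ""; users = 0; hosts = 0; cmds = 0
        allusers = 0; allcmds = 0; noauth = 0
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line == "objectClass: sudoRole") role = 1
            else if (line ~ /^cn: /) name = substr(line, 5)
            else if (line ~ /^sudoUser: /) { users++; if (line == "sudoUser: ALL") allusers = 1 }
            else if (line ~ /^sudoHost: /) hosts++
            else if (line ~ /^sudoCommand: /) { cmds++; if (line == "sudoCommand: ALL") allcmds = 1 }
            else if (line == "sudoOption: !authenticate") noauth = 1
        }
        if (!role) next
        if (name == "defaults") { print "OK   cn=defaults (global sudoOption entry)"; next }
        bad = 0
        if (users == 0) { print "BAD  cn=" name ": no sudoUser"; bad = 1 }
        if (hosts == 0) { print "BAD  cn=" name ": no sudoHost"; bad = 1 }
        if (cmds == 0)  { print "BAD  cn=" name ": no sudoCommand"; bad = 1 }
        if (allusers && allcmds) { print "RISK cn=" name ": sudoUser ALL with sudoCommand ALL gives root to everyone"; bad = 1 }
        if (noauth) { print "RISK cn=" name ": !authenticate removes the password prompt"; bad = 1 }
        if (!bad) print "OK   cn=" name
    }' "$1"
}

# Constructed sample in the shape of sudoMaster.ldif. Role names, the host
# name rpi2, the user jane and the command paths are assumptions; cn=broken
# and cn=everyone are intentionally wrong.
write_sample_ldif() {
    SAMPLE_LDIF=$(mktemp)
    cat >"$SAMPLE_LDIF" <<'EOF'
dn: cn=defaults,ou=SUDOers,ou=etc,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values
sudoOption: env_reset

dn: cn=power,ou=SUDOers,ou=etc,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: power
description: john may reboot or halt Rpi2 only
sudoUser: john
sudoHost: rpi2
sudoCommand: /sbin/reboot
sudoCommand: /sbin/shutdown

dn: cn=broken,ou=SUDOers,ou=etc,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: broken
sudoUser: jane
sudoCommand: /usr/bin/apt-get

dn: cn=everyone,ou=SUDOers,ou=etc,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: everyone
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
EOF
}

write_sample_ldif
lint_sudo_roles "$SAMPLE_LDIF"
rm -f "$SAMPLE_LDIF"
```

Run it over sudoMaster.ldif before the ldapadd step; anything tagged BAD will be accepted by the server (the schema does not require those attributes) but will never grant what you intended.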
Index the 'sudoUser' Attribute
In addition, be sure to index the sudoUser attribute: sudo filters every lookup on it, and without an equality index each sudo invocation makes slapd scan the whole sudoers subtree. The slapd.conf directive "index sudoUser eq" is written as olcDbIndex: sudoUser eq when cn=config is modified, which is the form used here.
Open terminal emulator in Rpi1
vi indices.ldif
Modify the index records in openLDAP:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif
Configure Client's Ldap.conf
Open terminal emulator in Rpi2
Sudo reads the /etc/sudo-ldap.conf file for LDAP-specific configuration.
Note that sudo parses /etc/sudo-ldap.conf itself and may support options that differ from those described in the ldap.conf(5) manual.
Edit the LDAP client configuration:
sudo vi /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://192.168.0.6
sudoers_base ou=SUDOers,ou=etc,dc=example,dc=com
sudo reads the sudoers_base directive; the rest is ordinary libldap client configuration. Note that with this URI the policy lookup is anonymous and in cleartext, so anyone who can answer for 192.168.0.6 on the network decides who gets root on Rpi2. Once Rpi1 has a certificate, add ssl start_tls and tls_checkpeer yes to this file and point URI at the server's host name rather than its address.
Create sudo-ldap.conf for the sudoers LDAP setup by linking it to the shared client configuration (if the sudo-ldap package already created the link, ln reports that the file exists and nothing further is needed):
sudo ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
Because /etc/ldap/ldap.conf is world-readable, never put a bindpw in it; if sudo needs a bind identity, give /etc/sudo-ldap.conf its own root-only copy instead of the symlink.
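The client configuration above points sudo at ldap://192.168.0.6 with no TLS and no bind identity, so every sudoers lookup travels in the clear and any host that can answer for that address can return a sudoRole of its choosing. The following script, added here as an example and not part of the original instructable, checks a sudo-ldap.conf for the three settings that matter most (transport encryption, certificate verification, credential exposure) and runs itself against two constructed files: the configuration from this step with a hypothetical bindpw added, and a hardened version of the same lookup. The host name rpi1.example.com, the CA path, the bind DN and the password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original instructable.
# audit_sudo_ldap_conf FILE: report the sudo-ldap.conf settings that
# decide whether the sudoers policy can be altered in transit or read
# locally. Directive names are those in sudoers.ldap(5); sudo parses
# them case-insensitively, so the greps do too. Prints one "WEAK: ..."
# line per finding and nothing for a clean file.
audit_sudo_ldap_conf() {
    conf=$1

    # ldap:// with neither "ssl on" nor "ssl start_tls": sudoRoles arrive
    # in cleartext and anyone who can answer for the server's address can
    # return a role that grants ALL.
    if grep -qiE '^[[:space:]]*uri[[:space:]]+ldap://' "$conf" \
        && ! grep -qiE '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$conf"; then
        echo "WEAK: cleartext ldap:// URI without 'ssl start_tls' or 'ssl on'"
    fi

    # TLS without tls_checkpeer yes accepts any certificate, so a rogue
    # server is still accepted; encryption only helps once the peer is
    # verified against tls_cacertfile.
    if grep -qiE '^[[:space:]]*ssl[[:space:]]+(on|start_tls)' "$conf" \
        && ! grep -qiE '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$conf"; then
        echo "WEAK: TLS enabled but tls_checkpeer is not 'yes'"
    fi

    # A bindpw in a world-readable file is readable by every local user.
    # /etc/ldap/ldap.conf has to stay world-readable for libldap, so a
    # sudo-ldap.conf that is a symlink to it must not carry credentials.
    if grep -qiE '^[[:space:]]*bindpw[[:space:]]' "$conf" \
        && [ -n "$(find -L "$conf" -perm -o+r)" ]; then
        echo "WEAK: bindpw stored in a world-readable file"
    fi
}

# Number of findings for FILE, handy in scripts.
count_weak_settings() {
    audit_sudo_ldap_conf "$1" | wc -l | tr -d ' '
}

# Constructed samples. WEAK_CONF is the client configuration from this step
# with a hypothetical bind identity added, in a 0644 file like
# /etc/ldap/ldap.conf. HARDENED_CONF does the same lookup over STARTTLS with
# the server certificate checked, in a root-only file. Host name, CA path,
# bind DN and password are made up.
write_samples() {
    WEAK_CONF=$(mktemp)
    HARDENED_CONF=$(mktemp)
    cat >"$WEAK_CONF" <<'EOF'
BASE dc=example,dc=com
URI ldap://192.168.0.6
sudoers_base ou=SUDOers,ou=etc,dc=example,dc=com
binddn cn=sudo-reader,dc=example,dc=com
bindpw hunter2
EOF
    chmod 644 "$WEAK_CONF"
    cat >"$HARDENED_CONF" <<'EOF'
BASE dc=example,dc=com
URI ldap://rpi1.example.com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
sudoers_base ou=SUDOers,ou=etc,dc=example,dc=com
binddn cn=sudo-reader,dc=example,dc=com
bindpw hunter2
EOF
    chmod 600 "$HARDENED_CONF"
}

write_samples
echo "== weak (the configuration from this step):"
audit_sudo_ldap_conf "$WEAK_CONF"
echo "== hardened:"
audit_sudo_ldap_conf "$HARDENED_CONF"
rm -f "$WEAK_CONF" "$HARDENED_CONF"
```

The hardened sample uses a host name in the URI on purpose: tls_checkpeer compares the certificate against the name the client connected to, and a certificate for a bare IP address is rare. Run audit_sudo_ldap_conf /etc/sudo-ldap.conf on Rpi2 after each change to this file.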
Configuring Client's Nsswitch.conf
Unless it is disabled at build time, sudo consults the Name Service Switch file, /etc/nsswitch.conf, to specify the sudoers search order. Sudo looks for a line beginning with sudoers: and uses this to determine the search order. Note that sudo does not stop searching after the first match and later matches take precedence over earlier ones.
Open terminal emulator in Rpi2
Add an entry for sudoers:
vi /etc/nsswitch.conf
sudoers: ldap
With ldap as the only source, nobody can use sudo on Rpi2 while Rpi1 is unreachable. If you want the local file as a fallback, use "sudoers: ldap files"; remember from the note above that when both sources answer, the later one (files) wins on conflicting entries.
Test
Open terminal emulator in Rpi2
Rename /etc/sudoers so that Rpi2 cannot satisfy the test from the local file and must look up its sudoers policy in LDAP. Before doing this, open a root shell in another terminal and keep it open; if the LDAP lookup is misconfigured you will otherwise have no working sudo left to move the file back:
sudo mv /etc/sudoers /etc/sudoers.disabled
Reboot Rpi2
Log in with the john account:
username: john
password: johnldap
Open terminal emulator in Rpi2
Reboot Rpi2:
sudo reboot
Expected result: Rpi2 will reboot
Open terminal emulator in Rpi2
Shut down Rpi2:
sudo shutdown -h now
Expected result: Rpi2 halts. Both commands succeeding with /etc/sudoers out of the way shows that john's privileges came from the sudoRole stored on Rpi1.