Issue while Centralizing SUDO with OpenLDAP
- To: openldap-technical@openldap.org
- Subject: Issue while Centralizing SUDO with OpenLDAP
- From: pradyumna dash <neomatrixgem@gmail.com>
- Date: Mon, 16 May 2011 17:38:31 +0200
Hi,
I am trying to achieve centralizing SUDO, but I am facing an issue. I
suspect it's something to do with sudoers.schema; maybe I am wrong. I
think somehow the slapd process is not able to read it. Please suggest
how to fix the issue.
My LDAP structure is like: dc=example,dc=com. Under this I have
OU=People, and I have created an OU called SUDOers. Then I have used
sudoers2ldif to generate the LDIF file for me. I have set the env
variable SUDOERS_BASE=ou=SUDOers,dc=example,dc=com. Then when I am
trying to add the LDIF file it shows me the error below.
t710x02-6:/etc/openldap/schema # ldapadd -f /opt/newsudo.ldif -h 127.0.0.1 -D cn=Manager,dc=example,dc=com -W -x
Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
#objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE
  LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME
  LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS
  XDG_SESSION_COOKIE"
sudoOption: targetpw

dn: cn=ALL,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL

dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL

dn: cn=prad,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prad
sudoUser: prad
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL
sudoers.schema
#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo (deprecated)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $
          description )
    )
Please help me to solve this issue.
I am using SLES 11 and SUDO 1.6.9p17
Regards,
Neo
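The message "objectClass: value #0 invalid per syntax" is what slapd returns when an objectClass value in the entry (here sudoRole, value #0, since "top" is commented out) has no definition in the schema the server actually loaded; it is not a complaint about the LDIF syntax itself. The checks a practitioner wants before re-running ldapadd are therefore (a) does the schema file define every class and attribute the LDIF uses, and (b) did slapd load that file. The script below is an added example and not part of the original post or of the sudo or OpenLDAP projects: it parses the attributetype/objectclass definitions of a schema file and cross-checks an LDIF file against them offline, including LDIF line folding and the blank-line separation between entries. The sample schema and LDIF inside it are constructed, cut down from the ones quoted above; the assumption that cn, description and top come from core.schema is marked in the code.

```python
"""Offline consistency check of an LDIF file against an OpenLDAP schema file.
Added example, not from the original post: parses the attributetype and
objectclass definitions of a schema file, then checks that every LDIF entry
uses only object classes the schema defines and only attributes those classes
allow (MUST/MAY, following SUP). Names compare case-insensitively, as in LDAP."""
import re

# Assumption: slapd always has core.schema loaded, so these count as known.
CORE_ATTRS = {"objectclass", "cn", "description"}
CORE_CLASSES = {"top"}


def _definitions(text, keyword):
    """Bodies of every '<keyword> ( ... )' block; '#' comment lines are dropped."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    out = []
    for m in re.finditer(r"\b" + keyword + r"\s*\(", text, re.IGNORECASE):
        depth, i, quoted = 1, m.end(), False
        while i < len(text) and depth:
            c = text[i]
            if c == "'":
                quoted = not quoted  # parentheses inside DESC 'User(s)' must not count
            elif not quoted:
                depth += {"(": 1, ")": -1}.get(c, 0)
            i += 1
        out.append(text[m.end():i - 1])
    return out


def _names(body):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x', 'y'], lower-cased."""
    m = re.search(r"\bNAME\s+(?:'[^']*'|\([^)]*\))", body)
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(0))] if m else []


def _oid_list(body, keyword):
    """SUP top / MUST ( cn ) / MAY ( a $ b ) -> lower-cased name list."""
    body = re.sub(r"'[^']*'", "''", body)  # never match keywords inside DESC strings
    m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|([\w.;-]+))", body)
    raw = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
    return [t.strip().lower() for t in raw.split("$") if t.strip()]


def parse_schema(text):
    """Return (set of attribute names, {class name: {'sup', 'must', 'may'}})."""
    attrs = {n for b in _definitions(text, "attributetype") for n in _names(b)}
    classes = {}
    for b in _definitions(text, "objectclass"):
        spec = {k: _oid_list(b, k.upper()) for k in ("sup", "must", "may")}
        for n in _names(b):
            classes[n] = spec
    return attrs, classes


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # folded line: drop the leading space, append
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:  # a blank line terminates the entry
            entries.append(_entry(lines))
            lines = []
    return entries


def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if name.lower() == "dn":
            if dn is not None:
                raise ValueError(f"second dn inside entry {dn}: separate entries with a blank line")
            dn = value.strip()
        else:  # '::' (base64) values are kept undecoded; enough for a schema check
            attrs.setdefault(name.lower(), []).append(value.lstrip(": "))
    return dn, attrs


def _collect(oc, classes, keys, seen=None):
    """Union of the given keys over a class and its SUP chain."""
    seen = set() if seen is None else seen
    if oc in seen or oc not in classes:
        return set()
    seen.add(oc)
    out = {n for k in keys for n in classes[oc][k]}
    for sup in classes[oc]["sup"]:
        out |= _collect(sup, classes, keys, seen)
    return out


def check_ldif(ldif_text, schema):
    """One message per violation; an empty list means the LDIF fits the schema."""
    attrs, classes = schema
    known = attrs | CORE_ATTRS
    problems = []
    for dn, entry in parse_ldif(ldif_text):
        ocs = [v.lower() for v in entry.get("objectclass", [])]
        unknown = [oc for oc in ocs if oc not in classes and oc not in CORE_CLASSES]
        if not ocs or unknown:
            # The situation slapd reports as "objectClass: value #N invalid per syntax":
            # the entry names a class the server has no definition for.
            problems.append(f"{dn}: objectClass {unknown or 'missing'} not defined in loaded schema")
            continue
        allowed = {"objectclass"} | {n for oc in ocs for n in _collect(oc, classes, ("must", "may"))}
        required = {n for oc in ocs for n in _collect(oc, classes, ("must",))}
        for a in entry:
            if a not in allowed or a not in known:
                problems.append(f"{dn}: attribute '{a}' not allowed by {ocs}")
        for a in required - set(entry):
            problems.append(f"{dn}: required attribute '{a}' missing")
    return problems


# Constructed sample in the style of sudo's schema.OpenLDAP, cut down to what the LDIF below uses.
SAMPLE_SCHEMA = """
# OpenLDAP schema file for Sudo (constructed excerpt)
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
    DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries' MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
"""

# Constructed sample LDIF: a folded sudoOption value and sudoRunas in a different case.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ALL
  LANGUAGE"

dn: cn=prad,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prad
sudoUser: prad
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL
"""


def demo():
    """Check the sample LDIF against the sudo schema and against an empty schema
    (what slapd effectively has when the include line is missing)."""
    return (check_ldif(SAMPLE_LDIF, parse_schema(SAMPLE_SCHEMA)),
            check_ldif(SAMPLE_LDIF, parse_schema("")))


if __name__ == "__main__":
    with_schema, without_schema = demo()
    print("sudo schema loaded  :", with_schema or "no problems")
    print("sudo schema missing :", *without_schema, sep="\n  ")
```

Run against the real files, the second half of the check (did slapd load the file at all) is done on the server rather than offline: the include line in slapd.conf must name the file as it is actually stored (the file quoted above says "Save as sudo.schema" while it is referred to as sudoers.schema), must come after core.schema, and slapd must be restarted afterwards; `ldapsearch -x -H ldap://127.0.0.1 -b cn=Subschema -s base objectClasses | grep sudoRole` then shows whether the running server knows the class. If that grep is empty, ldapadd will keep failing on the objectClass value no matter how the LDIF is written.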