Introduction
A useful way to administer (and audit the administration of) your servers is delegating authority via sudo. However, across a large number of systems the sudoers configuration file can be hard to synchronize. Fortunately, sudo can be built with LDAP support to distribute the configuration, and as the sudo LDAP readme says: “By using LDAP for sudoers we gain a centrally administered, globally available configuration source for sudo”.
The administration of UCS deployments using LDAP-based sudoers is available now with these packages.
For more on the benefits of sudo and sudo LDAP, please see the sudo intro and the sudoers LDAP manual.
Installation on UCS DC Master / DC Backup
Include the “cool solutions” repository.
Unmaintained repository on UCS 4
Enable the unmaintained repository to make sudo-ldap available:
ucr set repository/online/unmaintained=yes
Install the following package containing the UDM integration on the UCS DC Master and every DC Backup:
univention-install univention-sudo-ldap
Make sure that all join scripts are executed (e.g. in the UMC “Domain join” module).
Installation on UCS systems
Include the “cool solutions” repository.
Unmaintained repository on UCS 4
Enable the unmaintained repository to make sudo-ldap available:
ucr set repository/online/unmaintained=yes
Install the following package on all systems that should make use of the “sudo” rules defined using the UDM:
univention-install univention-sudo-ldap-host
It’s recommended to use the software distribution functionalities for UCS to make sure the package will be installed on new systems, too. See: Policy-based installation/deinstallation of individual packages via package lists
Delegating authority via UMC/UDM
Now you can set rules in the DC Master either by using the Web interface UMC or the command-line interface UDM.
These are the supported entries:
- Rules have a name and a description
- Users can be login names or groups
- Individual hostnames can be added to hosts
- It’s recommended to use the full path in the command entry
UMC
The Univention Management Console (UMC) can be used to create, edit and delete sudo LDAP rules.
Once you have logged in to UMC, open LDAP Directory and navigate to the container example.com → univention → sudo-ldap (cn=sudo-ldap,cn=univention,dc=example,dc=com).
Add LDAP Object can be used to create new sudo rules. Click +ADD and select Type sudo-rule (see image).
Modifying a sudo rule in UMC (UCS 5.0)
Modifying a sudo rule in UMC (UCS 4.2)
UDM
The command-line interface Univention Directory Manager (UDM) can now be used to add rules to the sudo-ldap container (cn=sudo-ldap,cn=univention,dc=example,dc=com):
udm sudo/rule create --position "cn=sudo-ldap,cn=univention,$(ucr get ldap/base)" --set name="Package Management" --set description="Package handling with apt-get" --set hosts="$(hostname -f)" --set users="mmueller" --set command="/usr/bin/apt-get"
The rule can later be modified as follows:
udm sudo/rule modify --dn "cn=Package Management,cn=sudo-ldap,cn=univention,$(ucr get ldap/base)" --append users="cschmidt" --append hosts="backup"
To show the content of the rule:
udm sudo/rule list --dn "cn=Package Management,cn=sudo-ldap,cn=univention,$(ucr get ldap/base)"
The output looks like this:
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
ARG: None
command: /usr/bin/apt-get
users: mmueller
users: cschmidt
hosts: server1.example.com
hosts: backup
name: Package Management
description: Package handling with apt-get
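When many rules live in the sudo-ldap container, reviewing them by eye gets error-prone. The following script is an added example, not part of this article or of the univention-sudo-ldap package: it parses the plain “key: value” listing printed by udm sudo/rule list (the format shown above, with or without indentation), flattens every rule into (user, host, command) grants for review, and flags rules whose command entry is not an absolute path, which is what the recommendation above asks for. The listing it works on is constructed for the example; the attribute names (command, users, hosts, name, description) are the ones shown in the udm output above.

```python
"""Audit sudo-ldap rules from the output of `udm sudo/rule list`.

Added example, not part of the article or the univention-sudo-ldap package.
Run `udm sudo/rule list --filter objectClass=sudoRole` on the DC Master and
feed its output to parse_udm_listing(); here a constructed listing is embedded
so the script runs offline.
"""

# Constructed sample listing in the format `udm sudo/rule list` prints.
# The second rule deliberately uses a relative command name.
SAMPLE_LISTING = """\
DN: cn=Package Management,cn=sudo-ldap,cn=univention,dc=example,dc=com
  ARG: None
  command: /usr/bin/apt-get
  users: mmueller
  users: cschmidt
  hosts: server1.example.com
  hosts: backup
  name: Package Management
  description: Package handling with apt-get

DN: cn=Service Restart,cn=sudo-ldap,cn=univention,dc=example,dc=com
  ARG: None
  command: systemctl
  users: jdoe
  hosts: server1.example.com
  name: Service Restart
  description: restart services (command given without full path)
"""


def parse_udm_listing(text):
    """Return a list of rules; each rule maps an attribute name to a list of values.

    A new rule starts at every "DN:" line; repeated attributes (users, hosts,
    command) are collected into lists in the order udm printed them.
    """
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "key: value" line, ignore
        key, value = key.strip(), value.strip()
        if key == "DN":
            current = {"DN": [value]}
            rules.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)
    return rules


def expand_grants(rules):
    """Flatten rules into sorted (user, host, command) triples for review."""
    grants = set()
    for rule in rules:
        for user in rule.get("users", []):
            for host in rule.get("hosts", []):
                for cmd in rule.get("command", []):
                    grants.add((user, host, cmd))
    return sorted(grants)


def audit_rules(rules):
    """Return (dn, finding) pairs for rules that need attention.

    Checks: every command entry is an absolute path (as the article
    recommends), and a rule is not left without users or hosts.
    """
    findings = []
    for rule in rules:
        dn = rule["DN"][0]
        for cmd in rule.get("command", []):
            if not cmd.startswith("/"):
                findings.append((dn, "command '%s' is not an absolute path" % cmd))
        if not rule.get("users"):
            findings.append((dn, "rule has no users"))
        if not rule.get("hosts"):
            findings.append((dn, "rule has no hosts"))
    return findings


if __name__ == "__main__":
    parsed = parse_udm_listing(SAMPLE_LISTING)
    for user, host, cmd in expand_grants(parsed):
        print("%-10s may run %-20s on %s" % (user, cmd, host))
    for dn, finding in audit_rules(parsed):
        print("WARNING: %s: %s" % (dn, finding))
```

The grant table is the part worth keeping in change reviews: after every udm sudo/rule modify, re-run the script and diff the output against the previous run, so an appended user or host shows up as an explicit new line rather than hiding inside a long rule.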
So finally, in this example, a defined user can install some new software:
mmueller@backup:~$ sudo apt-get install cowsay
[sudo] Passwort für mmueller:
[...]
Die folgenden NEUEN Pakete werden installiert:
cowsay
Upgrade from older univention-sudo-ldap package
If you upgraded this cool solution, you might run into the following bug:
https://forge.univention.org/bugzilla/show_bug.cgi?id=57237