Help Center/ Huawei Cloud EulerOS/ Best Practices/ Configuring LDAP-based sudo Authentication
Updated on 2025-07-29 GMT+08:00

Configuring LDAP-based sudo Authentication

Overview

sudo is the program that lets a Linux user run commands as root or as another user. It can be configured in several ways: the sudoers policy can be kept locally on each computer or server, or it can be managed centrally through third-party software. In this section, an OpenLDAP server is used as the central store. Users and their sudo permissions are then managed in one place on the OpenLDAP server, which simplifies client-side setup. Once the SSSD service on a client is configured with an LDAP sudo authentication source, OpenLDAP users can run sudo on that client according to the rules stored in the directory.

Prerequisites

  • A yum repository has been configured. For details about how to configure a yum repository accessed over the Internet, see Configuring Repositories and Installing Software for HCE.
  • The OpenLDAP server and client have been deployed.
  • The SSSD service has been installed and configured on the client.

Procedure

  1. Import the sudo schema.

    1. Create the /etc/openldap/schema/sudo.schema file on the OpenLDAP server and write the following content to the file:
      # OpenLDAP schema file for Sudo
      # Save as /etc/openldap/schema/sudo.schema and restart slapd.
      # For a version that uses online configuration, see schema.olcSudo.
      #
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.1
          NAME 'sudoUser'
          DESC 'User(s) who may  run sudo'
          EQUALITY caseExactIA5Match
          SUBSTR caseExactIA5SubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.2
          NAME 'sudoHost'
          DESC 'Host(s) who may run sudo'
          EQUALITY caseExactIA5Match
          SUBSTR caseExactIA5SubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.3
          NAME 'sudoCommand'
          DESC 'Command(s) to be executed by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.4
          NAME 'sudoRunAs'
          DESC 'User(s) impersonated by sudo (deprecated)'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.5
          NAME 'sudoOption'
          DESC 'Options(s) followed by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.6
          NAME 'sudoRunAsUser'
          DESC 'User(s) impersonated by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.7
          NAME 'sudoRunAsGroup'
          DESC 'Group(s) impersonated by sudo'
          EQUALITY caseExactIA5Match
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.8
          NAME 'sudoNotBefore'
          DESC 'Start of time interval for which the entry is valid'
          EQUALITY generalizedTimeMatch
          ORDERING generalizedTimeOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.9
          NAME 'sudoNotAfter'
          DESC 'End of time interval for which the entry is valid'
          EQUALITY generalizedTimeMatch
          ORDERING generalizedTimeOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
       
      attributetype ( 1.3.6.1.4.1.15953.9.1.10
          NAME 'sudoOrder'
          DESC 'an integer to order the sudoRole entries'
          EQUALITY integerMatch
          ORDERING integerOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
       
      objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
          DESC 'Sudoer Entries'
          MUST ( cn )
          MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
                sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $
                sudoNotAfter $ description )
          )
    2. Create a conversion configuration file.
      cat > ./schema_conv.conf << EOL
      include /etc/openldap/schema/sudo.schema
      EOL
    3. Convert the schema into an LDIF file.
      mkdir /tmp/ldif
      slaptest -f ./schema_conv.conf -F /tmp/ldif/
    4. Copy the LDIF file to the schema directory.
      cp /tmp/ldif/cn\=config/cn\=schema/cn\=\{0\}sudo.ldif /etc/openldap/schema/sudo.ldif
    5. Open sudo.ldif and change the values of dn and cn: replace the dn line with dn: cn=sudo,cn=schema,cn=config and the cn line with cn: sudo, that is, drop the {0} index prefix that slaptest adds to both. (The figure that showed this edit is not reproduced here.)

      Delete the following operational attribute lines at the end of the file (the values shown are examples only; yours will differ):
      structuralObjectClass: olcSchemaConfig
      entryUUID: b1d84e62-d5fa-103f-92ae-45f3b9c81bd2
      creatorsName: cn=config
      createTimestamp: 20250605014651Z
      entryCSN: 20250605014651.004275Z#000000#000#000000
      modifiersName: cn=config
      modifyTimestamp: 20250605014651Z
    6. Modify the file permissions.
      chown ldap:ldap /etc/openldap/schema/sudo.ldif
    7. Import the schema into the cn=config database so that the directory can store sudo configuration (sudoRole entries).
      ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif
      systemctl restart slapd
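Step 5 above is easy to get wrong by hand, because the long olcAttributeTypes values are folded across continuation lines and must survive intact while the operational attributes are removed. The following helper automates that step; it is an added example and not part of the original page or of OpenLDAP, and the file path in the usage comment is an assumption.

```python
"""Clean up the sudo schema LDIF that slaptest writes (step 5 of the procedure).

Hypothetical helper, not from the page: it drops the {N} index from dn/cn and
removes the operational attributes that ldapadd rejects, while keeping the
folded olcAttributeTypes/olcObjectClasses values intact.
"""
import sys

# Operational attributes slapd stamps on the exported entry; ldapadd refuses them.
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
}


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def clean_schema_ldif(text: str, name: str = "sudo") -> str:
    """Return an LDIF that can be imported under cn=schema,cn=config."""
    out: list[str] = []
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            out.append(line)                      # comments and blanks pass through
            continue
        attr, _, value = line.partition(":")
        key = attr.strip().lower()
        if key in OPERATIONAL_ATTRS:
            continue                              # dropped, as in step 5
        if value.startswith(":"):                 # base64 value (attr:: ...), keep verbatim
            out.append(line)
            continue
        value = value.strip()
        if key == "dn":
            value = f"cn={name},cn=schema,cn=config"   # was cn={0}sudo
        elif key == "cn":
            value = name                               # was {0}sudo
        out.append(f"{attr}: {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Assumed usage: python clean_sudo_ldif.py '/tmp/ldif/cn=config/cn=schema/cn={0}sudo.ldif' > sudo.ldif
    sys.stdout.write(clean_schema_ldif(open(sys.argv[1]).read()))
```

The output is not re-folded at 76 columns; ldapadd accepts long attribute lines, so the unfolded file imports as is.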

  2. Create an organizational unit sudoers.

    1. On the OpenLDAP client, create the sudoers.ldif file and write the following content to the file:
      dn: ou=sudoers,dc=huawei,dc=com
      objectClass: organizationalUnit
      objectClass: top
      ou: sudoers
      description: Default ou for SUDO
      
      dn: cn=defaults,ou=sudoers,dc=huawei,dc=com
      objectClass: sudoRole
      objectClass: top
      cn: defaults
      sudoHost: ALL
      sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
      

      This creates the sudoers organizational unit together with a defaults entry that holds the default sudo settings.

      The domain name and default sudo settings are examples only. You can modify the file content as needed.

    2. Add sudoers settings to the LDAP server.
      ldapadd -x -D cn=Manager,dc=huawei,dc=com -W -f sudoers.ldif

      Change the administrator account in the command based on the actual OpenLDAP deployment.

  3. Add an OpenLDAP user to the sudoers organizational unit.

    1. To add an existing OpenLDAP user (for example, test1) to sudoers, create the user_add.ldif file and write the following content to the file:
      dn: cn=test1,ou=sudoers,dc=huawei,dc=com
      objectClass: sudoRole
      objectClass: top
      cn: test1
      sudoCommand: ALL
      sudoHost: ALL
      sudoRunAsUser: ALL
      sudoUser: test1
      
      To create a new OpenLDAP user (for example, test2) and add it to sudoers at the same time, create the user_add.ldif file and write the following content to the file:
      dn: uid=test2,ou=People,dc=huawei,dc=com
      objectClass: inetOrgPerson
      objectClass: posixAccount
      objectClass: shadowAccount
      uid: test2
      cn: test2
      sn: temp
      userPassword: {SSHA}cDG5NuQd+rYn6rWh1r5UnysUOwJlt1uk
      loginShell: /bin/bash
      uidNumber: 2000
      gidNumber: 2000
      homeDirectory: /home/test2
      shadowLastChange: 0
      shadowMax: 0
      shadowWarning: 0
      
      dn: cn=test2,ou=Group,dc=huawei,dc=com
      objectClass: posixGroup
      cn: test2
      gidNumber: 2000
      memberUid: test2
      
      dn: cn=test2,ou=sudoers,dc=huawei,dc=com
      objectClass: sudoRole
      objectClass: top
      cn: test2
      sudoCommand: ALL
      sudoHost: ALL
      sudoRunAsUser: ALL
      sudoUser: test2
      

      Change the home directory, username, uidNumber, gidNumber, userPassword, sudo configuration items, and other values as needed. Note that the value in each entry's RDN (uid=test2, cn=test2) must also appear as an attribute of that entry (uid: test2, cn: test2), or slapd rejects the entry with a naming violation. You can run slappasswd to generate a value for userPassword.

    2. Add configurations to the OpenLDAP server.
      ldapadd -x -D cn=Manager,dc=huawei,dc=com -W -f user_add.ldif
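A quick way to catch the naming mistakes that slip into sudoers.ldif and user_add.ldif (an RDN of ou=sudoers paired with ou: sudo, or a uid=test2 entry without uid: test2) before running ldapadd. This checker is an added example, not part of the original page; the sample LDIF it contains is constructed to reproduce both mistakes.

```python
"""Naming check for LDIF files (hypothetical helper, not from the page).
OpenLDAP rejects an entry whose RDN value is not also present as an attribute
("naming attribute ... is not present in entry"); this finds such entries."""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: unfold continuation lines, split entries on blank lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def naming_violations(text: str) -> list[str]:
    """Return the DNs whose RDN attribute/value pair is missing from the entry body.
    Values are compared case-insensitively (the caseIgnore rule used by cn, ou, uid);
    multi-valued RDNs (a=x+b=y) and escaped commas in DNs are not handled."""
    bad: list[str] = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        attr, _, value = dn.split(",", 1)[0].partition("=")
        present = [v.lower() for v in entry.get(attr.strip().lower(), [])]
        if value.strip().lower() not in present:
            bad.append(dn)
    return bad


# Constructed input reproducing the two mistakes described in the lead-in.
SAMPLE = """\
dn: ou=sudoers,dc=huawei,dc=com
objectClass: organizationalUnit
ou: sudo

dn: uid=test2,ou=People,dc=huawei,dc=com
objectClass: posixAccount
cn: test2

dn: cn=test2,ou=sudoers,dc=huawei,dc=com
objectClass: sudoRole
cn: test2
sudoUser: test2
"""

if __name__ == "__main__":
    for dn in naming_violations(SAMPLE):
        print("naming violation:", dn)
```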

  4. Perform configurations on the client.

    1. Add the following configuration to /etc/nsswitch.conf so that the SSSD service can manage sudoers configurations:
      sudoers: files sss

    2. Edit the /etc/sssd/sssd.conf file as follows. The sudo-related settings are ldap_sudo_search_base and sudo_provider in the [domain/ldap] section and sudo in the services list of the [sssd] section (shown in bold in the original); the other values come from the existing SSSD configuration and are shown for context:
      [domain/ldap]
      enumerate = False
      ldap_schema = rfc2307bis
      autofs_provider = ldap
      cache_credentials = False
      ldap_search_base = dc=huawei,dc=com
      id_provider = ldap
      auth_provider = ldap
      chpass_provider = ldap
      ldap_sudo_search_base = ou=sudoers,dc=huawei,dc=com
      sudo_provider = ldap
      ldap_uri = ldaps://huawei.com
      ldap_tls_reqcert = allow
      ldap_tls_cacertdir = /etc/openldap/ssl
      ldap_search_timeout = 90
      ldap_network_timeout = 90
      timeout = 30
      ldap_id_use_start_tls = false
      
      [sssd]
      services = nss, pam, sudo
      domains = ldap
      
      [nss]
      homedir_substring = /home
      

      Adjust values such as the domain name in [domain/ldap] and the domains field in [sssd] to match your deployment.

    3. Clear the SSSD cache and restart the SSSD service.
      systemctl stop sssd
      sss_cache -E
      systemctl restart sssd
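Before logging in to test, it helps to check that the three pieces of client wiring from this step are all in place (sudo in the SSSD services list, sudo_provider and ldap_sudo_search_base in the domain section, and sss on the sudoers line of nsswitch.conf). The following pre-flight check is an added example, not part of the page or of SSSD; it also flags ldap_tls_reqcert = allow, which lets SSSD download sudo rules over a session whose server certificate could not be verified. The sssd.conf text it contains is a constructed copy of the settings above.

```python
"""Pre-flight check for the client-side LDAP sudo wiring (hypothetical helper)."""
import configparser

# Constructed sample mirroring the sssd.conf above; the weak TLS setting is kept on purpose.
SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = ldap

[domain/ldap]
id_provider = ldap
sudo_provider = ldap
ldap_search_base = dc=huawei,dc=com
ldap_sudo_search_base = ou=sudoers,dc=huawei,dc=com
ldap_uri = ldaps://huawei.com
ldap_tls_reqcert = allow
"""
NSSWITCH = "passwd: files sss\nsudoers: files sss\n"


def check_sudo_wiring(sssd_text: str, nsswitch_text: str) -> list[str]:
    """Return findings; an empty list means the client is wired for LDAP sudo."""
    findings: list[str] = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo")
    for domain in cfg.get("sssd", "domains", fallback="").split(","):
        sect = f"domain/{domain.strip()}"
        if not cfg.has_section(sect):
            findings.append(f"missing section [{sect}]")
            continue
        if cfg.get(sect, "sudo_provider", fallback="") != "ldap":
            findings.append(f"[{sect}] sudo_provider is not ldap")
        if not cfg.get(sect, "ldap_sudo_search_base", fallback=""):
            findings.append(f"[{sect}] ldap_sudo_search_base is not set")
        # SSSD's default is "hard"; "demand"/"hard" verify the server certificate,
        # "allow"/"never" accept an unverifiable or missing one.
        reqcert = cfg.get(sect, "ldap_tls_reqcert", fallback="hard")
        if reqcert not in ("hard", "demand"):
            findings.append(f"[{sect}] ldap_tls_reqcert = {reqcert}; use demand")
    sudoers = [l for l in nsswitch_text.splitlines() if l.startswith("sudoers:")]
    if not sudoers or "sss" not in sudoers[0].split()[1:]:
        findings.append("nsswitch.conf: sudoers line must list sss")
    return findings


if __name__ == "__main__":
    for finding in check_sudo_wiring(SSSD_CONF, NSSWITCH) or ["client sudo wiring looks complete"]:
        print(finding)
```

On a real client, read the two files instead of the embedded samples (for example, `check_sudo_wiring(open("/etc/sssd/sssd.conf").read(), open("/etc/nsswitch.conf").read())`).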

  5. Verify sudo commands.

    1. Log in using an OpenLDAP user (for example, test1) and run sudo -l. Expected result: