Thread: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

  1. #1
    Distro: Ubuntu 9.10 Karmic Koala

    HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Ubuntu 9.10 (Karmic Koala) SUDO-LDAP Walk-through

    Table of Contents:
    Background
    Assumptions
    Server Configuration
    Client Configuration
    Reference

    Background:

    There are many threads and documentation regarding initial setup of OpenLDAP with HDB on Ubuntu. However, none fully addresses enabling SUDO access for users in a 100% LDAP environment (that is, no local UNIX account available). This walk-through should address this lack of documentation.

    Assumptions:

    1. You have already installed OpenLDAP for Ubuntu Server 9.10 -
    2. Your current "Base" is "dc=example,dc=com"
    3. Your LDAP Administrator is "cn=admin,dc=example,dc=com"
    4. Your LDAP Server is listening on "127.0.0.1"

    Server Configuration

    1.) Install sudo-ldap package
    I. You will need to drop fully into root mode for this part!
    Code:
    sudo su
    II. Turn off SUDO safety switch
    Code:
    export SUDO_FORCE_REMOVE=yes
    III. Get package
    Code:
    apt-get install sudo-ldap
    IV. Turn on SUDO Safety switch
    Code:
    export SUDO_FORCE_REMOVE=no
    V. Drop back to user-land mode
    Code:
    exit
    2.) Prime LDAP to support SUDO functions with the sudo.schema
    I. Create a directory to work out of
    Code:
    mkdir ~/sudoWork
    II. Copy the sudo Schema into the LDAP schema repository
    Code:
    sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
    III. Create a conversion file for schema
    Code:
    sudo echo "include /etc/ldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf
    IV. Now run the "Schema" to "LDIF" command slapcat
    Code:
    slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/cn\=sudo.ldif
    V. Clean up the output file (it will contain items that will break the existing database if not removed!)
    Code:
    vi ~/sudoWork/cn\=sudo.ldif
    ... And ensure the top of the file looks EXACTLY like this:
    Code:
    dn: cn=sudo,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: sudo
    ... And ensure the bottom of the file has ALL of the following removed:
    NOTE: Your "Timestamp" line will be different time! This is OK!
    Code:
    structuralObjectClass: olcSchemaConfig
    entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
    creatorsName: cn=config
    createTimestamp: 20080826021140Z
    entryCSN: 20080826021140.791425Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20080826021140Z
    VI. Now load this schema into the LDAP server
    Code:
    ldapadd -x -D cn=admin,cn=config -W -f ~/sudoWork/cn\=sudo.ldif
    SUPPORT: This is where stuff breaks a lot! You cannot move forward in How-To unless Step 2 is complete! Reply to thread for support help!

    VII. Add Sudo Schema Index support
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your configuration file!
    Code:
    sudo sh -c 'echo "index    sudoUser    eq" >> /etc/ldap.conf'
    VIII. Reload your LDAP for changes to take effect
    Code:
    sudo /etc/init.d/slapd restart
    3.) Build and Deploy the SUDO LDAP Container
    I. Create the file ~/sudoWork/sudoMaster.ldif ...
    Code:
    vi ~/sudoWork/sudoMaster.ldif
    ...And populate it with the following lines:
    Code:
    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    # serviceSearchDescriptor belongs to the DUAConfigProfile schema, which is not
    # loaded by default, so it is omitted here. Leave ONE blank line after this
    # entry so the records appended by sudoers2ldif start a new LDIF record.

    II. Now convert your old /etc/sudoers configuration into LDAP modules
    Code:
    sudo su
    SUDOERS_BASE=ou=SUDOers,dc=example,dc=com
    export SUDOERS_BASE
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    perl /usr/share/doc/sudo-ldap/sudoers2ldif /etc/sudoers >> ~/sudoWork/sudoMaster.ldif
    exit
    III. Now let's load the configuration into LDAP
    Code:
    ldapadd -f ~/sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=example,dc=com -W -x

    Client Configuration

    1.) Install LDAP Client Configuration
    I. Get LibNSS-LDAP package
    TIP! Have your LDAP IP, Base Name, Admin Account and Admin Password Handy before executing this command
    Code:
    sudo apt-get install libnss-ldap
    ...An ncurses-based setup screen will ask you for information about your LDAP setup
    II. Enable LDAP Support in PAM system
    Code:
    sudo auth-client-config -t nss -p lac_ldap
    III. Verify PAM based LDAP Support
    Code:
    sudo pam-auth-update

    NOTE: Skip Step 2 for installation on the LDAP server as we already did this above!

    2.) Install sudo-ldap package
    I. You will need to drop fully into root mode for this part!
    Code:
    sudo su
    II. Turn off SUDO safety switch
    Code:
    export SUDO_FORCE_REMOVE=yes
    III. Get package
    Code:
    apt-get install sudo-ldap
    IV. Turn on SUDO Safety switch
    Code:
    export SUDO_FORCE_REMOVE=no
    V. Drop back to user-land mode
    Code:
    exit
    3.) Manually set up sudo redirection from /etc/sudoers to the LDAP directory
    I. Add support for sudo extensions in /etc/ldap.conf
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    sudo sh -c 'echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/ldap.conf'
    II. Symbolically link Sudo Ldap Config file to main LDAP config file
    NOTE: This is not obvious in ANY documentation I have reviewed, only support forums revealed this
    Code:
    sudo ln -s /etc/ldap.conf /etc/sudo-ldap.conf
    III. Add support for sudo / ldap communication in NS Switch configuration
    WARNING: Take note of the double ">>" in line, you do NOT want to accidentally blow out your file!
    Code:
    sudo sh -c 'echo "sudoers: ldap" >> /etc/nsswitch.conf'
    Reference

    OpenLDAP Server Installation Guide (official) https://help.ubuntu.com/9.10/serverg...ap-server.html

    HowTo: OpenLDAP and Karmic
    http://ubuntuforums.org/showthread.php?t=1313472

    SUDO LDAP ReadMe File
    http://www.gratisoft.us/sudo/readme_ldap.html

    SUDO LDAP Manual
    http://www.gratisoft.us/sudo/man/sud..._nsswitch_conf

    Can't get sudo to work with ldap
    http://ubuntuforums.org/showthread.php?t=803212

    sudo-ldap: should use alternative config file [patch]
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430826


    Last edited by hackajar; April 13th, 2010 at 08:52 PM. Reason: Grammar
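The clean-up in step 2:V of the walk-through is done by hand in vi. As an added example (not part of the original post), the shell function below performs the same clean-up over the slapcat output from step 2:IV; the sample input is constructed to mimic that output and the ~/sudoWork directory name is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: automate step 2:V of the walk-through.
# clean_schema_ldif reads the raw LDIF that slapcat prints in step 2:IV on
# stdin and writes the cleaned LDIF (ready for ldapadd in step 2:VI) on stdout:
# the "{0}" ordering prefix is dropped from the dn and cn, and the operational
# attributes that break the import are deleted.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}sudo,cn=schema,cn=config$/dn: cn=sudo,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}sudo$/cn: sudo/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed sample that mimics slapcat's output for the sudo schema; the
# olcAttributeTypes line is abbreviated and the UUID/timestamps are made up.
sample_raw_ldif() {
    cat <<'EOF'
dn: cn={0}sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100101000000Z
entryCSN: 20100101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100101000000Z
EOF
}

# Real use, replacing the vi edit in step 2:V:
#   slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 \
#       -s "cn={0}sudo,cn=schema,cn=config" | clean_schema_ldif > ~/sudoWork/cn\=sudo.ldif
# Demonstration on the constructed sample:
sample_raw_ldif | clean_schema_ldif
```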

  2. #2
    Distro: Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Oh wow, great guide! Although I'm having a problem with step 3 of step 3. When I type in
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    (I deleted ~/ in every entry since it gave me problems) It gives me this result:
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x 
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 7, entry "ou=SUDOers,dc=prvi-dijak,dc=si"?)
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Type or value exists (20)
            additional info: objectClass: value #0 provided more than once
    Any ideas?


    Oh, and a few more issues I noticed:
    Problem 1: It said permission denied on:
    Code:
    sudo echo "index    sudoUser    eq" >> /etc/ldap.conf
    so I manually inserted the line (index sudoUser eq) at the end of the file.
    Problem 2: You have a typo in the "sudo /etc/init.d/sldap restart" command. Should be like this "sudo /etc/init.d/slapd restart" I assume (slapd instead of sldap).


    Great tutorial BTW!!!


    EDIT:

    My sudoMaster.ldif starts like this:
    Code:
    dn: ou=SUDOers,dc=prvi-dijak,dc=si
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    serviceSearchDescriptor: sudoers: ou=sudoers,dc=prvi-dijak,dc=si
    dn: cn=defaults,ou=SUDOers,dc=prvi-dijak,dc=si
    objectClass: top
    objectClass: sudoRole
    cn: defaults
    description: Default sudoOption's go here
    sudoOption: env_reset
    I'm guessing there's supposed to be a break somewhere there? Not after serviceSearchDescriptor, that gives an "attribute type undefined" error.
    Last edited by Squeazer; April 13th, 2010 at 08:41 PM.
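The two errors quoted in the post above (a dn line not recognised, then objectClass provided twice) are what ldapadd reports when the OU entry and the first record appended by sudoers2ldif are not separated by a blank line. As an added example, not part of Squeazer's post, the shell functions below detect and repair that in an LDIF file; the sample input is constructed to mirror the fused file shown above, using the thread's example base.

```shell
#!/bin/sh
# Added example, not from the thread: check and repair LDIF record separation.
# ldapadd treats a blank line as the end of a record, so if the OU entry in
# sudoMaster.ldif is not followed by a blank line, the appended sudoers2ldif
# output is parsed as more attributes of the OU (hence the "missing newline"
# warning and the duplicate objectClass error).

# Exit status 0 when every "dn:" line after the first is preceded by a blank
# line, 1 when at least one record runs straight into the next.
ldif_check_separation() {
    awk 'NR > 1 && /^dn: / && prev != "" { bad++ }
         { prev = $0 }
         END { exit (bad > 0) }'
}

# Same input on stdin; prints it with a blank line inserted before every
# "dn:" line that directly follows a non-blank line.
ldif_fix_separation() {
    awk 'NR > 1 && /^dn: / && prev != "" { print "" }
         { print; prev = $0 }'
}

# Constructed sample mirroring the fused sudoMaster.ldif quoted above, with
# the thread's example base dc=example,dc=com.
sample_fused_ldif() {
    cat <<'EOF'
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
EOF
}

# Real use: ldif_fix_separation < ~/sudoWork/sudoMaster.ldif > ~/sudoWork/fixed.ldif
# Demonstration on the constructed sample:
if sample_fused_ldif | ldif_check_separation; then
    echo "records already separated"
else
    echo "fused record found; repaired output follows:"
    sample_fused_ldif | ldif_fix_separation
fi
```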

  3. #3
    Distro: Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Try the following:

    * Blow out (delete) SudoMaster file
    * Create same file again with steps, stopping before the perl command step.
    * Run THAT file into ldap (step 3 of 3)
    * Run perl command on NEW output file
    * Run THAT file into ldap (like in step 3 of 3).

    Hopefully this will fix your issue.

    P.S. since you already ran master file, you may get a notice that stuff is already added, you can ignore this message if it comes up.

  4. #4
    Distro: Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Still no go. I get this message:

    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    Enter LDAP Password:
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Undefined attribute type (17)
            additional info: serviceSearchDescriptor: attribute type undefined
    P.S. I am running the latest version of OpenLDAP - 2.4
    Last edited by Squeazer; April 13th, 2010 at 09:03 PM.

  5. #5
    Distro: Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Ah-ha!

    Recheck that everything was done correctly in section 2:II-VI. This error is a result of the sudo schema not being correctly initialized on the server. It is VERY important that step 2:V is followed to a T.

  6. #6
    Distro: Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Hmm, will do, could you just give me a command to delete the old schema from the LDAP server, since when I try to add the new one it prints out:

    Code:
    ldapadd -x -D cn=admin,cn=config -W -f sudoWork/cn\=sudo.ldif
    Enter LDAP Password:
    adding new entry "cn=sudo,cn=schema,cn=config"
    ldap_add: Other (e.g., implementation specific) error (80)
            additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.15953.9.1.1"
    Or will ldapadd add the schema anyway?

  7. #7
    Distro: Ubuntu 10.04 Lucid Lynx

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Quote Originally Posted by Squeazer:
    Oh wow, great guide! Although I'm having a problem with step 3 of step 3. When I type in
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    (I deleted ~/ in every entry since it gave me problems) It gives me this result:
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x 
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 7, entry "ou=SUDOers,dc=prvi-dijak,dc=si"?)
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Type or value exists (20)
            additional info: objectClass: value #0 provided more than once
    I successfully followed the tutorial for setting up SAMBA + LDAP: http://tuxnetworks.blogspot.com/2010...cid-short.html. I made minor mods to allow notebook users to login with locally cached LDAP database while working remotely.

    I got the same errors as mentioned above by Squeazer. This is after changing the ldapadd method used to match the tutorial. Not sure if this helps, but the issue may lie in the details of how this was set up.

    I had to reinstall sudo & used Squeazer's SUDOers LDAP group. All is fine with this much simpler method. The only real disadvantage is that I must add this to all LDAP clients in order to use the group, but with only a handful of clients, the pain is minimal.
    Last edited by cvalentine02; March 22nd, 2011 at 03:34 AM.
