OpenLDAP permissions: sudo

it  2022-05-05


References:

http://pig.made-it.com/ldap-sudoers.html
https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
http://qiita.com/T_Tsan/items/5ea2563450ed2d2ee20f
http://edo.blog.jp/archives/1538669.html

Server side

yum -y install sudo

The sudo-ldap approach

cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema

Generate sudo.ldif

echo 'include /etc/openldap/schema/sudo.schema' > /tmp/sudo.conf
mkdir /tmp/sudo
slaptest -f /tmp/sudo.conf -F /tmp/sudo
# vim /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif

In the generated file, replace

dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo

with

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo

and delete the operational attributes slaptest added to the entry:

structuralObjectClass: olcSchemaConfig
entryUUID: bd975dc0-1654-1036-9c97-c37d6a498779
creatorsName: cn=config
createTimestamp: 20160924034303Z
entryCSN: 20160924034303.121340Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160924034303Z

Then copy the result into the schema directory:

cp /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif /etc/openldap/schema/sudo.ldif
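The hand edits above can be done programmatically. This is an added helper, not code from the original post: it rewrites the slaptest-generated dn and cn lines, strips the operational attributes, and keeps folded continuation lines of the schema values. The SAMPLE input is constructed; its UUID and timestamps are placeholders.

```python
import re

# Operational attributes slaptest writes into the generated LDIF; they must be
# stripped before the entry can be loaded under cn=schema,cn=config.
OPERATIONAL_ATTRS = ("structuralObjectClass", "entryUUID", "creatorsName",
                     "createTimestamp", "entryCSN", "modifiersName", "modifyTimestamp")

def convert_schema_ldif(text, name):
    """Rewrite a slaptest cn={N}<name>.ldif into a loadable cn=<name>,cn=schema,cn=config entry."""
    out, dropping = [], False   # dropping: inside a folded value of a removed attribute
    for line in text.splitlines():
        if line.startswith(" "):           # LDIF continuation line
            if not dropping:
                out.append(line)
            continue
        dropping = False
        if line.split(":", 1)[0] in OPERATIONAL_ATTRS:
            dropping = True
            continue
        m = re.fullmatch(r"dn: cn=\{\d+\}(\S+)", line)
        if m and m.group(1) == name:       # dn: cn={0}sudo -> dn: cn=sudo,cn=schema,cn=config
            out.append(f"dn: cn={name},cn=schema,cn=config")
            continue
        m = re.fullmatch(r"cn: \{\d+\}(\S+)", line)
        if m and m.group(1) == name:       # cn: {0}sudo -> cn: sudo
            out.append(f"cn: {name}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample in the shape slaptest produces (UUID and timestamps are placeholders).
SAMPLE = """dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) w
 ho may run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20160924034303Z
entryCSN: 20160924034303.121340Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160924034303Z
"""

if __name__ == "__main__":
    print(convert_schema_ldif(SAMPLE, "sudo"), end="")
```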

Enable the sudo schema

vim /etc/openldap/slapd.conf

Add the line:

include /etc/openldap/schema/sudo.schema

Then regenerate the slapd.d configuration and restart slapd:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

sudoer permissions

sudoer.ldif:

dn: ou=sudoer,dc=suntv,dc=tv
ou: sudoer
objectClass: top
objectClass: organizationalUnit

# The RDN value must also be present as the cn attribute (the original had
# dn cn=default with cn: defaults, which slapd rejects as a naming violation);
# sudo looks up the entry named cn=defaults.
dn: cn=defaults,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOption: logfile = /var/log/sudo
# The original "sudoOption: %g01, %g02 !requiretty" is not a valid sudoOption
# value (each value is a single option); the per-group override is expressed
# as "sudoOption: !requiretty" in each group's own sudoRole entry below.

# g01 group: su disabled, editing sudo privileges disabled, user and group
# management disabled.
# Note: sudoers(5) warns that excluding commands from ALL with '!' is not an
# effective restriction; an explicit list of permitted commands is the robust form.
dn: cn=%g01,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g01
sudoUser: %g01
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !requiretty
sudoCommand: ALL
sudoCommand: !/bin/su*
sudoCommand: !/usr/bin/vim /etc/sudoers*
sudoCommand: !/bin/vi /etc/sudoers*
sudoCommand: !/usr/sbin/visudo
sudoCommand: !/usr/sbin/adduser*
sudoCommand: !/usr/sbin/useradd*
sudoCommand: !/usr/sbin/userdel*
sudoCommand: !/usr/sbin/groupadd*
sudoCommand: !/usr/sbin/groupdel*
sudoCommand: !/bin/sh
sudoCommand: !/bin/bash
sudoCommand: !/usr/bin/login

# g02 group: 'sudo su' disabled.
dn: cn=%g02,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g02
sudoUser: %g02
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !requiretty
sudoCommand: ALL
sudoCommand: !/bin/su*

Load it (the commented-out ldapdelete removes an existing ou=sudoer subtree when re-importing):

# ldapdelete -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv ou=sudoer,dc=suntv,dc=tv -r
ldapadd -H ldaps:/// -W -x -D cn=manager,dc=suntv,dc=tv -f sudoer.ldif
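An added audit script, not part of the original post, that parses a sudoer LDIF like the one above and flags the entries a reviewer would question: an RDN that does not match the cn attribute, ALL combined with '!' exclusions, !authenticate on an unrestricted runas, and a sudoOption value that is not a single option. The SAMPLE is constructed to mirror the post's defaults and %g01 entries as they were originally written.

```python
from collections import defaultdict

def parse_ldif(text):
    # One {attr: [values]} dict per LDIF entry; '#' comment lines are skipped.
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    return entries

def audit_sudo_roles(text):
    # Return (dn, finding) pairs for sudoRole entries a reviewer would question.
    findings = []
    for e in parse_ldif(text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        dn, opts, cmds = e["dn"][0], e.get("sudoOption", []), e.get("sudoCommand", [])
        rdn_cn = dn.split(",", 1)[0].split("=", 1)[1]
        if rdn_cn not in e.get("cn", []):        # slapd rejects this as a naming violation
            findings.append((dn, "rdn-mismatch"))
        if "ALL" in cmds and any(c.startswith("!") for c in cmds):
            # sudoers(5): subtracting from ALL with '!' is not an effective restriction
            findings.append((dn, "negated-all"))
        if "!authenticate" in opts and "ALL" in e.get("sudoRunAsUser", ["ALL"]):
            findings.append((dn, "passwordless-root"))   # runas defaults to root when absent
        if any("," in o for o in opts):          # e.g. "%g01, %g02 !requiretty"
            findings.append((dn, "bad-option"))  # not a single sudoOption value
    return findings

# Constructed sample reproducing the post's defaults entry and its g01 role.
SAMPLE = """dn: cn=default,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: defaults
sudoOption: %g01, %g02 !requiretty

dn: cn=%g01,ou=sudoer,dc=suntv,dc=tv
objectClass: sudoRole
cn: %g01
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/su*
"""
```

Running `audit_sudo_roles(SAMPLE)` reports the four issues; run it against the real sudoer.ldif before ldapadd.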

Client side

/etc/sssd/sssd.conf

[sssd]
# add: the sudo and ssh responders
services = nss, pam, sudo, ssh
config_file_version = 2
domains = ldap

[domain/ldap]
debug_level = 9
cache_credentials = True
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# add (the original left the value empty; unset, it falls back to the id_provider value)
sudo_provider = ldap
ldap_uri = ldaps://master.local,ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
# add
ldap_sudo_search_base = ou=Sudoer,dc=suntv,dc=tv
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# "never" skips verification of the server certificate; with the CA configured
# above, "demand" is the safe setting for production
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
entry_cache_timeout = 600
ldap_network_timeout = 2

[nss]
homedir_substring = /home
entry_negative_timeout = 20
entry_cache_nowait_percentage = 50
filter_users = root
filter_groups = root

[pam]

[sudo]

[autofs]

[ssh]

[pac]

/etc/nsswitch.conf

sudoers: files sss

Disable su

vim /etc/pam.d/su

Uncomment the following line:

auth required pam_wheel.so use_uid

Test

u01

id
uid=1001(u01) gid=2001(g01) groups=2001(g01)

sudo -l
Matching Defaults entries for u01 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User u01 may run the following commands on this host:
    (ALL) NOPASSWD: ALL, !/bin/su*, !/usr/bin/vim /etc/sudoers*, !/bin/vi /etc/sudoers*, !/usr/sbin/visudo, !/usr/sbin/adduser*, !/usr/sbin/useradd*, !/usr/sbin/userdel*, !/usr/sbin/groupadd*, !/usr/sbin/groupdel*, !/bin/sh, !/bin/bash, !/usr/bin/login

u04

id
uid=1004(u04) gid=2002(g02) groups=2002(g02)

sudo -l
Matching Defaults entries for u04 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User u04 may run the following commands on this host:
    (ALL) NOPASSWD: ALL, !/bin/su*

Posted on 2016-09-24 11:20 by 北京涛子

Reposted from: https://www.cnblogs.com/liujitao79/p/5902800.html
