SLES12 SSSD local sudo

Hi there,

we need a very basic sudo configuration for our SLES servers.

All users that are connected through ssh are LDAP users over sssd.

We need to allow all LDAP-Users to sudo to ALL=(ALL) ALL

Is it possible to set an LDAP group to allow all members of this group to do sudo?

#>visudo

%LDAP-User-SERVERNAMEGROUP ALL=(ALL) ALL

Or do we need to save some sudo schemas in our LDAP server?

Thanks Tjll

According to this, that should be enough: https://www.suse.com/support/kb/doc/?id=7018675

Thomas

Hi Thomas,

thanks for posting the link, but how can I configure this for use with LDAP?

For a Windows domain it looks like

%DOMAIN_NAME\GROUP_NAME

What do I need for our LDAP?

The Search_base is ou=NUMBER1, ou=NUMBER2, OU=FIRM, O=GERMANY
plus the group name for the admins ADMIN_GROUP

Do I need to configure the complete tree?

Thanks Tjll

tbrinkmann,

This leads me to ask what LDAP back end you are using, OpenLDAP or Active Directory for example.

Regardless, if your sssd.conf is configured correctly, your local groups and your LDAP should both be resolving.

You can test this using standard Linux group tools to test LDAP group name resolution (which should always return the short name, not the distinguished name).

For example, using your provided group name:

~# getent group ADMIN_GROUP

If you get a successful result, that name can be used in your sudo rule/policy:

%ADMIN_GROUP ALL=(ALL) ALL

Hope it helps!

– lawrence
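
The check-then-add procedure from the reply above, written out as an added example (not part of the original posts): it confirms the group resolves by short name, builds the rule, syntax-checks it with visudo and only then installs it as a drop-in. It assumes /etc/sudoers includes /etc/sudoers.d; the drop-in file name and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: /etc/sudoers includes
# /etc/sudoers.d, and the drop-in file name below is hypothetical.

# Print the sudoers rule for a short group name, or fail on unsafe names.
sudoers_group_rule() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;   # empty, option-like, or odd chars
    esac
    printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# Succeed only if NSS (and therefore sssd) resolves the group by short name.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# Build the rule in a temp file, syntax-check it, then install it (run as root).
install_group_rule() {
    group=$1
    dest=${2:-/etc/sudoers.d/50-ldap-admins}   # hypothetical file name
    rule=$(sudoers_group_rule "$group") || { echo "unsafe group name" >&2; return 1; }
    group_resolves "$group" || { echo "group '$group' does not resolve" >&2; return 1; }
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$dest"
        rc=$?
    else
        echo "visudo rejected the rule" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run only when asked to, e.g.: sh script.sh --install ADMIN_GROUP
if [ "${1:-}" = "--install" ]; then
    install_group_rule "${2:-}" "${3:-}"
fi
```

Group names containing anything other than letters, digits, `_`, `.` or `-` are rejected here rather than escaped, so a name cannot carry extra sudoers syntax into the file.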