Hi there,
we need a very basic sudo configuration for our SLES servers.
All users there are connected through ssh are LDAP-Users over sssd.
We need to allow all LDAP-Users to sudo to ALL=(ALL) ALL
Is it possible to set an ldap group to allow all members of these group to do sudo ?
#>visudo
%LDAP-User-SERVERNAMEGROUP ALL=(ALL) ALL
Or do we need to save some sodo shemas in our LDAP Server ?
Thanks Tjll
[QUOTE=tbrinkmann;52185]Hi there,
we need a very basic sudo configuration for our SLES servers.
All users there are connected through ssh are LDAP-Users over sssd.
We need to allow all LDAP-Users to sudo to ALL=(ALL) ALL
Is it possible to set an ldap group to allow all members of these group to do sudo ?
#>visudo
%LDAP-User-SERVERNAMEGROUP ALL=(ALL) ALL
Or do we need to save some sodo shemas in our LDAP Server ?
Thanks Tjll[/QUOTE]
According to this, that should be enough: https://www.suse.com/support/kb/doc/?id=7018675
Thomas
Hi Thomas,
thanks for posting the link but how do I can configure this for using LDAP.
For windows Domain it looks like
%DOMAIN_NAME\GROUP_NAME
What do I need for our LDAP.
The Search_base is ou=NUMBER1, ou=NUMBER2, OU=FIRM, O=GERMANY
plus the group name for the admins ADMIN_GROUP
Do I need to configure the complete tree ?
Thanks Tjll
tbrinkman,
This leads me to ask what LDAP back end you are using, openLDAP or Active Directory for example.
Regardless if your sssd.conf is configured correctly your local groups and your LDAP should both be resolving.
You can test this using standard Linux group tools to test LDAP group name resolution (which should always return the short name, not the distinguished name).
For example, using your provided group name:
~# getent group ADMIN_GROUP
If you get a successful result that name can be used in your sudo rule/policy:
%ADMIN_GROUP ALL=(ALL) ALL
Hope it helps!
– lawrence