How to Configure SUDO via OpenLDAP Server


Well, in this guide, we are going to demonstrate how to configure SUDO via OpenLDAP Server. Apart from granting sudo rights in a system's local sudoers file, sudo can also read its rules from LDAP. Providing SUDO via OpenLDAP eliminates the need to give users sudo privileges via the local system sudoers file.

Configuring SUDO via OpenLDAP Server

In order to configure SUDO via OpenLDAP server, you need to load and enable OpenLDAP sudo schemas. We have addressed this in our previous guide on how to install and setup OpenLDAP on CentOS 8.

Install and Setup OpenLDAP on CentOS 8

Assuming that you have enabled OpenLDAP support for sudo as described in our guide above, proceed with the configuration as follows.

Create OpenLDAP SUDOers Organization Unit (ou)

Before you can configure SUDO via OpenLDAP Server, you need to create a SUDOers ou in your organization's directory tree.

vim sudoersou.ldif

Replace your domain components and description accordingly.

dn: ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectclass: organizationalunit
ou: SUDOers
description: Kifarunix-demo LDAP SUDO Entry

Update the OpenLDAP database with the SUDOers organizational unit entry above.

ldapadd -Y EXTERNAL -H ldapi:/// -f sudoersou.ldif

Create Defaults Entry on SUDOers OpenLDAP OU

According to the sudoers.ldap man page, sudo first looks for the cn=defaults entry in the SUDOers OU. If found, the multi-valued sudoOption attribute is parsed in the same manner as a global Defaults line in /etc/sudoers.

Convert sudoers file to LDAP LDIF

So how do you create the SUDOers defaults entry with all the necessary sudo attributes? Well, to make this easy, convert your local sudoers file, /etc/sudoers, into LDIF format and modify the result to your satisfaction.

  • The sudo package usually ships with a perl script, sudoers2ldif, that converts a sudoers file to an LDIF file for loading into OpenLDAP.
  • It also ships with another tool, cvtsudoers, that can achieve the same task as the sudoers2ldif script.

Locate the sudoers2ldif perl script.

find / -iname sudoers2ldif

Well, if you cannot find it, you can pull it from the sudo GitHub repository. Download the raw version as follows;

wget https://raw.githubusercontent.com/lbt/sudo/master/plugins/sudoers/sudoers2ldif

The script simply looks like;

less sudoers2ldif

#!/usr/bin/env perl
#
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller 
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
use strict;
#
# Converts a sudoers file to LDIF format in prepration for loading into
# the LDAP server.
#
# BUGS:
#   Does not yet handle multiple lines with : in them
#   Does not yet remove quotation marks from options
#   Does not yet escape + at the beginning of a dn
#   Does not yet handle line wraps correctly
#   Does not yet handle multiple roles with same name (needs tiebreaker)
#
# CAVEATS:
#   Sudoers entries can have multiple RunAs entries that override former ones,
#	with LDAP sudoRunAs{Group,User} applies to all commands in a sudoRole
my %RA;
my %UA;
my %HA;
my %CA;
my $base=$ENV{SUDOERS_BASE} or die "$0: Container SUDOERS_BASE undefined\n";
my @options=();
my $did_defaults=0;
my $order = 0;
# parse sudoers one line at a time
while (<>){
  # remove comment
  s/#.*//;
  # line continuation
  $_.=<> while s/\\\s*$//s;
  # cleanup newline
  chomp;
  # ignore blank lines
  next if /^\s*$/;
  if (/^Defaults\s+/i) {
    my $opt=$';
    $opt=~s/\s+$//; # remove trailing whitespace
    push @options,$opt;
  } elsif (/^(\S+)\s+([^=]+)=\s*(.*)/) {
    # Aliases or Definitions
    my ($p1,$p2,$p3)=($1,$2,$3);
    $p2=~s/\s+$//; # remove trailing whitespace
    $p3=~s/\s+$//; # remove trailing whitespace
    if ($p1 eq "User_Alias") {
      $UA{$p2}=$p3;
    } elsif ($p1 eq "Runas_Alias") {
      $RA{$p2}=$p3;
    } elsif ($p1 eq "Host_Alias") {
      $HA{$p2}=$p3;
    } elsif ($p1 eq "Cmnd_Alias") {
      $CA{$p2}=$p3;
    } else {
      if (!$did_defaults++){
        # do this once
        print "dn: cn=defaults,$base\n";
        print "objectClass: top\n";
        print "objectClass: sudoRole\n";
        print "cn: defaults\n";
        print "description: Default sudoOption's go here\n";
        print "sudoOption: $_\n" foreach @options;
        printf "sudoOrder: %d\n", ++$order;
        print "\n";
      }
      # Definition
      my @users=split /\s*,\s*/,$p1;
      my @hosts=split /\s*,\s*/,$p2;
      my @cmds= split /\s*,\s*/,$p3;
      @options=();
      print "dn: cn=$users[0],$base\n";
      print "objectClass: top\n";
      print "objectClass: sudoRole\n";
      print "cn: $users[0]\n";
      # will clobber options
      print "sudoUser: $_\n"   foreach expand(\%UA,@users);
      print "sudoHost: $_\n"   foreach expand(\%HA,@hosts);
      foreach (@cmds) {
	if (s/^\(([^\)]+)\)\s*//) {
	  my @runas = split(/:\s*/, $1);
	  if (defined($runas[0])) {
	    print "sudoRunAsUser: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[0]));
	  }
	  if (defined($runas[1])) {
	    print "sudoRunAsGroup: $_\n" foreach expand(\%RA, split(/,\s*/, $runas[1]));
	  }
	}
      }
      print "sudoCommand: $_\n" foreach expand(\%CA,@cmds);
      print "sudoOption: $_\n" foreach @options;
      printf "sudoOrder: %d\n", ++$order;
      print "\n";
    }
  } else {
    print "parse error: $_\n";
  }
}
#
# recursively expand hash elements
sub expand{
  my $ref=shift;
  my @a=();
  # preen the line a little
  foreach (@_){
    # if NOPASSWD: directive found, mark entire entry as not requiring
    s/NOPASSWD:\s*// && push @options,"!authenticate";
    s/PASSWD:\s*// && push @options,"authenticate";
    s/NOEXEC:\s*// && push @options,"noexec";
    s/EXEC:\s*// && push @options,"!noexec";
    s/SETENV:\s*// && push @options,"setenv";
    s/NOSETENV:\s*// && push @options,"!setenv";
    s/LOG_INPUT:\s*// && push @options,"log_input";
    s/NOLOG_INPUT:\s*// && push @options,"!log_input";
    s/LOG_OUTPUT:\s*// && push @options,"log_output";
    s/NOLOG_OUTPUT:\s*// && push @options,"!log_output";
    s/[[:upper:]]+://; # silently remove other tags
    s/\s+$//; # right trim
  }
  # do the expanding
  push @a,$ref->{$_} ? expand($ref,split /\s*,\s*/,$ref->{$_}):$_ foreach @_;
  @a;
}


Create a bash environment variable pointing at the SUDOers organizational unit created above; the script reads SUDOERS_BASE and exits if it is not set.

export SUDOERS_BASE="ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com"
echo $SUDOERS_BASE

Next, convert the /etc/sudoers file into an LDIF file to create the required SUDOers ou defaults entry.

perl sudoers2ldif /etc/sudoers > sudoers_defaults.ldif

You can also use the cvtsudoers command to convert the sudoers file to LDIF format.

cvtsudoers /etc/sudoers -f ldif -o sudoers_defaults.ldif

So what are the contents of the sudoers_defaults.ldif?

cat sudoers_defaults.ldif
dn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=root,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=%wheel,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

As you can see, the sudoers file in LDIF format contains the defaults entry under the SUDOers OU with its multi-valued sudoOption attributes, plus a role for the root user and one for the wheel group, both taken from /etc/sudoers.

Sudo attributes used above:

  • sudoOption: Similar to Defaults option in /etc/sudoers file.
    • For example, these /etc/sudoers tags map to the following sudoOption values when used via LDAP:
      • NOPASSWD: !authenticate
      • PASSWD: authenticate
      • NOEXEC: noexec
      • EXEC: !noexec
      • SETENV: setenv
      • NOSETENV: !setenv
      • LOG_INPUT: log_input
      • NOLOG_INPUT: !log_input
      • LOG_OUTPUT: log_output
      • NOLOG_OUTPUT: !log_output
  • sudoUser: defines a user name, user ID (prefixed with ‘#’), Unix group name or ID (prefixed with ‘%’ or ‘%#’ respectively), user netgroup (prefixed with ‘+’), or non-Unix group name or ID (prefixed with ‘%:’ or ‘%:#’ respectively)
  • sudoHost: A hostname, IP address, IP network, or host netgroup (prefixed with a ‘+’) or ALL value to match any host.
  • sudoRunAsUser: A username or uid (prefixed with ‘#’) that commands may be run as or a Unix group (prefixed with a ‘%’) or user netgroup (prefixed with a ‘+’) that contains a list of users that commands may be run as. ALL value matches any user.
  • sudoCommand: Specifies a fully-qualified Unix command name with optional command line arguments. Use ALL to match any command.

So, before updating the OpenLDAP database with SUDOers configurations, you can modify the SUDOers LDAP ldif file above.

For example, remove the defined root user and wheel group and add the users that you want to assign SUDO rights via LDAP on the remote clients.

Also, remove the sudoOrder attributes.


cat > modified-sudoer2ldif.ldif << 'EOL'
dn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Kifarunix-demo SUDO via LDAP
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin

dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: janedoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOL

In the above, we created an entry called sudo under the SUDOers ou and assigned a user called janedoe sudo rights to run all commands as any user on any system, which is similar to the line below in the /etc/sudoers file.

janedoe ALL=(ALL:ALL) ALL

Note that the user must already exist in the OpenLDAP database.
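The hand edits described above (drop the root and %wheel roles that came from /etc/sudoers, strip sudoOrder, set the description, add your own role) can also be scripted so that every conversion is tailored the same way. The following is an added Python example, not code from this guide or from the sudo project; the input is a constructed, abridged copy of the sudoers2ldif output shown earlier, and the role_entry and tailor functions are names of my own.

```python
# Constructed, abridged copy of the sudoers2ldif output shown earlier in the guide.
CONVERTED_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=root,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=%wheel,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3
"""

BASE = "ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com"


def role_entry(cn, users, commands=("ALL",), hosts=("ALL",), runas=("ALL",), base=BASE):
    """Build one sudoRole record; the defaults reproduce the guide's 'ALL=(ALL) ALL' role."""
    lines = [f"dn: cn={cn},{base}", "objectClass: top", "objectClass: sudoRole", f"cn: {cn}"]
    lines += [f"sudoUser: {u}" for u in users]
    lines += [f"sudoHost: {h}" for h in hosts]
    lines += [f"sudoRunAsUser: {r}" for r in runas]
    lines += [f"sudoCommand: {c}" for c in commands]
    return "\n".join(lines) + "\n"


def tailor(ldif, drop_cns=("root", "%wheel"), description="Kifarunix-demo SUDO via LDAP", extra_roles=()):
    """Apply the guide's hand edits: drop the root and %wheel roles inherited from
    /etc/sudoers, strip sudoOrder, set the defaults description, append new roles."""
    kept = []
    for record in ldif.strip().split("\n\n"):
        lines = record.splitlines()
        cn = next((ln.partition(":")[2].strip() for ln in lines if ln.lower().startswith("cn:")), "")
        if cn in drop_cns:
            continue
        lines = [ln for ln in lines if not ln.lower().startswith("sudoorder:")]
        if cn == "defaults":
            lines = [f"description: {description}" if ln.startswith("description:") else ln for ln in lines]
        kept.append("\n".join(lines) + "\n")
    return "\n".join(kept + list(extra_roles))


if __name__ == "__main__":
    # Equivalent of the modified-sudoer2ldif.ldif file above: keep defaults, add janedoe.
    print(tailor(CONVERTED_LDIF, extra_roles=[role_entry("sudo", ["janedoe"])]))
```

Run it and redirect the output into the file you pass to ldapadd. Dropping the %wheel role matters: once loaded it would grant every member of a client's local wheel group ALL on every host that consults this OU, which is rarely what a central sudo directory is meant to express.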

Update OpenLDAP Database

Next, load the SUDOers configuration into the OpenLDAP database.

ldapadd -Y EXTERNAL -H ldapi:/// -f modified-sudoer2ldif.ldif

If you need to add another user to the role above;

cat > add-to-sudo-role.ldif << 'EOL'
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: sudoUser
sudoUser: johndoe
EOL
ldapmodify -Y EXTERNAL -H ldapi:/// -f add-to-sudo-role.ldif

To create a different sudo role, say to allow users to run specific commands, see below. Role names can be anything descriptive.

For example, to allow a user called mibeyam to run only the useradd command with sudo, create an LDIF file as shown below and update the OpenLDAP database.

cat > sudo-specific-cmd.ldif << 'EOL'
dn: cn=cmdrole,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: cmdrole
sudoUser: mibeyam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: /usr/sbin/useradd
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f sudo-specific-cmd.ldif

Configure LDAP SUDO NOPASSWD

Sometimes you may want to allow some users to run sudo commands without being prompted for a password.

For this, use the LDAP equivalent of the NOPASSWD tag, the !authenticate value of the sudoOption attribute. See the example below;

dn: cn=koromicha,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: koromicha
objectclass: top
objectclass: sudoRole
sudocommand: ALL
sudohost: ALL
sudooption: !authenticate
sudorunasuser: ALL
sudouser: koromicha

This user will then run all sudo commands without a password.

To list the SUDOers OU, simply run;

export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x sudoUser

Configure OpenLDAP Client to Provide SUDO rights

To test and confirm the provision of sudo rights by OpenLDAP, set up a client to authenticate via OpenLDAP. In this demo, we are using SSSD on an Ubuntu 18.04 system to provide LDAP authentication.

So first, log in to an Ubuntu 18.04 system and set up client authentication as follows.

apt update

Install SSSD and other required packages.

apt install sssd libpam-sss libnss-sss vim sssd-tools libsss-sudo

Create SSSD configuration file with the following content.

vim /etc/sssd/sssd.conf

Replace the values of ldap_default_bind_dn and ldap_default_authtok with your bind DN and its password. Also replace the base DN, LDAP URI, SUDOers search base and LDAP access filter accordingly.

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWord
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Copy the CA certificate from the LDAP server. The command below fetches the certificate chain the server presents over TLS;

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text

Note that openssl x509 decodes only the first certificate in that output, which is the server's own certificate; if the server certificate was signed by a separate CA, take the CA certificate from the OpenLDAP server instead, because ldap_tls_reqcert = demand verifies the server certificate against it. Store it in the file specified above, /etc/ssl/certs/cacert.crt. You can use a different file if you like, as long as ldap_tls_cacert points to it.

vim /etc/ssl/certs/cacert.crt
-----BEGIN CERTIFICATE-----
MIID0TCCArmgAwIBAgIUQnXoL0eVw1STAXFBjKwNobOMtJ8wDQYJKoZIhvcNAQEL
BQAweDELMAkGA1UEBhMCS0UxEDAOBgNVBAgMB05haXJvYmkxEDAOBgNVBAcMB05h
....
...
FG4/H6F0CAD/ksl4w8aEP0JrdZsDxwmGv8GoM6fVI/3qcv2pD/+Fjif0GRcb7V6g
NsyGrEWBFOD+IrMDIm7KvTBEBJbc
-----END CERTIFICATE-----

Open the /etc/ldap/ldap.conf and set the location of the CA certificate file copied from the OpenLDAP server.

vim /etc/ldap/ldap.conf
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT       /etc/ssl/certs/cacert.crt

Define the LDAP SUDOers search base.

echo "sudoers_base ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com" >> /etc/ldap/ldap.conf

Restrict /etc/sssd/ to read and write by the owner (root) only; sssd.conf holds the bind password in clear text and SSSD checks these permissions at startup.

chmod 600 -R /etc/sssd

Restart SSSD service

systemctl restart sssd

Enable Auto Create User's Home Directory

Configure Pluggable Authentication Module (PAM) to automatically create user’s home directory on first login.

This can be achieved by editing the /etc/pam.d/common-session configuration file as follows;

vim /etc/pam.d/common-session

Add the line below just after the line, session optional pam_sss.so.

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so 
session optional pam_sss.so 
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so 
# end of pam-auth-update config

Save and quit the configuration.

Also, ensure that /etc/nsswitch.conf has this line;

sudoers:        files sss
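Before restarting SSSD it is worth checking that the client configuration actually carries the settings this section relies on. The following is an added Python example, not code from this guide, SSSD or sudo. It checks an sssd.conf for the sudo responder, sudo_provider and ldap_sudo_search_base, for an encrypted and certificate-verified LDAP transport, for the sudoers line in nsswitch.conf, and for the root-only 0600 permissions that protect ldap_default_authtok. The configurations are constructed from the one above with a placeholder bind password; the function names are my own.

```python
import configparser
import os
import stat

# Constructed sssd.conf modelled on the guide's; the bind password is a placeholder.
GOOD_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[domain/default]
ldap_id_use_start_tls = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
"""

# Weakened variant: sudo responder dropped, plain ldap:// without STARTTLS, certificate checks off.
WEAK_SSSD_CONF = (GOOD_SSSD_CONF
                  .replace("nss, pam, sudo", "nss, pam")
                  .replace("ldaps://ldapmaster.kifarunix-demo.com:636", "ldap://ldapmaster.kifarunix-demo.com")
                  .replace("ldap_id_use_start_tls = True", "ldap_id_use_start_tls = False")
                  .replace("ldap_tls_reqcert = demand", "ldap_tls_reqcert = never"))

GOOD_NSSWITCH = "passwd:         files sss\nsudoers:        files sss\n"
WEAK_NSSWITCH = "passwd:         files sss\nsudoers:        files\n"


def check_sssd_conf(text):
    """Return findings for the settings LDAP sudo depends on; an empty list means all present."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not include sudo, so rules are never fetched")
    for name in [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]:
        sec = f"domain/{name}"
        if not cfg.has_section(sec):
            findings.append(f"{sec}: section missing")
            continue
        if cfg.get(sec, "sudo_provider", fallback="") != "ldap":
            findings.append(f"{sec}: sudo_provider is not ldap")
        if not cfg.get(sec, "ldap_sudo_search_base", fallback=""):
            findings.append(f"{sec}: ldap_sudo_search_base not set")
        encrypted = (cfg.get(sec, "ldap_uri", fallback="").startswith("ldaps://")
                     or cfg.getboolean(sec, "ldap_id_use_start_tls", fallback=False))
        if not encrypted:
            findings.append(f"{sec}: bind password and sudo rules would cross the network in clear text")
        if cfg.get(sec, "ldap_tls_reqcert", fallback="").lower() != "demand":
            findings.append(f"{sec}: ldap_tls_reqcert should be demand so a forged server is rejected")
        if not cfg.get(sec, "ldap_tls_cacert", fallback=""):
            findings.append(f"{sec}: ldap_tls_cacert not set")
    return findings


def check_nsswitch(text):
    """sudo only asks SSSD when the sudoers database in nsswitch.conf lists sss."""
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "sudoers":
            return [] if "sss" in sources.split() else ["nsswitch.conf: sudoers line lacks sss"]
    return ["nsswitch.conf: no sudoers line"]


def check_file_security(mode, uid):
    """sssd.conf stores ldap_default_authtok in clear text: it must be root-owned and 0600."""
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append(f"sssd.conf mode {oct(stat.S_IMODE(mode))} is accessible to group/others")
    if uid != 0:
        findings.append("sssd.conf is not owned by root")
    return findings


if __name__ == "__main__":
    print("good:", check_sssd_conf(GOOD_SSSD_CONF), check_nsswitch(GOOD_NSSWITCH))
    print("weak:", check_sssd_conf(WEAK_SSSD_CONF), check_nsswitch(WEAK_NSSWITCH))
    if os.path.exists("/etc/sssd/sssd.conf"):        # live check on this client, if present
        st = os.stat("/etc/sssd/sssd.conf")
        print("live:", check_file_security(st.st_mode, st.st_uid))
```

The transport check mirrors the guide's ldaps:// URI together with ldap_tls_reqcert = demand: without the first, the read-only bind password and the sudo rules travel in clear text, and without the second a host that can intercept the connection could hand the client a different set of rules.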

Assigning User SUDO rights on Specific Host

It is also possible to assign a user sudo rights on a specific host. For example, if I have a user called johndoe in my OpenLDAP database and I want this user to only run commands with sudo on the host, john.kifarunix-demo.com, then I would create an entry like below in my OpenLDAP server.

dn: cn=john,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: john
objectclass: top
objectclass: sudoRole
sudocommand: ALL
sudohost: john.kifarunix-demo.com
sudorunasuser: ALL
sudouser: johndoe

If this user logs in to a system whose hostname is john.kifarunix-demo.com, they can execute any command with sudo; on any other system they have no sudo rights.
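To make the matching rules concrete, here is an added Python example (not code from this guide or from sudo) that parses sudoRole entries and decides whether a user may run a command on a host and whether a password is required. It ties together the attribute list from the "Sudo attributes used above" section (sudoUser as a login name, #uid or %group; sudoHost as ALL or a hostname; sudoCommand as ALL, a path, or a path with fixed arguments), the !authenticate option from the NOPASSWD section, and the host-restricted role for johndoe just shown. The LDIF is constructed after the entries in this guide with the objectClass lines omitted; netgroups, IP networks, wildcards, sudoRunAs* and sudoOrder are assumed out of scope and are not modelled.

```python
import shlex

# Constructed LDIF modelled on the guide's sudoRole entries; objectClass lines omitted for brevity.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: defaults
sudoOption: env_reset

dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: sudo
sudoUser: janedoe
sudoHost: ALL
sudoCommand: ALL

dn: cn=cmdrole,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: cmdrole
sudoUser: mibeyam
sudoUser: %wheel
sudoHost: ALL
sudoCommand: /usr/sbin/useradd

dn: cn=koromicha,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: koromicha
sudouser: koromicha
sudohost: ALL
sudocommand: ALL
sudooption: !authenticate

dn: cn=john,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: john
sudouser: johndoe
sudohost: john.kifarunix-demo.com
sudocommand: ALL
"""

def parse_ldif(text):
    """Split LDIF into records: dict of lower-cased attribute name -> list of values
    (LDAP attribute names are case-insensitive, so sudoUser and sudouser are the same)."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip().lower(), []).append(value.strip())
        records.append(rec)
    return records

def user_matches(spec, user, uid, groups):
    """sudoUser: ALL, a login name, #uid or %group (netgroups and %: groups not modelled)."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("#"):
        return spec[1:] == str(uid)
    return spec == user

def host_matches(spec, host):
    """sudoHost: ALL or a hostname; a dotted pattern is compared with the fully
    qualified name, an undotted one with the short name (as sudo does)."""
    if spec == "ALL":
        return True
    target = host if "." in spec else host.split(".")[0]
    return spec.lower() == target.lower()

def command_matches(spec, command):
    """sudoCommand: ALL, or an absolute path optionally followed by the exact
    arguments required; a bare path allows any arguments."""
    if spec == "ALL":
        return True
    want, got = shlex.split(spec), shlex.split(command)
    return want[0] == got[0] and (len(want) == 1 or want[1:] == got[1:])

def evaluate(ldif, user, uid, groups, host, command):
    """Return (allowed, password_required): cn=defaults supplies global sudoOption values,
    and any role whose sudoUser, sudoHost and sudoCommand all match grants the command."""
    options, allowed = [], False
    for role in parse_ldif(ldif):
        if role["cn"][0].lower() == "defaults":
            options = role.get("sudooption", []) + options
        elif (any(user_matches(u, user, uid, groups) for u in role.get("sudouser", []))
              and any(host_matches(h, host) for h in role.get("sudohost", []))
              and any(command_matches(c, command) for c in role.get("sudocommand", []))):
            allowed = True
            options = options + role.get("sudooption", [])
    password = True                     # sudo's authenticate option is on by default
    for opt in options:                 # !authenticate is the LDAP spelling of NOPASSWD
        if opt in ("authenticate", "!authenticate"):
            password = opt == "authenticate"
    return allowed, password

if __name__ == "__main__":
    print(evaluate(SAMPLE_LDIF, "koromicha", 10030, ["koromicha"], "ubuntu18", "/bin/bash"))
    print(evaluate(SAMPLE_LDIF, "alice", 10050, ["alice", "wheel"], "ubuntu18", "/usr/sbin/useradd bob"))
    print(evaluate(SAMPLE_LDIF, "johndoe", 10040, ["johndoe"], "jane.kifarunix-demo.com", "/bin/bash"))
```

Running the block prints (True, False) for koromicha, (True, True) for a wheel member running useradd, and (False, True) for johndoe on the wrong host, which matches the behaviour described in the sections above. The %wheel case is worth noting when writing roles: the group is resolved on the client, so a sudoUser of %wheel applies to whatever local or LDAP group called wheel each client happens to have.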

Testing OpenLDAP Authentication on Ubuntu 18.04

To confirm that you can now log in to your system as an LDAP user via SSSD, simply SSH to localhost as your OpenLDAP user. See our guide on setting up OpenLDAP, linked above, for how to add users.

ssh janedoe@localhost

As you login, note the line, Creating directory '/home/janedoe'.

janedoe@localhost's password: 
Creating directory '/home/janedoe'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Dec  8 11:52:56 2019 from ::1
janedoe@ubuntu18:~$ pwd
/home/janedoe
janedoe@ubuntu18:~$ id
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)

Verify SUDO Privileges

You can now try to run various commands with sudo to confirm that you actually have the sudo rights provided by OpenLDAP.

janedoe@ubuntu18:~$ sudo su -
[sudo] password for janedoe: 
root@ubuntu18:~#

Now, log in again as a user who has not been given any sudo rights.

ssh johndoe@localhost
johndoe@ubuntu18:~$ sudo su -
[sudo] password for johndoe: 
johndoe is not allowed to run sudo on ubuntu18.  This incident will be reported.
johndoe@ubuntu18:~$

Verifying host-based sudo rights

ssh -l johndoe 192.168.56.160
johndoe@192.168.56.160's password: 
Creating directory '/home/johndoe'.
...
...
Last login: Tue Jan 21 16:50:58 2020 from 127.0.0.1
johndoe@jane:~$ hostname
jane.kifarunix-demo.com

Note the hostname of the system above.

johndoe@jane:~$ sudo su -
[sudo] password for johndoe: 
johndoe is not allowed to run sudo on jane.  This incident will be reported.

Log in as an administrative user and change the hostname to john.kifarunix-demo.com.

johndoe@john:~$ hostname
john.kifarunix-demo.com
johndoe@john:~$ sudo su -
[sudo] password for johndoe: 
root@john:~#

Hurray!! You have successfully configured the OpenLDAP server to provide sudo rules. Say goodbye to having to assign sudo rights to users on each local system. That brings us to the end of our guide.

Reference:

sudoers ldap manual pages

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

14 thoughts on “How to Configure SUDO via OpenLDAP Server”

  1. Hi,

    When adding a sudo role to an existing user:
    dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
    changetype: modify
    add: sudoUser
    sudoUser: johndoe

    I get an error:
    ldap_modify: Server is unwilling to perform (53)
    additional info: no global superior knowledge

    What can be wrong?
    Thanks.

    • Hello,
      Be sure to replace the domain components appropriately, dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com.

  2. Thank you for the guide, this is really helpful.
    By following this document, I got an issue at last. When I tried to test OpenLDAP Authentication on Ubuntu 18.04, all the setup was configured. While I'm using ssh username@localhost, after going with the right password, it returns an error: Permission denied, please try again.
    What should be the root cause? Thanks!
    BTW, this ubuntu system can use ldapsearch without any issue, which means the communication between the ldap server and this client should be ok.

  3. I am searching for a step by step guide in How to Configure SUDO via OpenLDAP Server on CentOS 7 with CentOS 7 client. Can this be used to do the configuration?

  4. Did this on a CentOS 8.2 server... trying to connect another CentOS 8.2 to this... getting the following when trying to install the following packages...

    [root@localhost ~]# yum install sssd libpam-sss libnss-sss vim sssd-tools
    Last metadata expiration check: 3:16:22 ago on Sun 28 Jun 2020 10:02:56 AM PDT.
    Package sssd-2.2.3-20.el8.x86_64 is already installed.
    No match for argument: libpam-sss
    No match for argument: libnss-sss
    Package vim-enhanced-2:8.0.1763-13.el8.x86_64 is already installed.
    Error: Unable to find a match: libpam-sss libnss-sss
    [root@localhost ~]#

    please help

  5. # nano modified-sudoer2ldif.ldif
    Then, I do :

    # ldapadd -x -D ‘cn=admin,dc=domain,dc=etc,dc=etc’ -w password -H ldapi:/// -f modified-sudoer2ldif.ldif

    And I get this output :
    dif.ldif
    adding new entry “cn=defaults,ou=SUDOers,dc=domain,dc=etc,dc=etc”
    ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax
