sudo + sssd + ldap

In my quest to implement sssd, my focus turned towards sudo.  Centralizing the sudo rules to an LDAP server (or cluster) simplifies management of users and access.  Rather than /etc/sudoers files on each machine, sudo can look in to LDAP for a specific user’s rules.

The path of a query is:
sudo command requested -> network service switch -> sssd -> sssd_sudo -> ldap

OpenLDAP does not have the schema installed by default, and many have converted to the slapd.d configuration file format which leaves a lot to be desired. You have to take the sudoers.schema file and convert it to slapd.d format (I’ve converted it, so if you just want to use this file, feel free), which comes out like this (name your file accordingly) /etc/openldap/slapd.d/cn=config/cn=schema/cn={6}sudoers.ldif.

Of course, with any schema change you need to restart ldap:

systemctl restart slapd

Next, the local /etc/sudoers file needs to be converted and then imported.  There’s a helpful utility that comes with the sudo rpm called sudoers2ldif.  It does a good job at getting your started, and you must keep in mind that the resulting ldif file will need manual adjusting before importing:

sudo SUDOERS_BASE=ou=SUDOers,dc=company,dc=com perl
/usr/share/doc/sudo*/sudoers2ldif /etc/sudoers > /tmp/sudoers.ldif

Again, be sure to look the file over and remove any unusual entries.  Also, add the SUDOers ou definition to the top of the file:

dn: ou=SUDOers,dc=company,dc=com
description: SUDOers
objectclass: organizationalUnit
objectclass: top
ou: SUDOers

With the file cleaned up and the ou defined, import the ldif file.  With it imported, the data is there, but nothing is using it.

Update /etc/sssd/sssd.conf to include “sudo” in the services line for the [sssd] stanza, and at the end of the file create a blank [sudo] stanza.  Restart sssd.

systemctl restart sssd

Update nsswitch.conf to include the line:

sudoers: files sss

Remove all sudo entries from /etc/sudoers for users with a UID >= 1000. Those are now handled via LDAP ,and all of the other entries (for users with a UID < 1000) will be managed by the local /etc/sudoers file.  This is a limitation hardcoded in sssd that cannot be overridden.

Leave a Reply