P is for Policy. One aspect of policy management that has the potential to be the killer feature is centralized SUDO.
The server side of SUDO is broken into three parts. A sudo command maps to the action you wish to allow a user to perform via sudo. For example, if a user needs the ability to read the Apache server error log:
sudo less /var/log/httpd/error.log
The next entity is a command group, a means of joining the two commands listed above into a single entity for management. The last entity is the sudo rule itself, which associates the command group with the people who can execute it, the set of servers they can execute it on, and the users they can impersonate (run as) when they run the command.
I’m not going to walk through how to set this up from the command line, as the developers did a pretty good job of doing so for the Test Day. However, if you read through that script, you might think that the client setup is a little labor-intensive. I did. So I made a crude hack to automate the process.
WARNING: Don’t blindly run this script
Take a look at the script before running it. While I’ve tried to make a poor man’s revision control work in there, there is no guarantee that it won’t mess up your system with no way to get back to a stable state. So, you’ve been warned. This script is something that will eventually morph into a stable product, but we’re a fair way from that.
One thing I know is wrong is that I simply overwrite the nss_ldap.conf file, which doesn’t exist on my machine but might on yours.
#!/bin/bash
# Pull the realm settings the IPA client installer already recorded.
BASEDN=`awk '/basedn/ {print $3}' < /etc/ipa/default.conf`
IPASERVER=`awk '/server/ {print $3}' < /etc/ipa/default.conf`
DOMAIN=`awk '/domain/ {print $3}' < /etc/ipa/default.conf`

BINDUID=$1
BINDPASS=$2

usage(){
  echo " usage $0 uid password"
}

# Check the arguments before touching anything on disk.
if [ -z "$BINDUID" ] || [ -z "$BINDPASS" ]
then
  usage
  exit 1
fi

# Working copy of the files to be edited, plus the poor man's revision control.
CONFDIR=`mktemp -d`
BACKUPDIR=/tmp/etcbackup

mkdir -p "$CONFDIR/etc/sssd"
mkdir -p "$CONFDIR/etc/rc.d/"
cp /etc/sssd/sssd.conf "$CONFDIR/etc/sssd"
cp /etc/nsswitch.conf "$CONFDIR/etc"
cp /etc/rc.d/rc.local "$CONFDIR/etc/rc.d/rc.local"

mkdir -p "$BACKUPDIR/etc/sssd"
mkdir -p "$BACKUPDIR/etc/rc.d/"
cp /etc/sssd/sssd.conf "$BACKUPDIR/etc/sssd"
cp /etc/nsswitch.conf "$BACKUPDIR/etc"
cp /etc/rc.d/rc.local "$BACKUPDIR/etc/rc.d/rc.local"
# these two may not exist yet; only back them up if they do
[ -f /etc/nss_ldap.conf ] && cp /etc/nss_ldap.conf "$BACKUPDIR/etc/nss_ldap.conf"
[ -f /etc/ldap.conf ] && cp /etc/ldap.conf "$BACKUPDIR/etc/ldap.conf"

# this will go into /etc/nsswitch.conf
echo sudoers: ldap >> "$CONFDIR/etc/nsswitch.conf"

# this will go into sssd.conf: add the netgroup search base right after ipa_server
awk -v basedn="$BASEDN" '{print $0 } /^ipa_server/ { print "ldap_netgroup_search_base = cn=ng,cn=compat,"basedn }' \
  < "$CONFDIR/etc/sssd/sssd.conf" > "$CONFDIR/etc/sssd/sssd.conf.new"
mv "$CONFDIR/etc/sssd/sssd.conf.new" "$CONFDIR/etc/sssd/sssd.conf"

# this will go in /etc/nss_ldap.conf
cat > "$CONFDIR/etc/nss_ldap.conf" << END_TEXT
sudoers_base ou=SUDOers,$BASEDN
binddn uid=$BINDUID,cn=users,cn=accounts,$BASEDN
bindpw $BINDPASS
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://$IPASERVER
END_TEXT
# ldap.conf gets the same contents (cp below follows the link and copies the file)
ln -s "$CONFDIR/etc/nss_ldap.conf" "$CONFDIR/etc/ldap.conf"
#TODO handle nslcd.conf for newer systems

echo nisdomainname "$DOMAIN" >> "$CONFDIR/etc/rc.d/rc.local"

# Install the edited files.
cp "$CONFDIR/etc/sssd/sssd.conf" /etc/sssd
cp "$CONFDIR/etc/nsswitch.conf" /etc
cp "$CONFDIR/etc/rc.d/rc.local" /etc/rc.d/rc.local
cp "$CONFDIR/etc/nss_ldap.conf" /etc
cp "$CONFDIR/etc/ldap.conf" /etc
rm -rf "$CONFDIR"

echo execute these commands:
echo nisdomainname "$DOMAIN"
echo service sssd restart
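As an added example (not part of the original post or the script above), here is a pre-install sanity check for the nss_ldap.conf / ldap.conf the script writes: it confirms the directives that keep the sudoers lookup from binding in the clear or trusting an unverified server, and flags a file that holds a bindpw while being accessible to group or others (the script's plain cp leaves the umask default, so this is the mode it would typically produce). The example.com names and the password in the sample are constructed placeholders; the permission check assumes the usual ls -l mode column layout.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check a generated
# nss_ldap.conf / ldap.conf before copying it into /etc. Verifies STARTTLS or
# ldaps, peer verification, the CA file, and that a stored bindpw is private.

# conf_has FILE DIRECTIVE VALUE_REGEX: true if an uncommented line sets
# DIRECTIVE to a value matching VALUE_REGEX (ERE)
conf_has() { grep -Eq "^[[:space:]]*$2[[:space:]]+$3" "$1"; }

# check_sudo_ldap_conf FILE: prints each problem found, returns 0 only if none
check_sudo_ldap_conf() {
    local conf="$1" rc=0
    conf_has "$conf" sudoers_base 'ou=SUDOers,' || { echo "sudoers_base is not under ou=SUDOers"; rc=1; }
    conf_has "$conf" uri 'ldaps?://' || { echo "no ldap uri"; rc=1; }
    # ldap:// is only acceptable together with STARTTLS, as in the generated file
    if conf_has "$conf" uri 'ldap://'; then
        conf_has "$conf" ssl start_tls || { echo "ldap:// uri without ssl start_tls"; rc=1; }
    fi
    conf_has "$conf" tls_checkpeer yes || { echo "tls_checkpeer is not yes"; rc=1; }
    conf_has "$conf" tls_cacertfile / || { echo "no tls_cacertfile"; rc=1; }
    # a stored bind password must not be accessible to group or others (ls mode columns 5-10)
    if conf_has "$conf" bindpw . && [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "bindpw present but $conf is accessible to group/others"; rc=1
    fi
    return $rc
}

# write_sample_conf FILE: constructed sample in the shape the script emits
# (example.com names and the password are placeholders, not from the post)
write_sample_conf() {
    cat > "$1" <<'END_TEXT'
sudoers_base ou=SUDOers,dc=example,dc=com
binddn uid=sudoclient,cn=users,cn=accounts,dc=example,dc=com
bindpw not-a-real-password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://ipa.example.com
END_TEXT
    chmod 600 "$1"
}

sample=$(mktemp); write_sample_conf "$sample"
check_sudo_ldap_conf "$sample" && echo "$sample: OK"
rm -f "$sample"
```

Run it against the file the script leaves in CONFDIR (or against /etc/ldap.conf afterwards) to see which directive or mode it would complain about.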