OpenLDAP sudo schema configuration
Copy the sudo schema
$ find / -name schema.OpenLDAP
$ cp /usr/share/doc/sudo-1.8.23/schema.OpenLDAP /etc/openldap/schema/sudo.schema
$ ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep sudo
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn={4}sudo,cn=schema,cn=config
Edit sudoschema.ldif
$ vim sudoschema.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
$ ldapadd -Y EXTERNAL -H ldapi:/// -f sudoschema.ldif
Edit sudo.ldif
$ vim sudo.ldif
dn: ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: sudoers object
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo.ldif
Edit sudo-defaults.ldif
$ vim sudo-defaults.ldif
dn: cn=defaults,ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: SUDOers Default values
sudoOption: env_keep+=SSH_AUTH_SOCK
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo-defaults.ldif
Edit sudo-wheel.ldif
$ vim sudo-wheel.ldif
dn: cn=%wheel,ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo-wheel.ldif
Create the wheel group
$ ./91ldapGroupAddv3.sh wheel 10
adding new entry "cn=wheel,ou=Groups,dc=4wxyz,dc=com"
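As an added example (not part of the original post, and not sudo's own code), the following Python script models how sudo's LDAP backend evaluates the two sudoRole entries created above: it parses them from LDIF and answers whether a given user, with given group memberships, on a given host gets any sudoCommand. The LDIF text, the user names, the group list and the host name are constructed sample inputs; the matching rules are a deliberately simplified subset (ALL, exact user, %group, exact host).

```python
# Constructed sample: the two sudoRole entries added above, in LDIF form.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: SUDOers Default values
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=%wheel,ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Parse minimal LDIF (no line continuations or base64) into dicts of attr -> [values].
    Attribute names are lower-cased because LDAP attribute names are case-insensitive."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def role_allows(entry, user, groups, host):
    """Simplified sudoRole match: sudoUser may be ALL, a user name or %group;
    sudoHost may be ALL or the host name; a missing sudoHost/sudoCommand never matches."""
    if "sudorole" not in [v.lower() for v in entry.get("objectclass", [])]:
        return False
    if entry.get("cn") == ["defaults"]:   # the defaults entry carries sudoOption only
        return False
    users = entry.get("sudouser", [])
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                  for u in users)
    host_ok = any(h == "ALL" or h == host for h in entry.get("sudohost", []))
    return user_ok and host_ok and bool(entry.get("sudocommand"))

def allowed_commands(ldif_text, user, groups, host):
    """Return every sudoCommand value that applies to user@host, or [] if none."""
    cmds = []
    for e in parse_ldif(ldif_text):
        if role_allows(e, user, groups, host):
            cmds.extend(e["sudocommand"])
    return cmds
```

Running `allowed_commands(SAMPLE_LDIF, "alice", ["wheel"], "web01")` yields `['ALL']`, while a user outside the wheel group gets `[]`, which is the effect the sudo-wheel.ldif entry above is meant to have.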