본문 바로가기

리눅스

[LDAP] OpenLDAP sudo 스키마 설정

반응형

openldap sudo 스키마 설정

sudo 스키마 복사

$ find / -name schema.OpenLDAP

$ cp /usr/share/doc/sudo-1.8.23/schema.OpenLDAP /etc/openldap/schema/sudo.schema
$ ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep sudo
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn={4}sudo,cn=schema,cn=config

sudoschema.ldif 편집

$ vim sudoschema.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
$ ldapadd -Y EXTERNAL -H ldapi:/// -f sudoschema.ldif

sudo.ldif 편집

$ vim sudo.ldif
dn: ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
description: sudoers object
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo.ldif

sudo-defaults.ldif 편집

$ vim sudo-defaults.ldif
dn: cn=defaults,ou=SUDOers,dc=4wxyz,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: SUDOers Default values
sudoOption: env_keep+=SSH_AUTH_SOCK
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo-defaults.ldif

sudo-wheel.ldif 편집

$ vim sudo-wheel.ldif
dn: cn=%wheel,ou=SUDOers,dc=4wxyz,dc=com
objectclass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -w ldappassword1! -f sudo-wheel.ldif

wheel 그룹 생성

$ ./91ldapGroupAddv3.sh wheel 10
adding new entry "cn=wheel,ou=Groups,dc=4wxyz,dc=com"
728x90
반응형