A quite trivial issue I have:
I have installed centralized policy sudo rules in an LDAP server (I use "schema.OpenLDAP" from "http://www.sudo.ws").
I also have configured Linux clients to check LDAP rules to grant sudo access to certain resources (I declared "sudoers_base" in nslcd.conf and "sudoers: ldap" in nsswitch.conf).
That works, but I'm still not happy :-)
To make it work, I need to authorize reading on the sudoers DIT branch for users, which I would like to avoid (BTW, normally /etc/sudoers is not readable by users).
Does anyone know any way to remove read rights on the sudo rules from usual users while having the rules work for everyone? (I was thinking about an LDAP proxy user used to read the sudo rules in LDAP, but I haven't found how to declare it.)
Thanks,
--- Olivier
On Tuesday, 3 April 2012 16:52:35 Olivier wrote:
> A quite trivial issue I have:
> I have installed centralized policy sudo rules in an LDAP server (I use "schema.OpenLDAP" from "http://www.sudo.ws").
> I also have configured Linux clients to check LDAP rules to grant sudo access to certain resources (I declared "sudoers_base" in nslcd.conf and "sudoers: ldap" in nsswitch.conf).
> That works, but I'm still not happy :-)
> To make it work, I need to authorize reading on the sudoers DIT branch for users, which I would like to avoid (BTW, normally /etc/sudoers is not readable by users).
> Does anyone know any way to remove read rights on the sudo rules from usual users while having the rules work for everyone? (I was thinking about an LDAP proxy user used to read the sudo rules in LDAP, but I haven't found how to declare it.)
$ man sudoers.ldap|col -b|grep -A5 ROOTBINDDN
ROOTBINDDN DN
        The ROOTBINDDN parameter specifies the identity, in the form of a
        Distinguished Name (DN), to use when performing privileged LDAP
        operations, such as sudoers queries. The password corresponding to
        the identity should be stored in /etc/ldap.secret. If not specified,
        the BINDDN identity is used (if any).

Please check your own sudoers.ldap documentation; paths may differ based on compile-time settings (which you can check with sudo -V as root).

Regards,
Buchan
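As an added worked example (not from the thread, and not sudo's or OpenLDAP's own code), the following script generates the two halves of the setup Buchan's answer points at: a slapd ACL that lets only a dedicated proxy DN read the sudoers subtree, and a client-side sudo LDAP config that binds as that DN via ROOTBINDDN with the password kept in a root-only /etc/ldap.secret. Because sudo is setuid root, it reads the secret itself and ordinary users need no read access to the branch. The suffix dc=example,dc=com, the ou=SUDOers branch, cn=sudo-proxy, the olcDatabase={1}mdb database entry and the client file name sudo-ldap.conf are all constructed assumptions; the real client config path is the compile-time setting Buchan mentions (check with sudo -V as root). PREFIX lets you write the files somewhere other than /etc to inspect them first.

```shell
#!/bin/sh
# Added example: generate server ACL + client config so only a proxy DN can
# read the sudoers branch while sudo still evaluates the rules as root.
# All DNs, the database entry and the client file name are assumptions.
set -eu

SUDOERS_BASE="ou=SUDOers,dc=example,dc=com"            # constructed
PROXY_DN="cn=sudo-proxy,ou=services,dc=example,dc=com" # constructed
PROXY_PW="CHANGE-ME-proxy-password"                    # placeholder
PREFIX="${PREFIX:-.}"   # target directory; use /etc on a real client

# slapd ACL in cn=config form. It is inserted at index {0} so it is evaluated
# BEFORE any broader "to * by users read" rule: OpenLDAP uses the first
# matching 'to' clause, so a sudoers rule placed after a catch-all is dead.
write_sudoers_acl_ldif() {
    cat > "$PREFIX/sudoers-acl.ldif" <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="$SUDOERS_BASE"
  by dn.exact="$PROXY_DN" read
  by * none
EOF
}

# Client config read by sudo's LDAP backend (path is compile-time; assumed).
# rootbinddn is used for the privileged sudoers query; the matching password
# comes from ldap.secret, which sudo (running as root) can read. No bindpw
# is put here, so nothing secret sits in a world-readable file.
write_sudo_ldap_conf() {
    cat > "$PREFIX/sudo-ldap.conf" <<EOF
uri ldap://ldap.example.com
sudoers_base $SUDOERS_BASE
rootbinddn $PROXY_DN
EOF
}

# Create the secret with umask 077 so it is born 0600, then chmod in case a
# previous copy existed with looser permissions (umask never tightens an
# existing file).
write_ldap_secret() {
    ( umask 077; printf '%s\n' "$PROXY_PW" > "$PREFIX/ldap.secret" )
    chmod 600 "$PREFIX/ldap.secret"
}

# Returns 0 only if the secret is exactly rw------- (ignores a trailing
# '+' or '.' that ls adds for ACL/SELinux-labelled files).
check_secret_mode() {
    [ "$(ls -ld "$PREFIX/ldap.secret" | cut -c1-10)" = "-rw-------" ]
}

# Returns 0 if the client config binds via rootbinddn and does not carry a
# plaintext bindpw that every local user could read.
check_client_conf() {
    grep -q "^rootbinddn $PROXY_DN\$" "$PREFIX/sudo-ldap.conf" &&
    ! grep -q '^bindpw' "$PREFIX/sudo-ldap.conf"
}

main() {
    write_sudoers_acl_ldif
    write_sudo_ldap_conf
    write_ldap_secret
    check_secret_mode && check_client_conf &&
        echo "wrote sudoers-acl.ldif, sudo-ldap.conf and ldap.secret under $PREFIX"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
case "${1:-}" in --write) main ;; esac
```

Apply the LDIF with ldapmodify against cn=config, then verify from a client: an ldapsearch bound as an ordinary user (or anonymously) with the sudoers branch as base should return no entries, while the same search bound as the proxy DN returns the sudoRole objects, and `sudo -l` as a normal user still lists the rules. If the proxy search also comes back empty, the ACL landed after a catch-all rule and needs a lower index.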
openldap-technical@openldap.org