
CentOS 6.5 で OpenLDAP(6)sudoを使用できるユーザーを限定する

Last updated at Posted at 2014-04-21

サーバー設定

OpenLDAPにsudo用スキーマを読み込ませる

# Copy the sudo LDAP schema shipped with the sudo package into the OpenLDAP
# schema directory (the source path is version-specific; -a keeps mode/owner).
cp -a -- "/usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP" "/etc/openldap/schema/sudo.schema"

include /etc/openldap/schema/sudo.schema を設定ファイルに追記する

/etc/openldap/slapd.conf
# Schema files. sudo.schema (copied from the sudo package) must be listed so
# that the sudoRole objectClass used in sudo.ldif is known to slapd.
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/openssh.schema
include /etc/openldap/schema/sudo.schema

# Connection protocol: also accept legacy LDAPv2 binds.
# NOTE(review): only needed for very old clients; drop this line if none
# remain, since it widens what the server will negotiate.
allow bind_v2

# Runtime files
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# TLS settings - all commented out, so slapd serves plain ldap:// only.
# NOTE(review): with TLS disabled, the simple bind done by ldapadd and the
# sudo rule lookups configured in /etc/sudo-ldap.conf (uri ldap://192.168.0.10/)
# cross the network unencrypted; enabling these three directives is the fix.
#TLSCACertificatePath  /etc/openldap/ssl/cacert.pem
#TLSCertificateFile    /etc/openldap/ssl/server.crt
#TLSCertificateKeyFile /etc/openldap/ssl/server.key

# Access to userPassword: the owner may change it, the Manager may write it,
# anonymous clients may only use it to authenticate (bind), nobody may read it.
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by * none

# Access to every other attribute. ACLs are matched in order, so this
# catch-all must stay after the userPassword rule.
# NOTE(review): "by self write" on * lets every user rewrite any attribute of
# their own entry, including the posix attributes indexed below (uidNumber,
# gidNumber, loginShell); restricting those to the Manager DN is safer.
# "by * read" also makes the sudoRole entries under ou=SUDOers and the wheel
# group membership readable anonymously, which the bind-less
# /etc/sudo-ldap.conf on this page relies on.
access to *
    by self write
    by dn="cn=Manager,dc=example,dc=com" write
    by * read

# Access to the monitor database: Manager only.
database monitor
access to *
    by dn.exact="cn=Manager,dc=example,dc=com" read
    by * none

# Main database
database    bdb
suffix      "dc=example,dc=com"
# write a BDB checkpoint every 1024 KiB of log or every 15 minutes
checkpoint  1024 15
rootdn      "cn=Manager,dc=example,dc=com"
# SSHA hash of the Manager password (generate with slappasswd).
# NOTE(review): keep slapd.conf unreadable to ordinary users, since this hash
# is offline-crackable; the file's permissions are not shown on this page.
rootpw      {SSHA}fCkF7qPmO1cnQsPun1fixcrhCNP+Kerd
directory   /var/lib/ldap

# Indexes
# NOTE(review): no index covers sudoUser/sudoHost, which sudo filters on when
# it searches ou=SUDOers; consider adding `index sudoUser eq,pres,sub`.
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

OpenLDAP 設定反映

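# Stop slapd, rebuild the slapd.d tree from slapd.conf, and start it again.
# The steps are chained with && so that a failed slaptest (syntax error,
# missing schema file) does not leave slapd to start on an emptied slapd.d.
# slaptest runs as the ldap user so the generated files end up owned by it.
/etc/init.d/slapd stop \
  && rm -rf -- /etc/openldap/slapd.d/* \
  && sudo -u ldap slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && /etc/init.d/slapd start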

sudoグループ登録用LDIF作成

/etc/openldap/ldif/sudo.ldif
# Container for the sudo rules (sudoers_base in /etc/sudo-ldap.conf).
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers

# sudo defaults. The entry must be named cn=defaults; its sudoOption values
# act as global Defaults for every rule in this subtree.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectclass: top
objectclass: sudoRole
cn: defaults
# root itself may not run sudo
sudoOption: !root_sudo
# no first-use lecture
sudoOption: !lecture
# include hostname and year in log entries
sudoOption: log_host
sudoOption: log_year
# log via syslog facility local3 and also to a file
sudoOption: syslog=local3
sudoOption: logfile=/var/log/sudo.log
# never search "." in PATH
sudoOption: ignore_dot
# skip the local /etc/sudoers while LDAP rules are available.
# NOTE(review): if the server is unreachable, the lookup presumably falls
# through to the local file per nsswitch ("sudoers: ldap files"), so keep
# /etc/sudoers sane rather than relying on this option.
sudoOption: ignore_local_sudoers
# always prompt for the password (no credential caching)
sudoOption: timestamp_timeout=0

# Rule: members of the wheel group may run any command on any host.
# NOTE(review): ALL/ALL is full root; scope sudoCommand down if only some
# commands are needed.
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
# leading % = group name, as in /etc/sudoers
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

# The wheel group itself, as a posixGroup; its memberUid values are the users
# who receive the rule above and who pass pam_wheel for su.
# NOTE(review): ou=Group,dc=example,dc=com is assumed to exist already - it is
# not created by this file. gidNumber 9999 must not collide with a local group.
dn: cn=wheel,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 9999
cn: wheel
memberUid: takahiko.takeda
memberUid: shinya.yokoyama
memberUid: osamu.inoue

sudoグループをOpenLDAPに登録

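# Load the sudo entries, binding as the directory's rootdn. The DN must match
# rootdn in slapd.conf exactly (cn=Manager,dc=example,dc=com); the original
# "dc=example.com" form is not that DN and the bind would fail.
# -x is a simple bind; -W prompts for the password so it never appears on the
# command line (where ps would show it). Without -H the server comes from
# ldap.conf; over plain ldap:// to a remote host the password crosses the wire
# unencrypted, since TLS is commented out in slapd.conf.
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldif/sudo.ldif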

サーバー・クライアント設定

sudo設定

/etc/sudo-ldap.conf
# LDAP server for sudo rule lookups. Plain ldap:// - consistent with the
# commented-out TLS section in slapd.conf - so rules are fetched unencrypted.
uri ldap://192.168.0.10/
# Subtree holding the sudoRole entries from sudo.ldif
sudoers_base ou=SUDOers,dc=example,dc=com
bind_timelimit 120
# NOTE(review): no binddn/bindpw is configured, so sudo binds anonymously and
# depends on the "by * read" ACL in slapd.conf. If that ACL is tightened, add a
# read-only bind identity here and restrict this file's permissions, since it
# would then contain a password.
host 192.168.0.10
base dc=example,dc=com

PAM設定

auth required pam_wheel.so use_uid のコメントを消し、有効化する

/etc/pam.d/su
#%PAM-1.0
# root may su without a password
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# Enabled here: only wheel members may su (use_uid checks the caller's real
# uid). Membership comes from the group database, so the LDAP wheel group
# (cn=wheel,ou=Group) only counts if NSS group lookups also go to LDAP -
# that part of nsswitch.conf is not shown on this page.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
# uid 0 passes the account phase unconditionally
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

nsswitch設定

sudo使用ユーザーの読み込み順をldap filesの順にする
下記を追記する

/etc/nsswitch.conf
# Look up sudoers rules in LDAP first, then fall back to /etc/sudoers.
# NOTE(review): the passwd/group lines are not shown here; LDAP users and the
# LDAP wheel group only resolve if those sources also list ldap.
sudoers: ldap files

再起動

キャッシュをクリアするため、再起動する

# Reboot so any cached lookups are discarded and the new nsswitch, PAM and
# sudo-ldap settings take effect from a clean state.
reboot

確認

rootの全権限を持つユーザーとroot権限を持たないユーザー、それぞれでログインして試してみる
