Hi, I have configured SUDO with OpenLDAP. I have created a group called "sysadm" and assigned the below commands, which the users who belong to this group can execute. Now I created a user called "bob" and assigned him to this group. When I am logged in as bob and run "sudo -l", it's asking me for the password, and after I put in the correct password it's showing me the "sudoCommand" list. But it also executes the command "!/sbin/route" too, which he should not be able to execute. Why is this happening? Did I do anything wrong?
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
structuralObjectClass: sudoRole
entryUUID: d6819d80-5c39-1030-9d7c-19f66ff1c84f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20110816095703Z
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/halt
sudoCommand: /sbin/reboot
sudoCommand: /sbin/yast
sudoCommand: /sbin/yast2
sudoCommand: /sbin/date
sudoCommand: /sbin/kill
sudoCommand: /usr/bin/killall
sudoCommand: /usr/bin/passwd
sudoCommand: /bin/su
sudoCommand: /bin/rpm
sudoCommand: /sbin/ifconfig
sudoCommand: /sbin/ifup
sudoCommand: !/sbin/route
entryCSN: 20110826090949.582253Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110826090949Z

Regards,
Neo

On Wed, Aug 10, 2011 at 10:11 AM, pradyumna dash <[email protected]> wrote:
> Guys,
>
> I have a query, let's take a scenario:
>
> Assume we have 2 servers, "Server1" and "Server2", and 2 groups, "Admin" and
> "ITTech". What is needed is, say, when a user "bob" logs in to "Server1" he
> will get the group "Admin", but when he logs in to "Server2" he will get the
> group "ITTech". Also it may vary for different users: when "Kris" logs in to
> Server1 he may get a group called "ITTech", and when he logs in to "Server2"
> he will get some other group, say "Security".
> Can this be done with OpenLDAP? If this is achieved, then we are planning
> to have SUDO files based on the groups.
>
> It would be great if you can provide me some pointers or a how-to.
>
> Regards,
> Neo
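As an added example (not part of the original post or of the sudo project), the following Python evaluates a sudoRole entry the way sudoers.ldap(5) documents sudoCommand handling and flags negations that do not change the result; the LDIF it embeds is a constructed, trimmed copy of the entry above.

```python
"""Added example: evaluate a sudoRole LDIF entry as sudoers.ldap(5) describes:
a leading '!' on sudoCommand negates it, and within one entry a matching
negation wins over a positive rule (LDAP attribute order is arbitrary, so sudo
is "paranoid"). Assumption: exact path match only; arguments/digests ignored."""

# Constructed input mirroring the posted entry (operational attributes and
# most of the command list left out for brevity).
SAMPLE_LDIF = """\
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/ifconfig
sudoCommand: /sbin/ifup
sudoCommand: !/sbin/route
"""

def parse_entry(ldif):
    """Minimal LDIF reader: attribute -> list of values (no base64/folding)."""
    entry = {}
    for raw in ldif.splitlines():
        if raw.strip() and not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def split_commands(entry):
    """Separate positive sudoCommand values from the '!'-negated ones."""
    allow, deny = set(), set()
    for cmd in entry.get("sudoCommand", []):
        (deny if cmd.startswith("!") else allow).add(cmd.lstrip("!").strip())
    return allow, deny

def command_allowed(entry, command):
    """Default deny; negations are checked before any positive rule."""
    allow, deny = split_commands(entry)
    if command in deny or "ALL" in deny:
        return False
    return command in allow or "ALL" in allow

def redundant_negations(entry):
    """A '!cmd' only changes the outcome if a broader positive rule (ALL or the
    same path) would otherwise permit it; anything unlisted is denied anyway."""
    allow, deny = split_commands(entry)
    if "ALL" in allow:
        return []
    return sorted(c for c in deny if c not in allow)
```

For the posted entry the checker reports "!/sbin/route" as redundant, since /sbin/route is already absent from the positive list; sudoers(5) also notes that subtracting commands from a broad grant such as ALL with '!' is not an effective restriction, so the flag is about rule clarity rather than hardening.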
