On 2008-09-26, John Summerfield <[EMAIL PROTECTED]> wrote:
> Jan-Frode Myklebust wrote:
>> On 2008-09-25, John Summerfield <[EMAIL PROTECTED]> wrote:
>>> Almost certainly I've missed something, but isn't PAM supposed to be the 
>>> glue that ties applications such as sudo to authentication facilities 
>>> such as LDAP?
>> 
>> You're missing that the point is to have sudo-configuration in LDAP, not
>> just authentication. So one central place to manage the "sudoers" for all
>> your hosts.
>
>>>> > d) control who can gain root on a certain box only
>
> Point D requires a local configuration.

It probably depends on what you mean by "gain", but if you can live
with gaining it through sudo, it doesn't require any local configuration
per host.

    sudoUser: @u_sysadmin_netgroup
    sudoHost: @some_host_netgroup
    sudoCommand: ALL

or more specifically, to allow "john" to execute /bin/su on the machine 
named hostname.example.com:

    sudoUser: john
    sudoHost: hostname.example.com
    sudoCommand: /bin/su


> Point C can be addressed with a local group specification, with the 
> group's membership defined group wide in LDAP.

I don't see why you would want both a local group specification, and
then membership defined group wide in LDAP. And wouldn't those cancel 
each other out?

>
> A golden local configuration that's deployed on the box, and then 
> customised to cover point D seems close to what's wanted.

I would suggest distributing your /etc/security/access.conf globally.
No local per-host configurations. You would of course sometimes have
to update it (globally), but quite seldom.

    http://directory.fedoraproject.org/wiki/Howto:Netgroups

> This doesn't address deploying changed rules for groups, and in 
> particular a new group with new rules, but that's not necessarily a 
> problem for everyone.

If you keep your sudo rules in ldap, there's no need to "deploy"
changed rules. They're effective immediately once implemented in the
ldap directory.


  -jf
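An added worked example, not from the thread and not sudo-ldap's own code: a small Python model of how sudoRole entries like the two quoted above resolve for a given user, host and command, including expansion of @netgroup references (with nested netgroups) from NIS-style triples. The LDIF records, the netgroup names u_sysadmin_netgroup / some_host_netgroup, and the member names (alice, bob, carol, web1, db1) are constructed sample data; `parse_ldif`, `netgroup_members`, `matches` and `allowed` are helper names invented for this example.

```python
"""Model of sudo rule resolution for sudoRole entries stored in LDAP.

Added example: constructed data and simplified matching, not sudo's code.
Supports sudoUser/sudoHost values of ALL, a literal name, or @netgroup,
and sudoCommand values of ALL or an exact command path.
"""
import re

# Constructed LDIF: the two rules from the thread as sudoRole entries.
SUDO_ROLES_LDIF = """\
dn: cn=sysadmins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sysadmins
sudoUser: @u_sysadmin_netgroup
sudoHost: @some_host_netgroup
sudoCommand: ALL

dn: cn=john_su,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: john_su
sudoUser: john
sudoHost: hostname.example.com
sudoCommand: /bin/su
"""

# Constructed netgroups: nisNetgroupTriple values "(host,user,domain)";
# a bare name (no parentheses) is a nested netgroup (memberNisNetgroup).
NETGROUPS = {
    "u_sysadmin_netgroup": ["(-,alice,)", "(-,bob,)"],
    "some_host_netgroup": ["(web1.example.com,-,)", "(db1.example.com,-,)"],
    "all_admins": ["u_sysadmin_netgroup", "(-,carol,)"],
}

TRIPLE_RE = re.compile(r"\((.*?),(.*?),(.*?)\)")


def parse_ldif(text):
    """Parse simple single-line-attribute LDIF into a list of dicts of lists,
    keeping only sudoRole entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def netgroup_members(netgroups, name, position, _seen=None):
    """Return the set of names in field `position` (0 = host, 1 = user) of
    every triple in netgroup `name`, following nested netgroups. '-' and
    '' mean the field is unset and contribute nothing."""
    seen = _seen if _seen is not None else set()
    if name in seen:          # guard against netgroup reference cycles
        return set()
    seen.add(name)
    members = set()
    for item in netgroups.get(name, []):
        m = TRIPLE_RE.fullmatch(item)
        if m is None:         # nested netgroup name
            members |= netgroup_members(netgroups, item, position, seen)
        elif m.group(position + 1) not in ("", "-"):
            members.add(m.group(position + 1))
    return members


def matches(spec, value, netgroups, position):
    """Does one sudoUser (position 1) or sudoHost (position 0) value match?"""
    if spec == "ALL":
        return True
    if spec.startswith("@"):
        return value in netgroup_members(netgroups, spec[1:], position)
    return spec == value


def allowed(roles, netgroups, user, host, command):
    """Return the cn of every sudoRole that grants `user` on `host` the
    right to run `command`. An empty list means sudo would refuse."""
    hits = []
    for role in roles:
        if (any(matches(u, user, netgroups, 1) for u in role.get("sudoUser", []))
                and any(matches(h, host, netgroups, 0) for h in role.get("sudoHost", []))
                and any(c in ("ALL", command) for c in role.get("sudoCommand", []))):
            hits.append(role["cn"][0])
    return hits


ROLES = parse_ldif(SUDO_ROLES_LDIF)

if __name__ == "__main__":
    for who, where, what in [("alice", "web1.example.com", "/bin/bash"),
                             ("john", "hostname.example.com", "/bin/su"),
                             ("john", "web1.example.com", "/bin/su")]:
        print(who, where, what, "->", allowed(ROLES, NETGROUPS, who, where, what))
```

The point the model makes is the one in the thread: a rule scoped by host netgroup (the first entry) and a rule pinned to one hostname (the second) both live in the directory, so changing who may gain root where is a directory edit, not a per-host file. Real sudo matching is richer than this model (%group and %:nonunix specs, "!" negation, command arguments, sudoOption, sudoOrder, short-vs-FQDN host matching), so use it to reason about rule layout, not as a substitute for testing with sudo -l on the host.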

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
