On 2008-09-26, John Summerfield <[EMAIL PROTECTED]> wrote:
> Jan-Frode Myklebust wrote:
>> On 2008-09-25, John Summerfield <[EMAIL PROTECTED]> wrote:
>>> Almost certainly I've missed something, but isn't PAM supposed to be the
>>> glue that ties applications such as sudo to authentication facilities
>>> such as LDAP?
>>
>> You're missing that the point is to have sudo-configuration in LDAP, not
>> just authentication. So one central place to manage the "sudoers" for all
>> your hosts.
>
>>>> > d) control who can gain root on a certain box only
>
> Point D requires a local configuration.
It probably depends on what you mean by "gain", but if you can live
with gaining it through sudo, it doesn't require any local configuration
per host:

    sudoUser: @u_sysadmin_netgroup
    sudoHost: @some_host_netgroup
    sudoCommand: ALL

or, more specifically, to allow "john" to execute /bin/su on the machine
named hostname.example.com:

    sudoUser: john
    sudoHost: hostname.example.com
    sudoCommand: /bin/su
> Point C can be addressed with a local group specification, with the
> group's membership defined group wide in LDAP.
I don't see why you would want both a local group specification and
then membership defined group-wide in LDAP. And wouldn't those cancel
each other out?
>
> A golden local configuration that's deployed on the box, and then
> customised to cover point D seems close to what's wanted.
I would suggest distributing your /etc/security/access.conf globally.
No local per-host configurations. You would of course sometimes have
to update it (globally), but quite seldom.
http://directory.fedoraproject.org/wiki/Howto:Netgroups
> This doesn't address deploying changed rules for groups, and in
> particular a new group with new rules, but that's not necessarily a
> problem for everyone.
If you keep your sudo rules in ldap, there's no need to "deploy"
changed rules. They're effective immediately once implemented in the
ldap directory.
-jf
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
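As an added illustration (not code from the thread, and not sudo's own implementation), here is a small Python model of how a sudoers-in-LDAP client evaluates sudoRole entries like the two quoted above: it resolves @netgroup references against a constructed netgroup table, honours ALL, and applies a negated ("!") sudoCommand. The netgroup memberships, the "devs" role and all host/user names other than those in the thread are constructed for the example.

```python
"""Toy evaluator for sudoers-in-LDAP rules (added illustration, not sudo's own code).
Models only sudoUser/sudoHost/sudoCommand with literal names, ALL, @netgroup
references and a leading "!" on sudoCommand; real sudo-ldap also handles
sudoOption, sudoRunAsUser, sudoOrder and command arguments."""

# Constructed netgroup table (NIS-style names -> member users or hosts).
NETGROUPS = {
    "u_sysadmin_netgroup": {"alice", "bob"},
    "some_host_netgroup": {"web1.example.com", "db1.example.com"},
    "u_dev_netgroup": {"carol"},
}

# Constructed sudoRole entries: the two rules from the thread plus a deny case.
SUDO_ROLES = [
    {"cn": "sysadmins", "sudoUser": ["@u_sysadmin_netgroup"],
     "sudoHost": ["@some_host_netgroup"], "sudoCommand": ["ALL"]},
    {"cn": "john_su", "sudoUser": ["john"],
     "sudoHost": ["hostname.example.com"], "sudoCommand": ["/bin/su"]},
    {"cn": "devs", "sudoUser": ["@u_dev_netgroup"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL", "!/bin/su"]},
]

def value_matches(value, needle):
    """One sudoUser/sudoHost/sudoCommand value: ALL, @netgroup membership, or exact name."""
    if value == "ALL":
        return True
    if value.startswith("@"):
        return needle in NETGROUPS.get(value[1:], set())
    return value == needle

def role_allows_command(role, command):
    """A positive sudoCommand must match and no negated (!) entry may match."""
    allowed = denied = False
    for value in role["sudoCommand"]:
        if value.startswith("!"):
            denied |= value_matches(value[1:], command)
        else:
            allowed |= value_matches(value, command)
    return allowed and not denied

def sudo_permitted(user, host, command, roles=SUDO_ROLES):
    """Return the cn of the first role granting (user, host, command), else None."""
    for role in roles:
        if (any(value_matches(v, user) for v in role["sudoUser"])
                and any(value_matches(v, host) for v in role["sudoHost"])
                and role_allows_command(role, command)):
            return role["cn"]
    return None
```

Changing a netgroup's members in the directory changes the outcome of sudo_permitted on every host at once, which is the point made above about not needing to deploy rule changes per host.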