Jan-Frode Myklebust wrote:
On 2008-09-26, John Summerfield <[EMAIL PROTECTED]> wrote:
Jan-Frode Myklebust wrote:
On 2008-09-25, John Summerfield <[EMAIL PROTECTED]> wrote:
Almost certainly I've missed something, but isn't PAM supposed to be the
glue that ties applications such as sudo to authentication facilities
such as LDAP?
You're missing that the point is to have sudo-configuration in LDAP, not
just authentication. So one central place to manage the "sudoers" for all
your hosts.
d) control who can gain root on a certain box only
Point D requires a local configuration.
It probably depends on what you mean by "gain", but if you can live
with gaining it through sudo, it doesn't require any local configuration
per host.
sudoUser: @u_sysadmin_netgroup
sudoHost: @some_host_netgroup
sudoCommand: ALL
or more specifically to allow "john" to execute /bin/su on the machine
named hostname.example.com:
sudoUser: john
sudoHost: hostname.example.com
sudoCommand: /bin/su
Point C can be addressed with a local group specification, with the
group's membership defined group wide in LDAP.
I don't see why you would want both a local group specification, and
then membership defined group wide in LDAP. And wouldn't those cancel
each other out?
If the network (or LDAP server) is down?
A golden local configuration that's deployed on the box, and then
customised to cover point D seems close to what's wanted.
I would suggest distributing your /etc/security/access.conf globally.
No local per-host configurations. You would of course sometimes have
to update it (globally), but quite seldom.
That might be appropriate in your environment, but I would not assume
that's universally so. Imagine I'm BigCorp Global Servers, deploying
virtual servers for Dept of Spying, Dept of Having a good time. Likely
there will be common features, some unique to each.
This might be extreme, but that's so as to illustrate the point that
different organisations and different users supported by those
organisations may be very different.
http://directory.fedoraproject.org/wiki/Howto:Netgroups
This doesn't address deploying changed rules for groups, and in
particular a new group with new rules, but that's not necessarily a
problem for everyone.
If you keep your sudo rules in ldap, there's no need to "deploy"
changed rules. They're effective immediately once implemented in the
ldap directory.
I won't assume that's feasible for everyone. On Windows (AD), I do
sometimes need to use the local administrator account.
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
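The sudoRole entries quoted in the thread (a netgroup-to-netgroup rule with sudoCommand ALL, and a per-user, per-host rule for /bin/su) are easier to reason about when you can evaluate them offline. The following is an added example, not code from the thread or from the sudo project: it parses a constructed LDIF with those two rules, resolves a constructed netgroup map (including a nested netgroup), and answers "may this user run this command on this host?" the way sudo's LDAP back end matches sudoUser, sudoHost and sudoCommand, in simplified form (no "!" negation, no sudoRunAs or sudoOption, no argument matching). One caveat worth knowing: sudoers.ldap(5) prefixes netgroups in sudoUser/sudoHost with "+", whereas the thread writes "@"; the example accepts both. It also reproduces the innetgr() rule that an empty field in a netgroup triple is a wildcard, so a host-only netgroup accidentally used in sudoUser matches every user. Names such as u_sysadmin_netgroup, db_hosts and the example.com hosts are assumptions for illustration.

```python
"""Evaluate sudoRole entries the way sudo's LDAP back end matches them (simplified).

Added example: the LDIF, the netgroup map and all host/user names below are
constructed for illustration. The two sudoRole objects mirror the rules quoted
in the thread. sudoers.ldap(5) prefixes netgroups with '+'; the thread wrote
'@', so both prefixes are accepted here.
"""

# Constructed LDIF: two sudoRole objects under ou=SUDOers (assumed DIT layout).
SUDOERS_LDIF = """\
dn: cn=sysadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sysadmins
sudoUser: @u_sysadmin_netgroup
sudoHost: @some_host_netgroup
sudoCommand: ALL

dn: cn=john_su,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: john_su
sudoUser: john
sudoHost: hostname.example.com
sudoCommand: /bin/su
"""

# Constructed netgroup map: each member is a (host, user, domain) triple or the
# name of a nested netgroup, as nisNetgroup entries would provide.
# An empty field in a triple is a wildcard, exactly as innetgr() treats it.
NETGROUPS = {
    "u_sysadmin_netgroup": [("", "alice", ""), ("", "bob", "")],
    "some_host_netgroup": [("web1.example.com", "", ""), "db_hosts"],
    "db_hosts": [("db1.example.com", "", "")],
}


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts.

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Comment lines are skipped; base64 values and continuation lines are not handled.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def in_netgroup(name, user=None, host=None, seen=None):
    """innetgr()-style check: is user and/or host in netgroup `name`?

    A None argument means "don't care"; an empty triple field matches anything.
    Nested netgroups are followed, with loop protection.
    """
    seen = set() if seen is None else seen
    if name in seen or name not in NETGROUPS:
        return False
    seen.add(name)
    for member in NETGROUPS[name]:
        if isinstance(member, str):
            if in_netgroup(member, user, host, seen):
                return True
            continue
        m_host, m_user, _domain = member
        host_ok = host is None or m_host == "" or m_host == host
        user_ok = user is None or m_user == "" or m_user == user
        if host_ok and user_ok:
            return True
    return False


def _matches(pattern, value, kind):
    """Match one sudoUser ("user") or sudoHost ("host") value."""
    if pattern == "ALL":
        return True
    if pattern[:1] in ("+", "@"):  # '+' per sudoers.ldap(5); '@' as in the thread
        name = pattern[1:]
        return in_netgroup(name, user=value) if kind == "user" else in_netgroup(name, host=value)
    return pattern == value


def can_run(entries, user, host, command):
    """Return the cn of the first sudoRole allowing user@host to run command, else None.

    Only the command path is compared; real sudo also matches arguments and
    honours '!' negations, sudoOrder and sudoRunAs*, which are omitted here.
    """
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "sudorole" not in classes:
            continue
        if not any(_matches(p, user, "user") for p in entry.get("sudouser", [])):
            continue
        if not any(_matches(p, host, "host") for p in entry.get("sudohost", [])):
            continue
        for cmd in entry.get("sudocommand", []):
            if cmd == "ALL" or cmd.split()[0] == command:
                return entry["cn"][0]
    return None


if __name__ == "__main__":
    roles = parse_ldif(SUDOERS_LDIF)
    for who, where, what in [("john", "hostname.example.com", "/bin/su"),
                             ("john", "web1.example.com", "/bin/su"),
                             ("alice", "db1.example.com", "/sbin/reboot")]:
        print(who, where, what, "->", can_run(roles, who, where, what))
    # The wildcard trap: a host netgroup placed in sudoUser matches any user.
    print("mallory in some_host_netgroup as a user?",
          in_netgroup("some_host_netgroup", user="mallory"))
```

Note that real sudo does the sudoUser part of this match server-side, with a filter of the form (|(sudoUser=john)(sudoUser=%group)(sudoUser=+netgroup)(sudoUser=ALL)), and only then matches sudoHost and sudoCommand locally; the effect is the same as the loop above. The last check in the block is the one to remember when deciding between "a netgroup per role" and "one netgroup for everything": a netgroup whose triples only name hosts is a wildcard for users, so it grants the rule to everyone if it ends up in sudoUser.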