Setting Up SUDOers on CentOS

📘

Note: SUDOers LDAP is an add-on feature

To enable this feature, contact us at [email protected]. Then, follow the instructions here to get started.

1. Install Foxpass

Follow the instructions on the CentOS 7 setup page to get Foxpass installed and working on your host.

2. Edit the ldap.conf file

Open the /etc/openldap/ldap.conf file for editing.
Add the line SUDOERS_BASE ou=SUDOers,dc=example,dc=com, substituting your own organization's dn.

...
URI ldaps://ldap.foxpass.com
BASE dc=example,dc=com
SUDOERS_BASE ou=SUDOers,dc=example,dc=com
...

3. Edit the sssd.conf file

Open the /etc/sssd/sssd.conf file for editing and add these 3 lines:

  1. Add ldap_sudo_search_base ou=SUDOers,dc=<example>,dc=com
  2. Add sudo to sssd services
  3. Add a [sudo] section
  4. (Optional) Add a sudo_timed = true option if you'd like to use the SUDOers "Not Before/After" time bound features
  5. (Optional) Set ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval values to change the sudo refresh intervals from their defaults

Full instructions can be found here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-ldap-sudo

...
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_sudo_full_refresh_interval = 21600  # optional: in minutes, default is 6 hours
ldap_sudo_smart_refresh_interval = 900  # optional: in minutes, default is 15 minutes
...

...
[sssd]
services = nss, pam, autofs, sudo
...

...
[sudo]
sudo_timed = true  # optional
...

4. Edit the nsswitch.conf file

Open the /etc/nsswitch.conf file for editing.
Add the line sudoers: files sss.

...
sudoers: files sss
...

This line means that your local sudo files will take precedence over the remote LDAP sudo rules. It's generally recommended to keep this ordering, as a misconfigured LDAP connection can result in sudo lockouts.

5. Restart sssd

Restart the sssd service for your settings to take effect.

sudo service sssd restart

6. Check that everything works

Run sudo -l to see the current configuration for the signed in user. If you are signed in as a Foxpass user, it should reflect the SUDOers information in Foxpass. If you're signed in under a machine or local account, log out out of the machine and log back in as a Foxpass user.

7. Caching tips

Unlike Ubuntu, Centos caches remote sudo rules instead of requesting them from the LDAP server on demand. This way, sudo can continue to function in case of an LDAP outage and keep using the sudo rules in the cache.

The host will poll LDAP on two separate schedules. By default, it will smart refresh and check for created or updated rules every 15 minutes. It will also full refresh and pull all created, updated, and deleted rules every 6 hours. It is because of this that you won't see changes in Foxpass reflected on the host until up to 15 minutes later.

You can change the refresh times in step 3 by specifying a different value (in minutes). Do know that the smart refresh value must be lower than the full refresh value. As of right now, Foxpass will return all rules during a smart refresh instead of just the modified rules. We aim to only return the modified rules in the future.

If you don't want to wait for the cache to refresh, you can run sss_cache -R to clear out the sudo rules cache from sssd.

Run sss_cache -R to clear out the sudo rules cache from sssd.