Setting Up SUDOers on Ubuntu
Note: SUDOers LDAP is an add-on feature
To enable this feature, contact us at [email protected]. Then, follow the instructions here to get started.
1. Install Foxpass
Follow the instructions on the Ubuntu 18.04 setup page (or the one for your respective Ubuntu version) to get Foxpass installed and working on your host.
2. Install the sudo-ldap package
Install the 'sudo-ldap' package by running this command:
sudo apt-get install sudo-ldap
The command may fail with an error prompting you to set a root password. If so, just run this command and set a new root password:
sudo passwd
Then, re-run the apt-get command to install sudo-ldap.
2. Edit the sudo-ldap.conf file
Open the /etc/sudo-ldap.conf file and edit it following the example below. You will need to enter your own binder information and change the sudoers_base variable to use your company's base DN. There are a few other settings you can change in the file, such as timeouts, debug output, and support for timed SUDOer rules.
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
URI ldaps://ldap.foxpass.com
BINDDN cn=sudo-binder,dc=example,dc=com
BINDPW xxxxxxx
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
sudoers_debug 0
#
# Enable support for time-based entries in sudoers.
sudoers_timed yes
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
You can create a new binder for SUDOer use or repurpose an existing one. When copying this file, be sure to enter your company's info in the sudoers_base entry as well as your SUDOer binder info for BINDDN and BINDPW.
Additionally, you can adjust the timeouts used for LDAP requests and enable or disable the "Not Before/After" SUDOer feature (sudoers_timed).
3. Configure nsswitch.conf file
Add an entry for sudoers in the nsswitch.conf file. The default Foxpass setup allows any user in the 'foxpass-sudo' group to run any sudo command without a password. You can keep this default by including the files source in the nsswitch sudoers entry.
If you'd like LDAP rules to take precedence over the local defaults, put "files" before "ldap" as shown below.
...
sudoers: files ldap
...
NOTE: If you only enter ldap, make sure that your SUDOers connection is working properly. If your SUDOers LDAP connection is misconfigured, you might get locked out of editing the file and won't be able to fix the configuration.
4. Check that everything works
Call sudo -l to see the current configuration for the signed-in user. If you are signed in as a Foxpass user, it should reflect the SUDOers information in Foxpass. If you're signed in under a machine account, log out of the machine and log back in as a Foxpass user.
If you've configured the LDAP SUDOer rules to take precedence over the local ones, you should see the LDAP rules underneath the local rule (by default (ALL : ALL) NOPASSWD: ALL) when running the sudo -l command.
If you're seeing LDAP errors, change the sudoers_debug value to 1 or 2 in the sudo-ldap.conf file. This will output any connection or parsing errors from the LDAP connection during a sudo operation and is helpful for debugging.
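As an added example (not part of the Foxpass page or its tooling), the following POSIX shell script runs the checks a practitioner would make before trusting the LDAP rules or narrowing the nsswitch entry: it confirms that sudo-ldap.conf sets URI, BINDDN, BINDPW and sudoers_base with a non-placeholder password and an ldaps:// URI, that the nsswitch sudoers line keeps the files source so a misconfigured LDAP connection cannot lock you out (the NOTE in step 3), and that the configuration file is not world accessible, since it holds the binder password and sudo reads it with root privileges. The file paths, the --host flag and the run_checks/check_* function names are assumptions for this example; the inline sample config is constructed from the template above.

```shell
#!/bin/sh
# Preflight checks for the sudo-ldap setup described on this page.
# Added example, not Foxpass's own tooling. Assumes standard ls, cut, grep -E
# and mktemp, and the default paths /etc/sudo-ldap.conf and /etc/nsswitch.conf
# (both can be passed explicitly to run_checks).

# check_sudo_ldap_conf FILE
# Returns 0 when URI, BINDDN, BINDPW and sudoers_base are all set to real values
# and the URI uses TLS. Keys are matched case-insensitively; comments are ignored.
check_sudo_ldap_conf() {
    conf="$1"
    rc=0
    for key in URI BINDDN BINDPW sudoers_base; do
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$conf"; then
            echo "missing: $key is not set in $conf"
            rc=1
        fi
    done
    # the page's template uses BINDPW xxxxxxx as a stand-in; refuse to ship it
    if grep -Eiq '^[[:space:]]*BINDPW[[:space:]]+x+[[:space:]]*$' "$conf"; then
        echo "placeholder: BINDPW in $conf is still the example value"
        rc=1
    fi
    # the binder password is sent over this connection, so insist on ldaps://
    if grep -Eiq '^[[:space:]]*URI[[:space:]]+ldap://' "$conf"; then
        echo "insecure: URI in $conf uses plaintext ldap://; use ldaps://"
        rc=1
    fi
    return $rc
}

# check_nsswitch FILE
# Returns 0 when the sudoers line keeps a local "files" source, so a broken LDAP
# connection cannot lock you out of sudo (the NOTE about "sudoers: ldap").
check_nsswitch() {
    line=$(grep -E '^[[:space:]]*sudoers:' "$1" | tail -n 1 | tr '\t' ' ')
    if [ -z "$line" ]; then
        echo "missing: no sudoers entry in $1"
        return 1
    fi
    case " $line " in
        *" files "*) return 0 ;;
        *) echo "lockout risk: '$line' has no files fallback"; return 1 ;;
    esac
}

# check_perms FILE
# Returns 0 when "other" has no access. The template comment was inherited from
# ldap.conf; this file carries BINDPW and sudo reads it as root, so world access
# is not needed.
check_perms() {
    other=$(ls -ld "$1" | cut -c8-10)   # columns 8-10 of ls -l are the "other" bits
    if [ "$other" != "---" ]; then
        echo "permissions: $1 is world-accessible ($other); chmod 640 and chown root:root it"
        return 1
    fi
    return 0
}

# run_checks [CONF] [NSSWITCH]: run every check; non-zero status if any failed.
run_checks() {
    conf="${1:-/etc/sudo-ldap.conf}"
    nss="${2:-/etc/nsswitch.conf}"
    status=0
    check_sudo_ldap_conf "$conf" || status=1
    check_perms "$conf" || status=1
    check_nsswitch "$nss" || status=1
    [ "$status" -eq 0 ] && echo "ok: $conf and $nss pass the preflight checks"
    return $status
}

# Stand-alone run: check the real host files when invoked with --host, otherwise
# demonstrate the findings on a constructed copy of the page's sample config.
if [ "${1:-}" = "--host" ]; then
    run_checks /etc/sudo-ldap.conf /etc/nsswitch.conf
else
    tmp=$(mktemp -d)
    cat > "$tmp/sudo-ldap.conf" <<'EOF'
URI ldaps://ldap.foxpass.com
BINDDN cn=sudo-binder,dc=example,dc=com
BINDPW xxxxxxx
sudoers_base ou=SUDOers,dc=example,dc=com
EOF
    chmod 644 "$tmp/sudo-ldap.conf"
    printf 'sudoers: ldap\n' > "$tmp/nsswitch.conf"
    # constructed sample: expect placeholder, permissions and lockout findings
    run_checks "$tmp/sudo-ldap.conf" "$tmp/nsswitch.conf"
    rm -rf "$tmp"
fi
```

Run it as sh preflight.sh --host after editing both files; with no argument it demonstrates on a constructed copy of the template, which trips the placeholder-password, permissions and lockout checks. It complements rather than replaces sudo -l, which is the only test of the live LDAP connection.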