Setting Up SUDOers on Ubuntu

Note: SUDOers LDAP is an add-on feature

To enable this feature, contact us at [email protected]. Then, follow the instructions here to get started.

1. Install Foxpass

Follow the instructions on the Ubuntu 18.04 setup page (or the one for your respective Ubuntu version) to get Foxpass installed and working on your host.

2. Install the sudo-ldap package

Install the 'sudo-ldap' package by running this command:

sudo apt-get install sudo-ldap

The command may fail with an error prompting you to set a root password. If so, just run this command and set a new root password:

sudo passwd

Then, re-run the apt-get command to install sudo-ldap.

3. Edit the sudo-ldap.conf file

Open the /etc/sudo-ldap.conf file and edit it to match the example below. Enter your own binder information and change the sudoers_base setting to your company's base DN. A few other settings in the file can also be adjusted, such as the timeouts, debug output, and support for timed SUDOer rules.

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

URI         ldaps://ldap.foxpass.com
BINDDN      cn=sudo-binder,dc=example,dc=com
BINDPW      xxxxxxx

# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base   ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
sudoers_debug 0
#
# Enable support for time-based entries in sudoers.
sudoers_timed yes

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

You can create a new binder for SUDOer use or repurpose an existing one. When copying this file, be sure to enter your company's base DN in the sudoers_base entry and your SUDOer binder's DN and password in BINDDN and BINDPW.

Additionally, you can adjust the timeouts for LDAP requests and enable or disable the "Not Before/After" (timed) SUDOer feature.

4. Configure the nsswitch.conf file

Add a sudoers entry to the nsswitch.conf file. The default Foxpass setup allows any user in the 'foxpass-sudo' group to run any sudo command without a password. You can keep this default by including files in the nsswitch sudoers entry.

If you'd like LDAP rules to take precedence over the local defaults, put "files" before "ldap" as shown below.

...
sudoers: files ldap
...

NOTE: If you list only ldap, make sure your SUDOers LDAP connection is working properly first. If the SUDOers LDAP connection is misconfigured, you may lose sudo access and with it the ability to edit the file and fix the configuration.

5. Check that everything works

Run sudo -l to see the sudo rules that apply to the signed-in user. If you are signed in as a Foxpass user, the output should reflect the SUDOers information in Foxpass. If you're signed in under a machine account, log out of the machine and log back in as a Foxpass user.

If you've configured the LDAP SUDOer rules to take precedence over the local ones, you should see the LDAP rules listed below the local rule (by default (ALL : ALL) NOPASSWD: ALL) in the sudo -l output.

If you're seeing LDAP errors, change the sudoers_debug value to 1 or 2 in the sudo-ldap.conf file. Sudo will then print any connection or parsing errors from the LDAP connection during a sudo operation, which is helpful for debugging.
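As an added example (not Foxpass's own code), a POSIX shell preflight script that checks the static settings in sudo-ldap.conf and then binds as the SUDOer binder to list the rules under sudoers_base, so you can confirm the LDAP side works before narrowing the nsswitch entry to ldap only. It assumes ldap-utils (ldapsearch) is installed and that rules are stored as sudoRole entries, which is the standard sudoers LDAP schema; the conf_get and check_* function names are mine.

```shell
#!/bin/sh
# Preflight for /etc/sudo-ldap.conf (added example, not Foxpass code). Assumes
# ldapsearch from ldap-utils and rules stored as objectClass=sudoRole entries
# under sudoers_base (the standard sudoers LDAP schema).

# Print the first value of a key in the config file; key names are case-insensitive.
conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Static checks: ldaps URI, sudoers_base present, real BINDPW, readable CA bundle.
# Prints one line per problem and returns non-zero if any were found.
check_sudo_ldap_conf() {
    conf="$1"; rc=0
    uri=$(conf_get "$conf" URI)
    base=$(conf_get "$conf" sudoers_base)
    pw=$(conf_get "$conf" BINDPW)
    ca=$(conf_get "$conf" TLS_CACERT)
    case "$uri" in
        ldaps://*) ;;
        *) echo "URI must be ldaps:// so the bind password is not sent in clear (got '$uri')"; rc=1 ;;
    esac
    [ -n "$base" ] || { echo "sudoers_base is not set; sudo will ignore LDAP"; rc=1; }
    case "$pw" in
        ""|xxxxxxx) echo "BINDPW is empty or still the xxxxxxx placeholder"; rc=1 ;;
    esac
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "TLS_CACERT '$ca' is not readable"; rc=1
    fi
    return $rc
}

# Live check: bind as the SUDOer binder and list the sudo rules it can see.
# The password is passed via a 0600 temp file (-y); -w would expose it in ps.
check_sudo_ldap_live() {
    conf="$1"
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    conf_get "$conf" BINDPW | tr -d '\n' > "$pwfile"
    ca=$(conf_get "$conf" TLS_CACERT)
    if LDAPTLS_CACERT="${ca:-/etc/ssl/certs/ca-certificates.crt}" \
       ldapsearch -x -H "$(conf_get "$conf" URI)" -D "$(conf_get "$conf" BINDDN)" \
         -y "$pwfile" -b "$(conf_get "$conf" sudoers_base)" \
         '(objectClass=sudoRole)' cn sudoUser sudoHost sudoCommand; then rc=0; else rc=$?; fi
    rm -f "$pwfile"
    return $rc
}

# Usage: sh preflight.sh /etc/sudo-ldap.conf   (static checks, then the live bind)
if [ $# -gt 0 ]; then check_sudo_ldap_conf "$1" && check_sudo_ldap_live "$1"; fi
```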