Hi.
We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than maintaining it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/LDIF files to make the necessary changes to the sudo setup, and both seem less intuitive than simply editing the /etc/sudoers file.
I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.
Best regards, Kenneth Holter
We're going to go with sudoers in ldap, not because I think it's better, but because it's somewhat more secure. I think the layout of how it's managed in ldap is much inferior (having to declare each group multiple times, and not being able to apply privileges to a *group*, is stupid) but it is at least someplace where I know the clever people can't get easy access to it, and if the sudoers file gets modified, I can have tripwire scream.
-- juniper
----- Original Message ----- From: "Kenneth Holter" kenneho.ndu@gmail.com To: fedora-directory-users@redhat.com Sent: Tuesday, December 29, 2009 7:12:41 AM GMT -05:00 US/Canada Eastern Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
-- 389 users mailing list 389-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Not to digress too much off topic here, but I'm not sure about your comment on using groups; we've organized privileges into entries like this:
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
sudoHost: sasapp*.prod.foo.com
objectClass: sudoRole
objectClass: top
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse
cn: reporting_admin_on_sas
Note that you can have N number of sudoCommand|sudoUser entries, so you can organize this CN around what the people in these groups need to do on this box.
One of my co-workers wrote a script that exports the sudo entries in the directory to /etc/sudoers to handle the case of legacy machines that are too old or broken to have native sudo LDAP lookups (of course they still need to be able to look up UIDs/GIDs in the directory for this to work).
On Tue, Dec 29, 2009 at 7:33 AM, Anne Cross across@itasoftware.com wrote:
As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
-- juniper
----- Original Message ----- From: "Doug Chapman" prjctgeek@gmail.com To: "General discussion list for the 389 Directory server project." fedora-directory-users@redhat.com Sent: Wednesday, December 30, 2009 6:48:16 PM GMT -05:00 US/Canada Eastern Subject: Re: [389-users] /etc/sudoers VS sudo-objects in directory server
Hi Anne!
On Thu, 31 Dec 2009, Anne Cross wrote:
As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
-- juniper
You understood incorrectly. You can use LDAP groups.
Oh wow. You just made my day. Could I ask for an example of how you're defining it inside of a sudoers object? I'd *really* appreciate it. The last time I went digging through the documentation, I couldn't find any examples, and now "assume" is making an idiot out of me.
-- juniper
Anne Cross wrote:
You don't need to do anything special. Assuming your system is configured to look in LDAP for groups, you just specify them by preceding them with an @, just like local groups.
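The following is an added example, not code from this thread or from the 389 or sudo projects. It ties together Doug Chapman's sudoRole entry and the point just made about groups: sudo's LDAP back end resolves a sudoUser value through the same group lookup as the sudoers file, so an LDAP group works anywhere a local group does. Note that the prefix for a group in sudoUser is % (as in Doug's entry, and as documented in sudoers.ldap(5)); + names a netgroup. The script parses sudoRole entries from LDIF, answers "what may this user run on this host" the way sudo evaluates the attributes, and renders the same roles as sudoers(5) user specifications, which is the job of the export script Doug describes for legacy hosts. Everything here is constructed: the LDIF (first role modelled on Doug's, second invented), the GROUPS table standing in for the NSS group map, and the host names. Refusing to export a sudoOption it cannot translate is a design choice of this example so the export fails closed rather than silently changing a rule.

```python
"""Evaluate sudoRole entries from LDIF as sudo's LDAP back end would, and
render them as /etc/sudoers lines for hosts that cannot do LDAP sudo lookups.
Added example; LDIF, group table and host names are constructed."""
import fnmatch

SAMPLE_LDIF = """\
dn: cn=reporting_admin_on_sas,ou=sudoers,ou=foo,dc=com
objectClass: top
objectClass: sudoRole
cn: reporting_admin_on_sas
sudoHost: sasapp*.prod.foo.com
sudoCommand: /bin/su sas
sudoCommand: /bin/su - sas
sudoUser: %reporting
sudoUser: %datawarehouse

dn: cn=dba_restart_db,ou=sudoers,ou=foo,dc=com
objectClass: top
objectClass: sudoRole
cn: dba_restart_db
sudoHost: db1.prod.foo.com
sudoHost: db2.prod.foo.com
sudoCommand: /sbin/service postgresql restart
sudoUser: %dba
sudoUser: alice
sudoOption: !authenticate
"""

# Constructed group membership. On a real host this is the NSS group map
# (/etc/group or LDAP via nss_ldap/sssd); sudo does not care which backs it.
GROUPS = {"reporting": {"bob"}, "datawarehouse": {"carol"}, "dba": {"dave"}}


def parse_ldif(text):
    """Return the sudoRole entries as dicts of attribute -> list of values."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:    # LDIF continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):      # '::' marks base64, not handled
            raise ValueError(f"unsupported LDIF line: {line!r}")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(spec, user, groups):
    """sudoUser semantics: ALL, a user name, %group, or +netgroup."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in groups.get(spec[1:], set())
    if spec.startswith("+"):
        return False                              # netgroups not modelled here
    return spec == user


def host_matches(spec, host):
    """sudoHost semantics: ALL or a host name, wildcards as in fnmatch(3)."""
    return spec == "ALL" or fnmatch.fnmatchcase(host, spec)


def allowed_commands(roles, user, host, groups=GROUPS):
    """Commands `user` may run on `host`, in the order the roles list them."""
    cmds = []
    for role in roles:
        if (any(user_matches(u, user, groups) for u in role.get("sudoUser", []))
                and any(host_matches(h, host) for h in role.get("sudoHost", []))):
            cmds.extend(role.get("sudoCommand", []))
    return cmds


def role_to_sudoers(role):
    """Render one sudoRole as a sudoers(5) user specification.
    Only sudoOption values with an exact sudoers tag are translated; anything
    else raises so the export fails closed instead of altering the rule."""
    name = role["cn"][0]
    hosts = role.get("sudoHost", [])
    if not hosts:
        raise ValueError(f"{name}: no sudoHost, refusing to guess")
    # No sudoRunAs* attribute means the LDAP back end allows root only.
    runas = role.get("sudoRunAsUser") or role.get("sudoRunAs") or ["root"]
    tag = ""
    for opt in role.get("sudoOption", []):
        if opt == "!authenticate":
            tag = "NOPASSWD: "
        else:
            raise ValueError(f"{name}: sudoOption {opt!r} not translated")
    return "{} {} = ({}) {}{}".format(
        ", ".join(role["sudoUser"]), ", ".join(hosts),
        ", ".join(runas), tag, ", ".join(role["sudoCommand"]))


def export_sudoers(roles):
    """Whole-file export: a DN comment and one specification per role."""
    out = []
    for role in roles:
        out.append(f"# {role['dn'][0]}")
        out.append(role_to_sudoers(role))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(export_sudoers(roles))
    print(allowed_commands(roles, "bob", "sasapp01.prod.foo.com"))
```

One caveat before trusting an exported file on a legacy host: the sudoers file matches host patterns against the host name as sudo sees it, which is the short name unless the fqdn option is set, so a pattern like sasapp*.prod.foo.com should be checked against `hostname` on those machines before the export is relied on.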
On Tue, 29 Dec 2009, Kenneth Holter wrote:
I know I'm stating the obvious here, and feel the need to mention that there's absolutely nothing directly RHDS or 389-related about your question, but you did ask...
As with anything LDAP-related, you need to decide whether you want centralization or the status quo. It seems you already know the benefits to using LDAP (make changes in one place, replicate it everywhere) and the drawbacks (it's not a simple matter of editing a sudoers file), as well as the benefits of not using LDAP (flat, easy-to-read text files and no learning curve or additional tools involved).
Personally, given more than one machine to administer, I'd go LDAP every time, but I've been bit too many times by inconsistencies, and I'm familiar enough with doing it the LDAP way that it's no big deal to me. I like being able to make one change in one place and know that it's instantly taking effect on every box I want it to, without question, every time. To me, consistency is a *huge* part of good security, and that's easier to accomplish when you're changing one thing on one place, rather than (in my case) changing one thing a few thousand places.
That's just my situation, though, and I'm sure yours is different. Given that you already seem to know the pros and cons, it's really just a matter of deciding what's important to you, and then making the appropriate decision.
Thanks for all the replies.
We're running Puppet to manage files on our linux servers, so assuming that Puppet consistently distributes /etc/sudoers (we'll maintain only one copy of this file) to our linux servers, we in a way will have a centralized setup of sudoers, much like using LDAP. So to me, the main difference between the two approaches, as far as I can tell, is simply whether we store sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must admit that /etc/sudoers seems like the best choice.
From the responses I've got so far I can't see any major issues with the /etc/sudoers approach, as long as we can ensure that Puppet will do its job.
Regards, Kenneth
On Wed, Dec 30, 2009 at 10:38 PM, patrick.morris@hp.com wrote:
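As an added example (not from the thread, and not part of Puppet, sudo or tripwire), here is the kind of check Kenneth's "as long as Puppet does its job" depends on, in scripted form: it verifies what sudo itself insists on before it will read the file (a regular file, mode 0440, owned by uid 0 and gid 0, which are sudo's default sudoers_mode, sudoers_uid and sudoers_gid), compares the file with a known-good SHA-256 so a change made outside the configuration-management run is noticed, which is the same thing juniper gets from tripwire, and runs `visudo -c -f` when visudo is installed so a syntax error never reaches a host where it would lock everyone out of sudo. The demo() fixture, its sample sudoers content and the stale baseline hash are constructed for the example; visudo -c also checks owner and mode itself, so on a file in a temporary directory it reports a finding unless the script runs as root.

```python
"""Pre-deployment and drift checks for a Puppet-distributed /etc/sudoers.
Added example; demo() builds a constructed fixture in a temporary directory."""
import hashlib
import os
import shutil
import stat
import subprocess
import tempfile

EXPECTED_MODE = 0o440      # sudo's default sudoers_mode
EXPECTED_UID = 0           # sudo's default sudoers_uid
EXPECTED_GID = 0           # sudo's default sudoers_gid


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sudoers(path, expected_sha256=None):
    """Return a list of (code, message) findings; an empty list is a pass.
    Codes: type, mode, owner, group, hash, syntax, no_visudo."""
    findings = []
    st = os.lstat(path)                           # lstat: a symlink is a finding
    if not stat.S_ISREG(st.st_mode):
        findings.append(("type", f"{path} is not a regular file"))
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        findings.append(("mode", f"mode {mode:04o}, expected {EXPECTED_MODE:04o}"))
    if st.st_uid != EXPECTED_UID:
        findings.append(("owner", f"uid {st.st_uid}, expected {EXPECTED_UID}"))
    if st.st_gid != EXPECTED_GID:
        findings.append(("group", f"gid {st.st_gid}, expected {EXPECTED_GID}"))
    if expected_sha256 is not None:
        actual = sha256_file(path)
        if actual != expected_sha256:
            findings.append(("hash", f"sha256 {actual} differs from baseline"))
    visudo = shutil.which("visudo")
    if visudo is None:
        findings.append(("no_visudo", "visudo not found; syntax not checked"))
    else:
        # visudo -c -f parses the named file instead of /etc/sudoers.
        res = subprocess.run([visudo, "-c", "-f", path],
                             capture_output=True, text=True)
        if res.returncode != 0:
            findings.append(("syntax", (res.stdout + res.stderr).strip()))
    return findings


def demo():
    """Run the checker on a constructed file twice: first with a wrong mode
    and a stale baseline, then after fixing both. Returns the two code sets."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sudoers")
        with open(path, "w") as f:
            f.write("root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n")  # constructed
        os.chmod(path, 0o644)
        before = {code for code, _ in check_sudoers(path, "0" * 64)}
        os.chmod(path, EXPECTED_MODE)
        after = {code for code, _ in check_sudoers(path, sha256_file(path))}
    return before, after


if __name__ == "__main__":
    for code, msg in check_sudoers("/etc/sudoers"):
        print(f"{code}: {msg}")
```

Wired into the Puppet run, the baseline hash is the digest of the single copy Kenneth's team maintains; any host where the hash check fails has a sudoers file that Puppet did not write, which is exactly the case the thread worries about.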