作者:管怀剑(James Guan)
更新日期:2007/01/26
一.下载站点
sudo-1.6.8p12.tar.gz
(有时用这个版本有很多问题,最好用1.6.8版)
二.编译
# Build sudo with LDAP and PAM support, then swap the system binary and its
# PAM service file for the freshly built ones.
./configure --with-ldap --with-pam
make
# Install step writes to system paths (run as root).
make install
# Keep the distribution's PAM service file and sudo binary as *.orig before
# replacing them, so the change can be reverted.
mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
mv /usr/bin/sudo /usr/bin/sudo.orig
# NOTE(review): mv preserves the mode, so /usr/bin/sudo.orig is still a
# setuid-root sudo that reads the old (non-LDAP) configuration; once the new
# build is verified, drop its setuid bit (chmod u-s) or delete the backup.
# Point /usr/bin/sudo at the new build (presumably installed under
# /usr/local/bin by "make install" -- confirm the prefix on this system).
ln -s /usr/local/bin/sudo /usr/bin/sudo
# sample.pam ships in the sudo source tree; this assumes the cwd is still
# the unpacked source directory.
cp sample.pam /etc/pam.d/sudo
三.配置
1. 从安装包的README.LDAP中截取出相应部分,编辑/etc/openldap/schema/sudo.schema,其内容如下:
cat /etc/openldap/schema/sudo.schema
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description )
)
2. 向slapd.conf中添加如下内容:
# This is for sudo
include /etc/openldap/schema/sudo.schema
3. 重启openldap service
4. 向ldap 数据库中添加资料
# cat sudoers.ldif
dn: ou=sudoers,dc=test,dc=com
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=test,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: syslog=auth
sudoOption: log_year
sudoOption: logfile=/var/log/sudo.log

dn: cn=root,ou=sudoers,dc=test,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: (ALL) ALL

dn: cn=SDE,ou=sudoers,dc=test,dc=com
objectClass: top
objectClass: sudoRole
cn: SDE
sudoUser: jamesg
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
5. 配置client
a.将server配置成ldap client
b. 向/etc/ldap.conf中添加如下内容:
sudoers_base ou=sudoers,dc=test,dc=com
6. 测试成功(SDE条目中的 sudoOption: !authenticate 使 jamesg 执行 sudo 时无需输入密码,因此下面直接得到 root shell)
[root@traffic ~]# su - jamesg
-bash-3.00$ sudo su -
[root@traffic ~]#