【Server side】

First, create the schema file (vim /etc/openldap/schema/sudoer.schema) with the following content:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
   NAME 'sudoUser'
   DESC 'User(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
   NAME 'sudoHost'
   DESC 'Host(s) who may run sudo'
   EQUALITY caseExactIA5Match
   SUBSTR caseExactIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
   NAME 'sudoCommand'
   DESC 'Command(s) to be executed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
   NAME 'sudoRunAs'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
   NAME 'sudoOption'
   DESC 'Options(s) followed by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
   NAME 'sudoRunAsUser'
   DESC 'User(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
   NAME 'sudoRunAsGroup'
   DESC 'Group(s) impersonated by sudo'
   EQUALITY caseExactIA5Match
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
   NAME 'sudoNotBefore'
   DESC 'Start of time interval for which the entry is valid'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
   NAME 'sudoNotAfter'
   DESC 'End of time interval for which the entry is valid'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

# The sudoRole object class ties the attributes above together. It was missing
# from the listing; without it slapd rejects "objectClass: sudoRole" in the
# LDIF imported below. The OID is the one sudo ships in its OpenLDAP schema.
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
   DESC 'Sudoer Entries'
   MUST ( cn )
   MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
         sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
         description ) )

Then edit the server configuration so that it includes this schema. Add the following line to /etc/openldap/slapd.conf:

include         /etc/openldap/schema/sudoer.schema

Restart the ldap service.


2. Create an LDIF file that adds the SUDOers subtree and the sudoRole entries:

cat /home/tmp/ou1.ldif

dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: env_reset

dn: cn=test,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=it,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: it
sudoUser: it
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

Then import it: ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /home/tmp/ou1.ldif


【Client side】

Only one configuration file needs to be changed on the client:

 vim /etc/ldap.conf

 Add the line: SUDOERS_BASE ou=SUDOers,dc=example,dc=com

  ou=SUDOers is the name of the OU created on the server.

  The client does not need to run the openldap service itself.


Test:

-sh-3.2$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

   #1) Respect the privacy of others.
   #2) Think before you type.
   #3) With great power comes great responsibility.

Password:

After this is in place, sudo su - switches an ordinary user straight to root without entering a password (the %wheel and it roles above carry sudoOption: !authenticate, which is what disables the password check).
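To see which of the imported roles skip the password check, here is an added audit script (not part of the original post) that parses an LDIF export of the SUDOers subtree and reports every sudoRole, flagging those carrying sudoOption: !authenticate. The ldapsearch command in the comment is an assumed way to obtain that export; the sample entries are a constructed copy of the cn=test and cn=%wheel roles above.

```shell
#!/bin/sh
# Added example: audit the SUDOers subtree for sudoRole entries that grant sudo
# without a password (sudoOption: !authenticate). In production feed it an export
# of the subtree configured above (assumed command, writes roles.ldif), e.g.
#   ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" "(objectClass=sudoRole)" > roles.ldif
# audit_sudo_roles FILE: one line per sudoRole,
# "<cn> user=<sudoUser> host=<sudoHost> cmd=<sudoCommand> auth=yes|no" (multi-valued attrs joined by commas)
audit_sudo_roles() {
  awk '
    function add(cur, v) { return (cur == "") ? v : (cur "," v) }
    function flush() {
      if (role) printf "%s user=%s host=%s cmd=%s auth=%s\n", cn, user, host, cmd, (noauth ? "no" : "yes")
      role = 0; cn = user = host = cmd = ""; noauth = 0
    }
    /^dn: /                       { flush() }            # new entry starts
    /^objectClass: sudoRole$/     { role = 1 }
    /^cn: /                       { cn = substr($0, 5) }
    /^sudoUser: /                 { user = add(user, substr($0, 11)) }
    /^sudoHost: /                 { host = add(host, substr($0, 11)) }
    /^sudoCommand: /              { cmd = add(cmd, substr($0, 14)) }
    /^sudoOption: !authenticate$/ { noauth = 1 }         # password check disabled
    END                           { flush() }
  ' "$1"
}

# passwordless_roles FILE: only the cn of roles that skip the password check.
passwordless_roles() {
  audit_sudo_roles "$1" | awk '$NF == "auth=no" { print $1 }'
}

# Constructed sample mirroring the LDIF above: cn=%wheel has !authenticate, cn=test does not.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: cn=test,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
EOF
audit_sudo_roles "$SAMPLE_LDIF"
```

Lines of an ldapsearch export that are wrapped with a leading space are not re-joined here, so very long values need unwrapping first.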