Chapter 21. Policy: Using sudo

The sudo utility uses a local configuration file, /etc/sudoers, which defines the commands and users with sudo access. While this file can be shared among machines, there is no native way to distribute sudo configuration files among machines.

Identity Management uses its centralized LDAP database to contain the sudo configuration, which makes it globally available to all domain hosts. Identity Management also has a specialized LDAP schema for sudo entries that allows a lot more flexible and simpler configuration. This schema adds two key features:

As sudo does not support host groups and command groups, Identity Management translates the IdM sudo configuration into native sudo configuration when the sudo rules are created.

The sudo information is not available anonymously over LDAP by default. Identity Management therefore defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.

Both sudo and Identity Management support user groups as part of the sudo configuration. User groups can be either Unix or non-POSIX groups. Creating non-POSIX groups can result in some access issues because any users in the group inherit non-POSIX rights from the group. Having the choice between Unix and non-POSIX groups allows administrators the choice in group formatting and to avoid problems with inherited permissions or GID information.

As Section 21.1.1, “General sudo Configuration in Identity Management” mentions, the LDAP schema used for sudo entries in Identity Management supports host group-style groups in addition to netgroups. Really, Identity Management creates two groups, a visible host group and a shadow netgroup. sudo itself only supports NIS-style netgroups for group formats.

One important thing to consider is that even though sudo uses NIS netgroups, it is not necessary to have a NIS server installed or a NIS client configured. When any group is created for sudo, the NIS object is created in the Directory Server instance, and then the information is retrieved by NSS_LDAP or by SSSD. The client (in this case, sudo) then extracts the required NIS information from the information provided by Identity Management's Directory Server. ^[7]

In short, sudo configuration requires NIS-formatted netgroups. It does not require NIS.

However, in order for IdM sudo to work with host groups, use the nisdomainname command to set the NIS domain name to be used with the sudo rules. See Section 21.4, “Configuring Hosts to Use IdM sudo Policies” for details on using nisdomainname as well as setting other configuration features.

Any system which is supported as an IdM client system can be configured as a sudo client in IdM.