tying ubuntu 10.04 LDAP to sudo and SSH

The summary of this post is: you can’t.

I have my Ubuntu servers talking to LDAP for authentication, but I want two other functions: ldap-sudo integration, and SSH with public keys via LDAP.

We need to be absolutely certain that we can become root even if the sudo binary is hosed.   Set a root password with “passwd root”.  I’ll show you how to take it out later, as Ubuntu doesn’t like having a root password.  (Yes, there’s an environment variable that lets you upgrade sudo without having a root password set, but that method is more risky than using a password; if something breaks halfway through, you’re stuck.)

Now “apt-get install sudo-ldap nscd”.  I don’t know why sudo through LDAP requires nscd; you’ll find lots of message boards where users say this is how they solved their problems, and I have no grand objections to nscd, so I’m not going to bother researching it further.

I’ve already configured sudo in /etc/ldap.conf, and in /etc/nsswitch.conf, as shown in the earlier post.  But to use sudo over LDAP properly, I need to wipe out the contents of /etc/sudoers.  Comment everything out.

Now I log in as myself in a new terminal, and run “sudo -l”.  And… it doesn’t work.

Research leads me to https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252, which can be summarized as “You’re hosed, this doesn’t work.”  You cannot use sudo with LDAP over TLS, thanks to Ubuntu’s switch from OpenSSL to gnuTLS.  Yippee.

Transmitting LDAP unencrypted is not acceptable.  Period.

Solution?  Use LDAP groups.  Create a group of users who may use sudo to become root (or any other sudo config you like).  I’ve created the group “ldapsudo.”  Put your sudo users in that group, and make sure that they get assigned that group upon login via “id”. Assign that group sudo rights via visudo like so:

%ldapsudo ALL=(ALL) ALL

So, I can administer sudo via LDAP groups — which isn’t the way I’d like.  But it’ll buy me time for the ubuntu folks to fix their package.

To remove the root password, use vipw and replace the encrypted root password with a single asterisk.  That brings you back into Ubuntu compliance. Of course, if the machine is disconnected from the network, you’ll need to have some way to log onto the system.  I prefer having a root password, for local disaster recovery use if nothing else.

Other things I’d like would be to have SSH public keys distributed via LDAP, but Ubuntu doesn’t include that.  You can build your own SSH-LPK package  from source, but the point of Ubuntu is you don’t have to build from source.

No LDAP for sudo? No SSH keys over LDAP? LDAP integration is a vital feature for use in a large business. Please insert an “enterprise-ready operating system my fanny” comment here.

2 Replies to “tying ubuntu 10.04 LDAP to sudo and SSH”

Comments are closed.