SSSD-Sudo Integration
Summary
Provide means of looking up sudoers rules stored in remote directories such as LDAP via SSSD instead of direct LDAP lookups.
Owner
- Name: Pavel Březina
- Email: pbrezina@redhat.com
- Name: Stephen Gallager
- Email: sgallagh@redhat.com
- Name: Jakub Hrozek
- Email: jhrozek@redhat.com
- Name: Daniel Kopeček
- Email: dkopecek@redhat.com
Current status
- Targeted release: Fedora 17
- Last updated: 2012-Feb-07
- Percentage of completion: 100%
- packages were built in Fedora:
- sssd-1.8.0-1.fc17.beta1
- sudo-1.8.3p1-4.fc17
- packages were built in Fedora:
Detailed Description
In addition to the standard sudoers file, sudo may be configured via LDAP. This is very useful in large environments to provide centralized sudoers storage.
However, sudo performs all the lookups on its own, communicating directly with the remote directory. The goal of this feature is to extend sudo so that instead of talking directly to the LDAP server, it would communicate with SSSD's sudo responder process.
SSSD would provide access to the remote directory, while sudo would leverage all the benefits SSSD brings over performing the lookups in sudo directly. The major benefit is that sudo could take advantage of SSSD's caching capabilities. That would enable sudo to operate even if the remote directory is not reachable.
Benefit to Fedora
The benefits of the integration are:
- offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable such as user roaming with a laptop.
- unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
- sudo would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
- only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
- caching of the rules - less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
- back end abstraction - data may be stored in NIS or other databases and accessed by the sudo transparently
Scope
This feature requires changes to both SSSD and sudo:
- SSSD needs to create a new responder process that would listen on a UNIX socket, process requests, and send back data. The LDAP back end process needs to be extended to look up sudoers data.
- Sudo needs to extend the sudoers plugin to send requests for sudo rules to SSSD and extract the rules from data it gets back from SSSD
How To Test
In general, using sudoers rules stored in LDAP should work as it used to with the original direct LDAP lookups, there should be no changes in behavior. The user should be able to test offline support by shutting down the LDAP server - sudo should still work in that case.
To configure Sudo using SSSD for lookups, the user needs an LDAP server that contains a couple of rules for a particular user or a group. Refer to the sudoers manual for more details on the LDIF format of the rules.
- install the appropriate packages
- sssd-1.8.0-1.fc17.beta1 or newer
- sudo-1.8.3p1-4.fc17 or newer
- configure Sudo to use the SSS back end
- put
sudoers: sss
into/etc/nsswitch.conf
- put
- configure SSSD to run the Sudo responder and look up sudoers rules from an LDAP server
- put a new record
sudo
into theservices
option in the[sssd]
section ofsssd.conf
- specify the search base SSSD should look into using the
ldap_sudo_search_base
option in the domain section ofsssd.conf
- restart SSSD
- put a new record
- test the online support
- log in as a user allowed to run sudo
- run
sudo -l
. You should see the list of sudo rules you are allowed to run
- test the offline support:
- turn off the
network
service or NetworkManager or shut down your LDAP server - sudo should still be able to look up the rules from SSSD. SSSD would return the rules from its cache instead of the server.
- turn off the
User Experience
In case the LDAP server is not reachable, sssd would seamlessly fall back to serving sudoers data from cache, allowing the user to continue using sudo. The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user might also notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time.
Dependencies
As stated above, this feature depends on changes in both sudo and SSSD. There are no other external dependencies.
Contingency Plan
None required, Fedora would keep using the LDAP lookup module in sudo.
Documentation
See man sssd-ldap
. Search for options that contain "sudo".
The SSSD team is also going to provide a migration guide which will help users transition from the old plain LDAP setup to the SSSD setup. No automatic migration would be performed, though.
The documentation effort is being tracked in a separate SSSD ticket.
Release Notes
Fedora 17 enables sudo to look up sudoers rules stored in LDAP using SSSD. The SSSD daemon caches the data, providing offline support for sudo, which means that sudo is able to function even without access to the LDAP server. Unifying the configuration in sssd.conf
also brings the benefit of providing advanced features such as server fail over and fine-grained cache settings.