AD schema extension for use with sudoers in LDAP

The sudo mailing list sent a message with instructions for using your Microsoft AD server (aka Domain Controller) as an LDAP host for hosting sudoers. That is, integrating sudoers into an LDAP server so that authentication and authorization on Unix/Linux servers can be managed in a consistent, central way. "Using LDAP to synchronize Users, Groups, Hosts, Mounts, and other commands across an enterprise can greatly reduce the administrative overhead." [from the sudo site]

This way, you extend the AD schema and prepare it to hold the contents of your system-wide sudoers file. You then use or switch to an LDAP-enabled sudo version, and from then on access to your *nix hosts can be controlled through LDAP (nothing new there), but also the authorization that lets certain users run certain commands on certain hosts can be controlled from that same LDAP host. In this particular case, that LDAP host can be your existing Microsoft AD server, which many Unix and Linux administrators have to deal with anyway...
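To make the user/host/command model concrete, here is an added example (not code from the post or from the sudo project) that reads an LDIF dump of sudoRole entries and answers "may this user run this command on this host?" offline. It uses the standard sudoers LDAP schema attribute names (sudoUser, sudoHost, sudoCommand); the directory contents, group membership and DNs are constructed sample data, and the evaluation is deliberately simplified (no sudoOrder, netgroups or runas handling), so it is an audit aid for reviewing what you have published to the directory, not a replacement for sudo's own matching.

```python
"""Evaluate sudoers-in-LDAP policy from an LDIF export of sudoRole entries."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed sample: roughly what an `ldapsearch ... objectClass=sudoRole`
# export from an AD OU holding sudoers data might look like.
SAMPLE_LDIF = """\
dn: CN=defaults,OU=SUDOers,DC=example,DC=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: CN=webadmins,OU=SUDOers,DC=example,DC=com
objectClass: sudoRole
cn: webadmins
sudoUser: %webadmins
sudoHost: web01.example.com
sudoHost: web02.example.com
sudoCommand: /usr/sbin/service apache2 *
sudoCommand: !/usr/sbin/service apache2 stop
sudoRunAsUser: root

dn: CN=alice-all,OU=SUDOers,DC=example,DC=com
objectClass: sudoRole
cn: alice-all
sudoUser: alice
sudoHost: ALL
sudoCommand: ALL
"""

# Constructed group membership; in a real deployment this comes from the directory.
GROUPS = {"webadmins": {"bob", "carol"}}


@dataclass
class SudoRole:
    cn: str
    users: list = field(default_factory=list)
    hosts: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def parse_ldif(text):
    """Minimal LDIF reader: one entry per blank-line-separated block.
    Folded lines and base64 (`::`) values are not handled."""
    roles = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = SudoRole(cn="")
            roles.append(current)
        elif current is None:
            continue
        elif attr == "cn":
            current.cn = value
        elif attr == "sudoUser":
            current.users.append(value)
        elif attr == "sudoHost":
            current.hosts.append(value)
        elif attr == "sudoCommand":
            current.commands.append(value)
    return roles


def user_matches(spec, user):
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # %group syntax, as in a flat sudoers file
        return user in GROUPS.get(spec[1:], set())
    return spec == user


def host_matches(spec, host):
    return spec == "ALL" or spec == host


def command_matches(spec, command):
    # sudoers permits shell-style wildcards in the command and its arguments
    return spec == "ALL" or fnmatch(command, spec)


def is_allowed(roles, user, host, command):
    """True if a sudoRole matching user and host allows `command` and no
    matching role negates it with a `!`-prefixed sudoCommand (simplified)."""
    allowed = False
    for role in roles:
        if not any(user_matches(u, user) for u in role.users):
            continue
        if not any(host_matches(h, host) for h in role.hosts):
            continue
        for spec in role.commands:
            if spec.startswith("!"):
                if command_matches(spec[1:], command):
                    return False
            elif command_matches(spec, command):
                allowed = True
    return allowed


def check(user, host, command, ldif=SAMPLE_LDIF):
    """Convenience wrapper: parse the LDIF and evaluate one query."""
    return is_allowed(parse_ldif(ldif), user, host, command)


if __name__ == "__main__":
    queries = [
        ("bob", "web01.example.com", "/usr/sbin/service apache2 restart"),
        ("bob", "web01.example.com", "/usr/sbin/service apache2 stop"),
        ("bob", "db01.example.com", "/usr/sbin/service apache2 restart"),
        ("alice", "db01.example.com", "/bin/bash"),
    ]
    for q in queries:
        print(q, "->", check(*q))
```

Running this against a real export (`ldapsearch` output saved to a file, then passed as `ldif=`) gives a quick, reviewable answer to "who can do what where" without touching a production host, which is the kind of check worth repeating whenever the SUDOers OU changes.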
