Integrating Sudo with Active Directory using the Sudoers Schema
Managing sudo permissions across a large fleet of Linux systems can be a challenge, especially in enterprise environments where centralized control is essential. Fortunately, the sudo schema for Active Directory (AD) provides a powerful way to manage sudo rules directly from AD, streamlining administration and improving security.
Step 1: Locate the Sudo Schema
The sudo schema for Active Directory is included with the Linux sudo package. You can find it in one of the following ways:
- Local path: /usr/share/doc/sudo-<version>/schema.ActiveDirectory (the version directory matches your installed sudo package).
- Download from RPM: visit this RPM repository and extract the schema.ActiveDirectory file from the package.
Step 2: Apply the Schema to Active Directory
Once you have the schema file, copy it to your Windows AD server and run the following command to import it:
ldifde -i -f schema.ActiveDirectory -c "dc=X" dc=DOMAINNAME,dc=LOCAL
This command imports the sudo schema into your AD forest, rewriting the dc=X placeholder in the file to your domain's distinguished name (replace dc=DOMAINNAME,dc=LOCAL with your own).
Step 3: Configure the Sudoers Organizational Unit (OU)
- Open adsiedit.msc.
- Connect to the Default Naming Context.
- Create a new Organizational Unit (OU) named sudoers.
This OU is where sudo will look for user-defined rules in Active Directory.
Step 4: Create a Sudo Rule Object
- Right-click the sudoers OU and select New → Object.
- Choose the object class sudoRule.
- Enter a name for the sudo rule and finish.
This object will hold the sudo configuration attributes.
Step 5: Define Sudo Rule Attributes
Edit the properties of the newly created object (e.g., cn=default,ou=sudoers) and set the following attributes:
- sudoCommand: ALL, or a specific list of allowed commands.
- sudoHost: ALL, or a list of specific hosts where the rule applies.
- sudoUser: ALL, or an AD group name prefixed with %. This group must exist within the sudoers OU.
(Figure: example rule with sudoCommand, sudoHost and sudoUser all set to ALL.)
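The same rule object can be prepared as an LDIF record and imported with the ldifde -i -f command from Step 2 instead of being typed into ADSI Edit. The script below is an added example, not part of the original post: it assumes the sudoRole object class and the sudoUser, sudoHost and sudoCommand attributes as defined in sudo's schema.ActiveDirectory, a constructed base DN of ou=sudoers,dc=example,dc=local, and a constructed group %LinuxAdmins. It also rejects commands that are not absolute paths (sudo never matches those) and flags the ALL/ALL/ALL rule from the figure above, which grants unrestricted root to everyone on every host.

```python
"""Generate an LDIF record for one sudo rule in the AD sudoers OU.

Added example, not from the original post. Assumes the sudoRole class and
sudoUser/sudoHost/sudoCommand attributes from sudo's schema.ActiveDirectory
and a constructed base DN; adjust SUDOERS_BASE to your own forest.
"""

SUDOERS_BASE = "ou=sudoers,dc=example,dc=local"  # constructed sample DN


def validate_rule(users, hosts, commands):
    """Return a list of problems that would make sudo silently ignore the rule."""
    problems = []
    if not users or not hosts or not commands:
        problems.append("sudoUser, sudoHost and sudoCommand must each have a value")
    for u in users:
        if u == "%":  # a bare '%' is a group reference with no group name
            problems.append("empty group name after '%'")
    for c in commands:
        # sudo only matches ALL or fully qualified command paths
        if c != "ALL" and not c.startswith("/"):
            problems.append(f"command is not an absolute path: {c}")
    return problems


def is_unrestricted(users, hosts, commands):
    """True for the ALL/ALL/ALL rule: any user, any host, any command as root."""
    return set(users) == {"ALL"} and set(hosts) == {"ALL"} and set(commands) == {"ALL"}


def build_sudo_rule_ldif(name, users, hosts, commands):
    """Return an LDIF 'add' record for a sudoRole object named cn=<name>."""
    problems = validate_rule(users, hosts, commands)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"dn: cn={name},{SUDOERS_BASE}",
        "changetype: add",
        "objectClass: top",
        "objectClass: sudoRole",
        f"cn: {name}",
    ]
    lines += [f"sudoUser: {u}" for u in users]      # e.g. %LinuxAdmins (AD group)
    lines += [f"sudoHost: {h}" for h in hosts]      # host names or ALL
    lines += [f"sudoCommand: {c}" for c in commands]  # absolute paths or ALL
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: the LinuxAdmins group may run systemctl on two web hosts
    print(build_sudo_rule_ldif("web-admins", ["%LinuxAdmins"],
                               ["web01", "web02"], ["/usr/bin/systemctl"]))
```

Save the output to a .ldf file and import it with ldifde -i -f <file> on the domain controller; run is_unrestricted over every rule you generate to catch an accidental ALL/ALL/ALL.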
Step 6: Create Supporting AD Structures
To fully implement the sudo schema:
- Create a Servers container: this helps organize the systems where sudo rules will apply.
By integrating sudo with Active Directory, you centralize access control, simplify user management, and enhance security across your Linux infrastructure. This approach is especially beneficial in hybrid environments where Windows and Linux coexist.