Use AD to assign a user to a group?

Beandip408 · 08-16-2011, 01:15 PM

Does anyone know a way to add an active directory user to Sudoers? I have users logging in with AD accounts but I need to be able to add and remove users to the Sudoers so they can accomplish some tasks that require elevated access without giving out the root password. we around 50 machines running CentOS 5.5 and its a pain to add every user to every box.

droyden · 08-16-2011, 05:05 PM

you can make sudo query ldap/ad but u need to extend the schema to support posix attributes

Beandip408 · 08-16-2011, 05:54 PM

thanks for the quick reply. how would i go about doing this?

sundialsvcs · 08-16-2011, 09:38 PM

Speaking totally blindly here ... is there any way that "PAM" (Pluggable Authentication Modules...) could be of service here?

The essential idea here is ... "AFAIK (which isn't much...), PAM ultimately controls everything." Therefore, if the sudo command does, or if it can, tap into the PAM mechanism, then your problem might be very close to being solved. It intuitively seems to me that you ought to be able to outright supersede the default behavior of sudo, and to very-elegantly substitute into its place an AD-based mechanism ... courtesy of PAM.