Differences

This shows you the differences between two versions of the page.

--- aix:aix_sudo [2021/06/09 00:15]
manu
+++ aix:aix_sudo [2023/08/17 01:02] (current)
manu
@@ Line 1: / Line 1: @@
 ====== SUDO options ======
+Use **sudo -l** to list your privileges
+Use visudo instead of vi to edit a sudoers file
+  # visudo -f /etc/sudoers.d/oracle_priv
+Check syntax on a file:
+<cli prompt='#'>
+root@SERVER1:/ # visudo -cf /etc/sudoers
+>>> sudoers file: syntax error, line 95 <<<
+parse error in /etc/sudoers near line 95
+</cli>
+<cli prompt='#'>
+root@SERVER2:/ # visudo -cf /etc/sudoers
+/etc/sudoers: parsed OK
+/etc/sudoers.d/generic: parsed OK
+/etc/sudoers.d/hosts-system: parsed OK
+</cli>
 If you want to use LDAP integrating with sudo, install sudo_ids from RPM package, add also the option into /etc/netsvc.conf
 <cli prompt='>'>
-root@SERVER:/:=>tail -3 /etc/netsvc.conf
+root@SERVER:/:=> tail -3 /etc/netsvc.conf
 hosts=local4,bind4
 sudoers=ldap
 </cli>
+Here are options from /etc/sudoers or /etc/sudoers.d/*
 <code>
 ##
@@ Line 58: / Line 78: @@
 </code>
-Example to rotate mailbox
+Example to rotate sulog
 <cli>
-/var/spool/mail/*
+/var/log/sudo.log
 {
            monthly
            rotate 2
-           olddir /var/log/news/old
            missingok
 }
 </cli>
+For full debug sudo:
+Create a file **/etc/sudo.conf**
+<cli prompt='#'>
+[root@aix01]/root# cat /etc/sudo.conf
+Debug sudo /var/log/sudo_debug all@debug
+</cli>
+Create the log file **/var/log/sudo_debug**
+And test...very verbose !!!
 ===== AIX ldap configuration =====
@@ Line 79: / Line 109: @@
 If you have a NIM server, the easiest way is to install them with nimclient:
+<cli>
-nimclient -o cust -a lpp_source="lppsource_71-04-01"  -a filesets="gskta.rte gsksa.rte" -a accept_licenses=yes
+# nimclient -o cust -a lpp_source="lppsource_71-04-01"  -a filesets="gskta.rte gsksa.rte" -a accept_licenses=yes
+</cli>
 In this post we will assume the packages are downloaded in /mnt/LDAP/6.4. It’s possible to install everything in one command.
+<cli>
- installp -agcXYd /mnt/LDAP/6.4 all
+# installp -agcXYd /mnt/LDAP/6.4 all
+</cli>
 At the end of the installation, you should have this kind of installation summary:
+<cli>
 Installation Summary
 --------------------
@@ Line 103: / Line 135: @@
 idsldap.clt_max_crypto64bit 6.4.0.8         USR         APPLY       SUCCESS
 idsldap.clt_max_crypto32bit 6.4.0.8         USR         APPLY       SUCCESS
+</cli>
 The next step is to register the license:
+<cli>
 /mnt/LDAP/6.4/license/idsLicense -q
 /mnt/LDAP/6.4/license/idsLicense -t && echo OK
+</cli>
 IBM Directory Server allows multiple versions to be installed on the same system. Some links are created in /usr/bin to point on the current version.
+<cli>
 ls -l /usr/bin/idsldapadd
 lrwxrwxrwx    1 root     system           33 Feb 12 15:04 /usr/bin/idsldapadd -> /opt/IBM/ldap/V6.4/bin/idsldapadd
+</cli>
 To change the version, we use the idslink binary.
 Link the 64bits LDAP binaries:
+<cli>
 /opt/IBM/ldap/6.4/bin/idslink -f -q -i -l 64
+</cli>
 Link the 32bits LDAP binaries:
+<cli>
 /opt/IBM/ldap/6.4/bin/idslink -f -q -i -l 32
+</cli>
 import CA certificate
@@ Line 129: / Line 166: @@
 Create the certificate directory:
+<cli>
 mkdir /etc/ldap/certs
 cd /etc/ldap/certs
+</cli>
 The next step is to create a keystore database. It will store the Certificate Authority certificate.
 It’s important to select a good password(not secretpass like in the example below :) )
+<cli>
 gsk7cmd -keydb -create -db galerieslafayette.kdb -pw secretpass -type cms -stash
+</cli>
 After that, you need to copy your CA certificate in /etc/ldap. Here the certificate file is named /etc/ldap/cacert.pem and we label it “Enterprise CA”.
+<cli>
 gsk7cmd -cert -add -file /etc/ldap/certs/cacert.pem -db /etc/ldap/certs/cert.kdb -pw secretpass -label "Enterprise CA" -format ascii
+</cli>
 It’s easy to check if the import worked properly by listing the certificates stored in the database:
+<cli>
 gsk7cmd -cert -list -db /etc/ldap/certs/cert.kdb -pw secretpass
+</cli>
 Certificates in database: /etc/ldap/certs/galerieslafayette.kdb
+<cli>
  Enterprise CA
  Entrust.net Global Secure Server Certification Authority
@@ Line 170: / Line 212: @@
  Thawte Premium Server CA
  Thawte Server CA
+</cli>
 Note: this step can be done only one time. You can copy the files on your others AIX systems.
@@ Line 175: / Line 218: @@
 The initial LDAP configuration is done with the mksecldap command:
+<cli>
 mksecldap -c -h ldap01 -a "uid=svc_ldap,ou=Service,dc=mydomain,dc=inet" -p ldappass -S rfc2307aix -k /etc/ldap/certs/cert.kdb -w secretpass -j TLS -A ldap_auth
+</cli>
 Here a description of the differents options:
+<code>
     -h: the ldap server hostname
     -a: the bind user
@@ Line 188: / Line 232: @@
     -j: use TLS for the ldap connection
     -A: Here we specify than user’s authentication is done on the LDAP server with the value ldap_auth.
+</code>
 The command mksecldap start the the ldap client process automatically.
 You can check if everything is working with the ls-secldapclntd:
+<cli>
-ls-secldapclntd
+# ls-secldapclntd
 ldapservers=ldap01
 current ldapserver=ldap01
@@ Line 217: / Line 262: @@
 userobjectclass=posixaccount,account,shadowaccount
 groupobjectclass=posixgroup
+</cli>
 further configuration
-This configuration is a basic one. It’s better to modify the configuration file /etc/security/ldap/ldap.cfg to better match your environment.
+This configuration is a basic one. It’s better to modify the configuration file **/etc/security/ldap/ldap.cfg** to better match your environment.
 Here an example of a more complex configuration:
+<cli>
 ldapservers:ldap01,ldap02
 binddn:uid=svc_ldap,ou=Service,dc=mydomain,dc=inet
@@ Line 243: / Line 289: @@
 serverschematype:rfc2307
 nsorder: local,bind
+</cli>
 Most of the options are self-explanatory.
@@ Line 248: / Line 295: @@
 userbasedn is pretty interesting because you can specify a filter after the base dn. The separator is ??. Here we added
-(memberOf=cn=admin,ou=Teams,ou=Groups,dc=mydomain,dc=inet)
+  (memberOf=cn=admin,ou=Teams,ou=Groups,dc=mydomain,dc=inet)
 So, in this example, to have a user visible on this system, he needs to be part of the cn=admin,ou=Teams,ou=Groups,dc=mydomain,dc=inet group. You can build more complex filters, it only need to be a valid ldap filter expression.
@@ Line 254: / Line 301: @@
 After modifying the configuration file, you need to restart the LDAP client service:
-restart-secldapclntd
+  restart-secldapclntd
 System configuration
@@ Line 260: / Line 307: @@
 LDAP is configured on the system but AIX is not using it for user management by default. You need to enable it with the chsec command:
-chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
+  chsec -f /etc/security/user -s default -a SYSTEM="files or LDAP"
 In some environments, you will have an error saying that LDAP is not a valid SYSTEM option. It’s because the file /etc/methods.cfg doesn’t contains this entry:
+<cli>
 LDAP:
         program = /usr/lib/security/LDAP
         program_64 =/usr/lib/security/LDAP64
+</cli>
 You can add it manually.
@@ Line 272: / Line 320: @@
 Another nice option added in AIX 6.1 is the possibility to automatically create the home directory at user’s login time.
-chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
+  chsec -f /etc/security/login.cfg -s usw -a mkhomeatlogin=true
-sudo configuration
+  sudo configuration
-Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named sudo_ids. The minimum version is 1.8.20.
+Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named **sudo_ids**. The minimum version is 1.8.20.
 If you installed yum on AIX(highly recommended), the installation is really easy:
+<cli>
-yum install sudo_ids
+# yum install sudo_ids
+</cli>
 You can check your sudo version:
+<cli>
-rpm -qi sudo_ids
+# rpm -qi sudo_ids
 Name : sudo_ids
 Version : 1.8.20p2
@@ Line 314: / Line 361: @@
 links are created in /usr/lib for idsldap libraries (through idslink command
 provided by idsldap filesets) followed by "updtvpkg" before installing the rpm.
+</cli>
 You can also check if the sudo binary were built with ldap support by running this command:
+<cli prompt='#'>
-sudo -V|grep ldap
+# sudo -V|grep ldap
  Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/share/man --docdir=/opt/freeware/share/doc/sudo_ids-1.8.20p2 --with-logging=syslog --with-aixauth --with-logfac=auth --without-pam --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
 ldap.conf path: /etc/sudo-ldap.conf
 ldap.secret path: /etc/ldap.secret
+</cli>
-It will also give you the place of the ldap configuration file for sudo. Here it’s /etc/sudo-ldap.conf.
+It will also give you the place of the ldap configuration file for sudo. Here it’s **/etc/sudo-ldap.conf**.
 This configuration file is pretty simple to understand:
+<cli>
 host ldap01 ldap02
 port 389
@@ Line 337: / Line 386: @@
 bind_timelimit 3
 timelimit 3
+</cli>
 It’s important to specify the good certificate database if you want to use TLS to contact the LDAP directory. It’s specified with the parameter tls_key.
@@ Line 344: / Line 394: @@
 In production, it’s better to store the bind dn password in the /etc/ldap.secret file.
-It’s also mandatory to modify the /etc/netsvc.conf file to allow sudo to use LDAP.
+It’s also mandatory to modify the **/etc/netsvc.conf** file to allow sudo to use LDAP.
+<cli>
 sudoers = files, ldap
+</cli>
+Example of syntax for /etc/sudoers file
+  %wheel ALL=(ALL) NOPASSWD: ALL
+  user01 ALL=NOPASSWD:/usr/sbin/lsdev

wiki

User Tools

Site Tools

Differences

Page Tools