This shows you the differences between two versions of the page.
aix:aix_sudo [2023/08/16 15:54] manu [AIX ldap configuration] |
aix:aix_sudo [2023/08/17 01:02] (current) manu |
Line 266: | Line 266: | ||
further configuration | further configuration | ||
- | This configuration is a basic one. It’s better to modify the configuration file /etc/security/ldap/ldap.cfg to better match your environment. | + | This configuration is a basic one. It’s better to modify the configuration file **/etc/security/ldap/ldap.cfg** to better match your environment. |
Here an example of a more complex configuration: | Here an example of a more complex configuration: | ||
Line 324: | Line 324: | ||
sudo configuration | sudo configuration | ||
- | Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named sudo_ids. The minimum version is 1.8.20. | + | Since a few months, IBM provides a sudo package with IBM Directory Server ldap + ssl support. The package is named **sudo_ids**. The minimum version is 1.8.20. |
If you installed yum on AIX(highly recommended), the installation is really easy: | If you installed yum on AIX(highly recommended), the installation is really easy: | ||
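Review bot: "Since a few months" in the changed line is a vague, dateless time reference that will go stale; either give the date or release in which IBM shipped the sudo_ids package or drop the phrase and keep only the concrete statement "The minimum version is 1.8.20". Also, "ldap + ssl" would read better as "LDAP + SSL" to match the capitalisation used for LDAP later on the page, and "AIX(highly recommended)" is missing a space before the parenthesis.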
Line 364: | Line 364: | ||
You can also check if the sudo binary were built with ldap support by running this command: | You can also check if the sudo binary were built with ldap support by running this command: | ||
- | <cli> | + | <cli prompt='#'> |
# sudo -V|grep ldap | # sudo -V|grep ldap | ||
Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/share/man --docdir=/opt/freeware/share/doc/sudo_ids-1.8.20p2 --with-logging=syslog --with-aixauth --with-logfac=auth --without-pam --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf | Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --mandir=/opt/freeware/share/man --docdir=/opt/freeware/share/doc/sudo_ids-1.8.20p2 --with-logging=syslog --with-aixauth --with-logfac=auth --without-pam --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf | ||
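Review bot: the new prompt='#' attribute correctly marks this as a root shell, and that deserves a sentence in the text, because the "Configure options:" line that the reader is told to look for is only printed by sudo -V when it is run as root; a non-root user running the same command will see no match and wrongly conclude LDAP support is missing. Say explicitly that the option to look for is --with-ldap, and fix "if the sudo binary were built" to "was built".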
Line 371: | Line 371: | ||
</cli> | </cli> | ||
- | It will also give you the place of the ldap configuration file for sudo. Here it’s /etc/sudo-ldap.conf. | + | It will also give you the place of the ldap configuration file for sudo. Here it’s **/etc/sudo-ldap.conf**. |
This configuration file is pretty simple to understand: | This configuration file is pretty simple to understand: | ||
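Review bot: the path /etc/sudo-ldap.conf is presented as a given here, but it is only correct for a binary built with --with-ldap-conf-file=/etc/sudo-ldap.conf as in the sudo -V output above; tell readers to take the path from that option in their own output rather than assume it, since a differently built sudo will look elsewhere. Bolding the path is consistent with the other changes in this revision.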
Line 394: | Line 394: | ||
In production, it’s better to store the bind dn password in the /etc/ldap.secret file. | In production, it’s better to store the bind dn password in the /etc/ldap.secret file. | ||
- | It’s also mandatory to modify the /etc/netsvc.conf file to allow sudo to use LDAP. | + | It’s also mandatory to modify the **/etc/netsvc.conf** file to allow sudo to use LDAP. |
<cli> | <cli> | ||
sudoers = files, ldap | sudoers = files, ldap |
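Review bot: two points in this region. First, /etc/ldap.secret on the line above is the one file path this revision leaves unbolded while /etc/netsvc.conf gets bold, so bold it as well for consistency. Second, and more important as a documentation gap, the sentence recommends moving the bind DN password into /etc/ldap.secret but does not say that the file must be owned by and readable only by root; without that, the password is no better protected there than in the sudo-ldap.conf shown earlier, which is the whole reason for moving it. It would also help to note that the order in "sudoers = files, ldap" is the lookup order, so local /etc/sudoers entries are consulted before LDAP.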