sudo, ldap, and osx (10.5)

If I have a LDAP group (or ou if we are going to use ldap's naming
convention) called sysadmins of the users who can sudo, how to use
this group in a Mac's sudoers file?

_______________________________________________
MacOSX-admin mailing list
MacOSX-admin@...
http://www.omnigroup.com/mailman/listinfo/macosx-admin

Re: sudo, ldap, and osx (10.5)

On 5 June 09 at 23:10, Mauricio Tavares wrote:

> If I have a LDAP group (or ou if we are going to use ldap's naming
> convention) called sysadmins of the users who can sudo, how to use
> this group in a Mac's sudoers file?

Hello Mauricio,

You're a bit elliptic in your question.
Nevertheless, assuming your LDAP group "sysadmins" is known through Directory Service's search path on the box you want to do sudo, it should just be a matter of editing the sudoers file on that box.
But sure I'm missing some piece of the equation... ;-)

Axel

Re: sudo, ldap, and osx (10.5)

On Fri, Jun 5, 2009 at 6:08 PM, Axel Luttgens<luttgens@...> wrote:

> On 5 June 09 at 23:10, Mauricio Tavares wrote:
>
>> If I have a LDAP group (or ou if we are going to use ldap's naming
>> convention) called sysadmins of the users who can sudo, how to use
>> this group in a Mac's sudoers file?
>
> Hello Mauricio,
>
> You're a bit elliptic in your question.
> Nevertheless, assuming your LDAP group "sysadmins" is known through
> Directory Service's search path on the box you want to do sudo, it should
> just be a matter of editing the sudoers file on that box.
> But sure I'm missing some piece of the equation... ;-)
>

Directory Service's search path. That could be a bit of an issue. It is as if you can only add groups from a select set. Is there a way to persuade it to let me add the group?

Re: sudo, ldap, and osx (10.5)

In 10.4 I'd use memberd -g sysadmins to find the UUID of the group, but
there might be something else in 10.5 and I'm currently in windows (sorry guys ;)

Include that UUID as a nested group of admin and they can sudo. But that also means they are admins and that might not be what you want.

(EDIT*: I ssh'd onto a random Leopard computer and found:

    hf-xxx-xxx:~ root# dsmemberutil getuuid -G UIO\\myuname-group
    E591DE64-C544-47F4-AEDC-B006032D657E

so that seems to be the valid method for finding the UUID and the proper way of setting the value is:

    dscl . -merge /Groups/admin NestedGroups E591DE64-C544-47F4-AEDC-B006032D657E

Second EDIT: Some people insist on using the dseditgroup command instead:

    dseditgroup -o edit -a 'UIO\myuname-group' -t group admin

Here you just specify the name of the group and it actually finds the right UUID and pops that into NestedGroups: E591DE64-C544-47F4-AEDC-B006032D657E

Swapping -a for -d and you remove it again.

Oh, and by the way - the author of the dseditgroup man page should be whac... corrected for listing -P mypassword as a valid argument to the command as that would list the admin password in clear text to anyone who wants to know and knows how. And actually seem to confuse -p and -P a few times.

Quoting a web page, Mikey-San says this about the names of the attributes:

> /*!
> * @defined kDSNAttrGroupMembers
> * @discussion Attribute type in group records containing lists of GUID
> values for members other than groups.
> */
> #define kDSNAttrGroupMembers "dsAttrTypeStandard:GroupMembers"
>
> That's the best description I can find of this attribute. It differs
> from dsAttrTypeStandard:GroupMembership (kDSNAttrGroupMembership) in
> that GroupMembers is for UUIDs, where GroupMembership is user names.

* So how/why do you edit an email? I sent the email as my old email address and it was stopped. That's why.

On Fri, June 5, 2009 23:10, Mauricio Tavares wrote:
> If I have a LDAP group (or ou if we are going to use ldap's naming
> convention) called sysadmins of the users who can sudo, how to use
> this group in a Mac's sudoers file?

--
Klaus Wik
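
Added example, not part of the thread: because nesting a directory group into admin makes its members admins, as the last message points out, this script lists the group UUIDs found in the admin record's NestedGroups attribute that are not on an approved list. The function names, the approved list and the sample dscl output are assumptions made for the example; the second UUID in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list groups nested into the local
# admin group that are not on an approved list.

# UUID quoted in the thread (the nested LDAP group); treated here as approved.
APPROVED='E591DE64-C544-47F4-AEDC-B006032D657E'

# Constructed sample of `dscl . -read /Groups/admin NestedGroups` output;
# the second UUID is made up to stand for an unreviewed nested group.
SAMPLE_DSCL='NestedGroups: E591DE64-C544-47F4-AEDC-B006032D657E 11111111-2222-3333-4444-555555555555'

# Print every UUID-shaped token in the given text, upper-cased, one per line.
nested_uuids() {
    printf '%s\n' "$1" |
        grep -Eio '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' |
        tr 'a-f' 'A-F' | sort -u
}

# Print nested UUIDs that do not appear in the whitespace-separated
# approved list ($2). Prints nothing when every nested group is approved.
unexpected_nested() {
    approved=" $(printf '%s' "$2" | tr 'a-f\n\t' 'A-F  ') "
    for uuid in $(nested_uuids "$1"); do
        case "$approved" in
            *" $uuid "*) ;;
            *) printf '%s\n' "$uuid" ;;
        esac
    done
}

# On a Mac, read the live record; elsewhere fall back to the sample.
if command -v dscl >/dev/null 2>&1; then
    current=$(dscl . -read /Groups/admin NestedGroups 2>/dev/null || true)
else
    current=$SAMPLE_DSCL
fi
unexpected_nested "$current" "$APPROVED"
```

Each UUID it prints can be resolved and, if it should not be there, removed with the -d form of the dseditgroup command quoted above.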