4

Once upon a time I set about getting a Linux server to use our Active Directory for logins, and I got it so that I could log in as myself and then work on the server, and su to root to make system changes using the server's local root password.

However, part of the plan we wanted was to not have separate root accounts on every server with passwords which need tracking and updating.

What's a way around this? Can root be a centralised AD account like a Windows Administrator account? Can non-root users be given root permissions in a way that isn't a bodge?

2 Answers

4

You can create root privileges based on LDAP groups using sudo (see the manual for examples). You can even store your sudo configuration within LDAP.

See this question: Debian and LDAP for sudo

1
  • 2
    Keeping the sudo config in LDAP could look daunting to some users. An alternative is to create an "admins" group in LDAP and add this group to the /etc/sudoers file on your servers (similar to the local "wheel" group). Commented Oct 24, 2010 at 1:22
1

Something to consider, though, is how you would be able to perform system maintenance and/or recovery. (At this point LDAP/AD services are not yet running on the local system, so root would not be able to authenticate.)
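The group-based sudo approach from the first answer and its comment, as an added example that is not part of the original posts: a shell helper that builds a sudoers rule for a directory group, escapes the characters sudoers treats specially, and syntax-checks the drop-in before installing it. The group names and the drop-in path are hypothetical, and the local root account is left untouched so it stays available for the recovery case raised in the second answer.

```shell
#!/bin/sh
# Added example: grant sudo to a directory group via a validated drop-in.
# Group names and the target path below are hypothetical placeholders.

# Print a sudoers rule for group $1. Names outside a conservative
# allow-list are rejected so a crafted name cannot add sudoers syntax.
sudoers_group_rule() (
    grp=$1
    [ -n "$grp" ] || exit 1
    # Delete allowed characters; anything left over (newline included) is
    # a rejection. The trailing "x" keeps a leftover newline from being
    # stripped by command substitution.
    rest=$(printf '%s' "$grp" | LC_ALL=C tr -d 'A-Za-z0-9_. \\-'; printf x)
    [ "$rest" = x ] || exit 1
    # Backslash (DOMAIN\group form) and space must be backslash-escaped.
    esc=$(printf '%s' "$grp" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g')
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$esc"
)

# Write the rule for group $1 to drop-in file $2 with mode 0440.
# The rule is syntax-checked with visudo first when visudo is installed,
# so a broken file never lands in /etc/sudoers.d and locks out sudo.
install_rule() (
    rule=$(sudoers_group_rule "$1") || exit 1
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    printf '%s\n' "$rule" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || exit 1
    fi
    install -m 0440 "$tmp" "$2"
)

# Usage, run as root (hypothetical group and path):
#   install_rule 'linux admins' /etc/sudoers.d/ad-admins
# This only adds a rule. The local root password still works on the
# console when LDAP/AD is unreachable.
```

Membership is then managed entirely in the directory: adding or removing a user from the group changes who can run `sudo` on every server carrying the drop-in.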
