At my workplace, we're using sudo-ldap to provide sudo privileges across the network from a centralised store. We do this based on the username plus the hostname they're running sudo on, e.g.:
sudoHost: foo1
sudoUser: user1
I want to be able to match the sudoHost attribute based on the FQDN rather than the short hostname, so that we can use DNS subdomains for different environments - e.g. use web1.dev.example.com in the development environment and web1.test.example.com in the test environment and so on. However, right now sudoHost only matches on the short hostname.
i.e. this works:
sudoHost: foo1
But this doesn't work:
sudoHost: foo1.dev.example.com
The problem with just having the short hostname (foo1) is that it matches across all environments - foo1.dev, foo1.test, foo1.staging, etc. I want it to be more granular than that.
Is it possible to get sudo-ldap to query based on the FQDN (as returned by hostname -f) rather than just the short hostname?
I've googled with no success. I can't find anything in the man page or online; the closest it gets when talking about sudoHost attribute is:
sudoHost
A host name, IP address, IP network, or host netgroup (prefixed with a '+'). The special value ALL will match any host.
No mention of FQDN vs. short hostname. There was no mention of FQDN vs. short hostname in the Configuring ldap.conf section either.
The host in question is running Ubuntu 10.04.
Given that sudo itself only matches on the same things that the sudoHost attribute mentions, I'm inclined to think that without intrusive sudo patching you're not going to get what you're after.
There is one possibility -- are you setting the machine hostname to the short name, or the FQDN? If you're doing the former, try the latter and see if sudo switches to recognising the FQDN instead (you'll likely lose the ability to match on the short name, though). Honestly, I much prefer to set my hostname to an FQDN; I think it provides a lot more value in a multi-domain setup like the one you describe (which, by the way, I applaud you for doing, and I wish everyone would do it).
If I were to hazard an (educated) guess as to why you can't (and, honestly, shouldn't) match based on FQDN (or, to be more specific, the data provided by hostname -f) instead of hostname, I'd say that it's because that value (hostname -f) is obtained through NSS -- meaning /etc/hosts or DNS (and sudo can't tell which). So you suddenly have a security vulnerability whereby if an attacker can manipulate DNS results, he's got your host-restricted sudo setup pwned.
As a less-useful, but still potentially valuable option (if setting FQDNs as the hostname isn't possible), switch to using IP addresses. It's less obvious and a bit of a maintenance pain if you have to renumber, but unless you're editing your LDAP records by hand, your sudo-config-maintenance-tool-thingy can at least hide the ugliness by resolving names/addresses and giving you names to play with and sudo IP addresses.
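As an added illustration (not code from the question, the answer, or sudo itself), the following Python model compares a sudoHost value with a host's identity using the rules listed in the sudoers description quoted above (host name, IP address, IP network, '+netgroup', ALL), and shows why a bare short name grants access in every environment while an IP/network entry, or a hypothetical FQDN-aware match, does not. The two hosts, their addresses and netgroup names are constructed for the example, and the use_fqdn switch is an assumption that models the behaviour the asker wants rather than a real sudo option.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostIdentity:
    """Constructed view of one host: what `hostname`, `hostname -f` and its
    interfaces report, plus any host netgroups it belongs to."""
    short_name: str
    fqdn: str
    addresses: list = field(default_factory=list)
    netgroups: set = field(default_factory=set)


def sudohost_matches(value: str, host: HostIdentity, use_fqdn: bool = False) -> bool:
    """Decide whether one sudoHost value applies to `host`.

    Assumed rules, following the sudoers description quoted in the question:
    ALL, '+netgroup', an IP address or CIDR network, or a host name.
    use_fqdn=False compares names with the short name only (the behaviour the
    question reports); use_fqdn=True also accepts the FQDN, which is the
    hypothetical behaviour the asker wants."""
    if value == "ALL":
        return True
    if value.startswith("+"):                       # host netgroup
        return value[1:] in host.netgroups
    try:
        net = ipaddress.ip_network(value, strict=False)  # IP address or network
    except ValueError:
        net = None                                   # not numeric: treat as a name
    if net is not None:
        return any(ipaddress.ip_address(a) in net for a in host.addresses)
    names = {host.short_name.lower()}
    if use_fqdn:
        names.add(host.fqdn.lower())
    return value.lower() in names


# Two constructed hosts that share a short name but live in different
# environments (addresses and netgroup names are made up for the example).
DEV = HostIdentity("foo1", "foo1.dev.example.com", ["10.1.0.5"], {"devhosts"})
TEST = HostIdentity("foo1", "foo1.test.example.com", ["10.2.0.5"], {"testhosts"})


def environments_granted(value: str, use_fqdn: bool = False) -> list:
    """Names of the constructed hosts on which a sudoHost value would apply."""
    return [env for env, host in (("dev", DEV), ("test", TEST))
            if sudohost_matches(value, host, use_fqdn)]
```

Running environments_granted("foo1") returns both environments, which is exactly the over-broad match the question describes, whereas "10.1.0.0/16" or "+testhosts" pins the rule to one environment without depending on a DNS lookup.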