Unify Sudoers Privileges Across Raspberry Pi Devices

Introduction: Unify Sudoers Privileges Across Raspberry Pi Devices

About: Systems Administrator and Software Programmer.


Besides the ability to store automounter maps, LDAP can also store sudoers configuration. This makes maintenance of sudoers policy fast and easy.


This instructable will show how to:

  • Install sudoers-LDAP related package
  • Install sudoers schema in OpenLDAP
  • Create sudoers file in LDIF format
  • Add the sudoers file to LDAP database
  • Test


We need to have 2 Raspberry Pi devices runnung Raspbian OS. For simplicity, I will call the 2 Raspberry Pi devices as Rpi1 and Rpi2:

Rpi1 will have:

LDAP server with user account database

Rpi2 will:

  • Look up sudoers policy in Rpi1's LDAP server
  • Do LDAP authentication using Rpi1's LDAP server


The following are system data of the 2 Raspberry devices:

Distributor ID: Debian

Description: Debian GNU/Linux 7.8 (wheezy)

Release: 7.8

Codename: wheezy

Linux rpipro.example.com 3.18.9+ #767 PREEMPT Sat Mar 7 21:41:13 GMT 2015 armv6l GNU/Linux


Manual page sudoers.ldap(5)


Teacher Notes

Teachers! Did you use this instructable in your classroom?
Add a Teacher Note to share how you incorporated it into your lesson.

Step 1: Make Raspberry Pi Into a LDAP Server to Store User Account Data and Password

Step 2: Make Raspberry Pi Do LDAP Authentication

Complete the steps in the "Make Raspberry Pi do LDAP Authentication" instructable for Rpi2

Step 3: Install Sudo Support Package for Ldap

Open terminal emulator in Rpi1

sudo apt-get update
<br>sudo apt-get install sudo-ldap

Step 4: Install Sudo Schema in OpenLDAP

In order to use sudo's LDAP support, the sudo schema must be installed on your LDAP server.

Open terminal emulator in Rpi1:

sudo cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema

Create a working directory:

mkdir -p ~/proj_sudo/instruc_ldap_2

Create a configuration file for the schema:

vi schema_convert.conf

Determine the index of the schema:

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep sudo,cn=schema


dn: cn={13}sudo,cn=schema,cn=config

Use slapcat to perform the conversion:

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={13}sudo,cn=schema,cn=config -l cn=sudo.ldif

Edit cn=sudo.ldif to arrive at the following attributes:

dn: cn=sudo,cn=schema,cn=config<br>...
cn: sudo

Also remove the following lines from the bottom:

use ldapadd to add the new schema to the slapd-config DIT:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=sudo.ldif

Confirm that sudoers schema is installed in LDAP:

sudo ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn

Step 5: Creating Organizational Units

Open terminal emulator in Rpi1:

vi add_ous.ldif

Add record to openLDAP:

sudo ldapadd -f add_ous.ldif -x -D "cn=admin,dc=example,dc=com" -W

Step 6: Grant Sudo Privilege

A sudoRole must contain at least one sudoUser, sudoHost and sudoCommand

Open terminal emulator in Rpi1

Convert /etc/sudoers into ldif:

Append the following to exisiting content of sudoMaster.ldif:

vi /home/pi/proj_sudo/instruc_ldap_2/sudoMaster.ldif

Install sudoMaster.ldif into LDAP:

ldapadd -f ~/proj_sudo/instruc_ldap_2/sudoMaster.ldif -D "cn=admin,dc=example,dc=com" -W -x

Step 7: Index the 'sudoUser' Attribute

In addition, be sure to index the 'sudoUser' attribute.

Open terminal emulator in Rpi1

vi indices.ldif

Modify the index records in openLDAP:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif

Step 8: Configure Client's Ldap.conf

Open terminal emulator in Rpi2

Sudo reads the /etc/sudo-ldap.conf file for LDAP-specific configuration.

Note that sudo parses /etc/sudo-ldap.conf itself and may support options that differ from those described in the ldap.conf(5) manual.

Edit ldap client configuration:

sudo vi /etc/ldap/ldap.conf

BASE dc=example,dc=com
URI ldap:// index sudoUser eq sudoers_base ou=SUDOers,ou=etc,dc=example,dc=com

Create sudo-ldap.conf for sudoers LDAP setup:

sudo ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf

Step 9: Configuring Client's Nsswitch.conf

Unless it is disabled at build time, sudo consults the Name Service Switch file, /etc/nsswitch.conf, to specify the sudoers search order. Sudo looks for a line beginning with sudoers: and uses this to determine the search order. Note that sudo does not stop searching after the first match and later matches take precedence over earlier ones.

Open terminal emulator in Rpi2

Add entry for sudoer:

vi /etc/nsswitch.conf

sudoers: ldap

Step 10: Test

Open terminal emulator in Rpi2

Rename /etc/sudoer so that Rpi2 must lookup sudoers policy in LDAP

sudo mv /etc/sudoer /etc/sudoer.disabled

Reboot Rpi2

Login using john account:

username: john
password: johnldap

Open terminal emulator in Rpi2

Reboot Rpi2:

sudo reboot

Expected result: Rpi2 will reboot

Open terminal emulator in Rpi2

Shutdown Rpi2:

sudo shutdown -h now

Expected result: Rpi2 will reboot

Be the First to Share


    • Backyard Contest

      Backyard Contest
    • Silly Hats Speed Challenge

      Silly Hats Speed Challenge
    • Finish It Already Speed Challenge

      Finish It Already Speed Challenge

    4 Discussions

    Correct reference URL: https://www.leonis.at/blog/ldap-integration-for-sudo-users/

    mirza irwan osman
    mirza irwan osman

    5 years ago on Step 7


    I embedded some codes using iframe but it does NOT appear when I published it. This is terribly inconvenient. I hope the folks at instructables.com will rectify this.

    mirza irwan osman
    mirza irwan osman

    Reply 5 years ago on Introduction

    Because the <iframe> tag was removed by instructables.com during publishing, I have uploaded files that have the content of the <iframe> tag. Sorry for the inconvenience caused.