[SUDO] Add Custom Schema to Oracle Directory Server Enterprise (ODSEE)

By default, Oracle Directory Server Enterprise Edition (ODSEE) LDAP does not include any schema for sudo, either during or after the install. If you plan on using sudoers with LDAP, the schema must be added manually after installation. It is fairly straightforward to get it working properly. Hopefully this will help get the ball rolling for those who may be considering using SUDO with ODSEE.

Below I describe how to properly use the OpenLDAP sudoers LDAP schema, which is commonly shipped with sudo source and binary distributions as schema.OpenLDAP. We will take this schema and make it functional with our instance of Oracle Directory Server Enterprise Edition (ODSEE). Unfortunately, one cannot just use schema.OpenLDAP unmodified with ODSEE: the original schema.OpenLDAP has to be changed slightly to work with it.

As the listing below illustrates, the custom schema file should be named accordingly, with a numeric prefix. The number should be higher than that of any of the default ldifs in the instance schema folder, but less than or equal to 99. For example, here is the listing of the ldifs in my /config/schema/ folder (98sudo.ldif is the file we are about to create):

bash-3.00# ls | pr -3
00core.ldif             50ns-calendar.ldif      50ns-media.ldif
00ds6pwp.ldif           50ns-certificate.ldif   50ns-mlm.ldif
05rfc2247.ldif          50ns-compass.ldif       50ns-msg.ldif
05rfc2927.ldif          50ns-delegated-admin.ld 50ns-netshare.ldif
11rfc2307.ldif          50ns-directory.ldif     50ns-news.ldif
20subscriber.ldif       50ns-legacy.ldif        50ns-proxy.ldif
25java-object.ldif      50ns-mail.ldif          50ns-value.ldif
28pilot.ldif            50ns-mcd-browser.ldif   50ns-wcal.ldif
30ns-common.ldif        50ns-mcd-config.ldif    50ns-web.ldif
50iplanet-servicemgt.ld 50ns-mcd-li.ldif        98sudo.ldif
50ns-admin.ldif         50ns-mcd-mail.ldif      99user.ldif

Nothing prevents you from prefixing your custom schema file with ’00’, but then the custom schema may be loaded before more important system schemas, which could lead to stability issues down the road. While the contents of the custom schema file below could simply be appended to the ODSEE ‘99user.ldif‘ file, we will create our own separate file, 98sudo.ldif, and make our modifications there. Again, you cannot copy the sudoers schema.OpenLDAP file as-is and expect it to work with Oracle Directory Server; its contents have to be modified first. Here is the creation of the schema file:

# cat > 98sudo.ldif <<HERE 
# The following schema, in OpenLDAP format, is included with sudo source and
# binary distributions as schema.OpenLDAP.
#
#
dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
#
# aci to ensure that the standard schema attributes are visible to
# all LDAP clients (anonymous access).
#
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; 
  allow (read, search, compare) userdn = "ldap:///anyone";) 
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' 
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' 
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' 
  EQUALITY caseExactIA5Match 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' 
  EQUALITY caseExactIA5Match 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' 
  EQUALITY caseExactIA5Match 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' 
  EQUALITY caseExactIA5Match 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' 
  EQUALITY caseExactIA5Match 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' 
  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' 
  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' 
  EQUALITY integerMatch ORDERING integerOrderingMatch 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'SUDO')
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) 
  MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore 
  $ sudoNotAfter $ sudoOrder $ description ) X-ORIGIN 'SUDO')
HERE

Note: Depending on how your copy & paste handled the line breaks, you may want to put each ‘attributeTypes’ and ‘objectClasses’ definition above on a single line. LDIF only treats a line as a continuation of the previous one when it begins with a space, so a wrapped line that lost its leading space will cause slapd to fail to load the custom file.

Once done, restart the instance while tailing the error log residing under <instance-path>/logs/errors. This lets you know right away if something went wrong!

So in one window tail the error log:

# tail -f /<instance-path>/logs/errors
...edited...
[07/Nov/2011:16:42:19 -0500] - Closing all interfaces port 389 for LDAP requests
[07/Nov/2011:16:42:19 -0500] - Closing all interfaces port 636 for LDAPS requests
[07/Nov/2011:16:42:19 -0500] - DEBUG - conn=-1 op=-1 msgId=-1 -  slapd shutting down - signaling operation threads
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 27 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 22 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 19 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 18 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 17 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 16 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 15 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 12 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 11 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 8 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 6 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 4 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 2 threads to terminate
[07/Nov/2011:16:42:19 -0500] - slapd shutting down - waiting for 0 threads to terminate
[07/Nov/2011:16:42:19 -0500] - libumem_dummy_thread started.
[07/Nov/2011:16:42:19 -0500] - Waiting for 6 database threads to stop
[07/Nov/2011:16:42:20 -0500] - All database threads now stopped
[07/Nov/2011:16:42:20 -0500] - slapd stopped.
[07/Nov/2011:16:42:22 -0500] - Sun-Directory-Server/11.1.1.3.0 B2010.0630.2254 (64-bit) starting up
[07/Nov/2011:16:42:23 -0500] - Listening on all interfaces port 389 for LDAP requests
[07/Nov/2011:16:42:23 -0500] - Listening on all interfaces port 636 for LDAPS requests
[07/Nov/2011:16:42:23 -0500] - slapd started.
[07/Nov/2011:16:42:23 -0500] - INFO: 88 entries in the directory database.
[07/Nov/2011:16:42:23 -0500] - INFO: add:0, modify:0, modrdn:0, search:0, delete:0, compare:0, bind:0 since startup.

While in the other window restart the instance:

# dsadm stop /<instance-path>
# dsadm start /<instance-path>

Or, you could have restarted in one command with:

# dsadm restart /<instance-path>

Verify that the new attribute types and object class exist in the directory's cn=schema entry by performing a basic LDAP search against the directory server (the -T flag prints each value unfolded, on one line):

bash-3.00# ldapsearch -T -b cn=schema "(objectclass=*)" | grep -i sudo
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
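The three checks above are done by eye in this post: that the file name sorts after the stock schema files, that every definition survives the copy & paste as properly folded LDIF, and that the server actually picked up every definition. The following script is an added example (not part of the original post and not an ODSEE tool) that performs those checks on a schema file and on the output of the cn=schema search. The sample LDIF, the sample ldapsearch output and the list of stock files are constructed for the example; the rule that 99user.ldif is excluded from the prefix comparison, as the reserved user slot, is my reading of the post.

```python
import re

# Constructed sample: the head of a 98sudo.ldif written in the folded style of
# the post (continuation lines begin with a space, as LDIF requires).
SAMPLE_LDIF = """\
dn: cn=schema
objectclass: top
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo'
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO')
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries'
  EQUALITY integerMatch ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'SUDO')
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn )
  MAY ( sudoUser $ sudoHost $ sudoOrder $ description ) X-ORIGIN 'SUDO')
"""

# Constructed sample: what `ldapsearch -T -b cn=schema "(objectclass=*)" | grep -i sudo`
# might print if the server picked up sudoUser and sudoRole but not sudoOrder.
SAMPLE_SEARCH = """\
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoOrder $ description ) X-ORIGIN 'SUDO' )
"""

# Constructed sample: a subset of the stock files in <instance-path>/config/schema.
STOCK_FILES = ["00core.ldif", "00ds6pwp.ldif", "05rfc2247.ldif", "11rfc2307.ldif",
               "28pilot.ldif", "30ns-common.ldif", "50ns-admin.ldif", "50ns-value.ldif",
               "99user.ldif"]

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\(\s*([\d.]+)\s+NAME\s+'([^']+)'")
PREFIX_RE = re.compile(r"^(\d{2})[A-Za-z]")


def unfold_ldif(text):
    """Join LDIF continuation lines (which start with one space) onto the
    line before them, dropping that single leading space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_definitions(text):
    """Map (kind, NAME) -> OID for every attributeTypes/objectClasses line,
    after unfolding, so folded files and -T (unfolded) output parse the same way."""
    defs = {}
    for line in unfold_ldif(text):
        m = DEF_RE.match(line)
        if m:
            kind, oid, name = m.groups()
            defs[(kind, name)] = oid
    return defs


def prefix_ok(custom_name, schema_dir_files):
    """Apply the naming rule from the post: the numeric prefix must be above
    every stock schema file and at most 99. 99user.ldif is treated as the
    reserved user slot and excluded from the comparison (assumption)."""
    m = PREFIX_RE.match(custom_name)
    if not m:
        return False
    n = int(m.group(1))
    stock = [int(PREFIX_RE.match(f).group(1)) for f in schema_dir_files
             if PREFIX_RE.match(f) and f not in (custom_name, "99user.ldif")]
    return bool(stock) and max(stock) < n <= 99


def missing_after_load(file_text, search_output):
    """NAMEs defined in the file whose kind+OID do not appear in the
    cn=schema search output, i.e. definitions the server did not load."""
    wanted = parse_definitions(file_text)
    loaded = parse_definitions(search_output)
    return sorted(name for (kind, name), oid in wanted.items()
                  if loaded.get((kind, name)) != oid)


if __name__ == "__main__":
    print("prefix 98sudo.ldif ok:", prefix_ok("98sudo.ldif", STOCK_FILES))
    print("prefix 00sudo.ldif ok:", prefix_ok("00sudo.ldif", STOCK_FILES))
    print("not loaded:", missing_after_load(SAMPLE_LDIF, SAMPLE_SEARCH))
```

In practice you would read the real 98sudo.ldif and pipe the real ldapsearch output into missing_after_load; an empty list means every definition in the file is present on the server with the same OID, which is a stronger check than eyeballing the grep output.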

Before wrapping things up, it is a good idea to also create an index on the ‘sudoUser’ attribute, since sudo's LDAP lookups filter on it and an unindexed search over the whole suffix is slow. For example, if your base suffix is “dc=goldcoast,dc=com“, you can create the index for the attribute ‘sudoUser’ by performing:

# dsconf create-index dc=goldcoast,dc=com sudoUser

And verify:

# dsconf list-indexes
Enter "cn=Directory Manager" password: 
...edited...
dc=goldcoast,dc=com           sudoUser 
...edited...

References:

  1. When Creating Custom Schema Files, Oracle Fusion Middleware Administration Guide for Oracle Directory Server
  2. Extending Schema With a Custom Schema File, Oracle Fusion Middleware Administration Guide for Oracle Directory Server
This entry was posted in *Nix.

3 Responses to [SUDO] Add Custom Schema to Oracle Directory Server Enterprise (ODSEE)

  1. http://andcarinsurancequotes.com says:

    Usually I do not learn posts on blogs; however, I would like to say that this write-up very much pressured me to check it out and do so! Your writing taste has amazed me. Thanks, very nice article.

  2. crazy-admin says:

    You don’t need to use the OpenLDAP schema. sudo comes with the iPlanet schema. iPlanet is in the same family of LDAP servers descended from Netscape/Mozilla. Don’t use the OpenLDAP schema, use the iPlanet schema.
