Understanding and implementing sudoers.ldap


I have a Nethserver instance in my homelab running a test AD, which I like to imagine might some day form an example for the small IT consulting firm I work for to use in our supported sites with heterogenous OS requirements, such as media/entertainment companies running Linux, Mac, and Windows workstations.

I am investigating performing domain joins to Nethserver with Linux machines and came across this beautifully written page: https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html#EXAMPLES

I think I understand what this is saying, which is effectively that as long as the schema is set up correctly in AD, simply dropping a correctly-formatted file to /etc/ldap.conf will enable sudo to check AD efficiently. I’m pretty sure I can figure my way through getting ldap.conf correct, but I have no idea what to do with the AD schema discussed here: “[The sudo schema] for Microsoft Active Directory (schema.ActiveDirectory) may be found in the sudo distribution.”

I believe that’s here: https://github.com/lbt/sudo/blob/master/doc/schema.ActiveDirectory

But I’m afraid I don’t know what to do with this schema - can I please get some pointers on where to go to implement this schema?

End goal: freshly-installed, domain-joined, Linux-based workstations (or servers) with just the ldap.conf file modified can have users in the AD sudoers group or groups issue sudo commands.

Thanks kindly,
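As an added example (not from the original post, Nethserver or the sudo project), here is a small Python auditor that parses constructed sudoRole LDIF entries of the kind the linked man page describes and evaluates which user/host/command combinations they grant, which is useful for checking what a role will allow before it lands in the directory. The DNs, group and user names, and the last-match-wins ordering by sudoOrder are assumptions of this example.

```python
from fnmatch import fnmatch

# Constructed sample: two sudoRole objects as they might be exported from a
# sudoers OU in AD once the sudo schema has been loaded. Hypothetical DNs/names.
SAMPLE_LDIF = """\
dn: CN=admins,OU=sudoers,DC=example,DC=test
objectClass: sudoRole
sudoUser: %linuxadmins
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 10

dn: CN=ops-restart,OU=sudoers,DC=example,DC=test
objectClass: sudoRole
sudoUser: alice
sudoHost: web*
sudoCommand: /bin/systemctl restart nginx
sudoCommand: !/bin/systemctl restart sshd
sudoOrder: 5
"""

def parse_ldif(text):
    """Split LDIF into dicts of attribute -> list of values; keep sudoRole objects."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur: entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]

def _user_matches(entry, user, groups):
    return any(u == "ALL" or u == user or (u[:1] == "%" and u[1:] in groups)
               for u in entry.get("sudoUser", []))

def allowed(entries, user, groups, host, command):
    """True if the highest-sudoOrder matching role grants `command` on `host`.
    Assumption of this example: roles apply in ascending sudoOrder so the last
    match wins, like a sequential sudoers file; a leading "!" negates a command."""
    decision = False
    for e in sorted(entries, key=lambda r: int(r.get("sudoOrder", ["0"])[0])):
        if not (_user_matches(e, user, groups) and
                any(h == "ALL" or fnmatch(host, h) for h in e.get("sudoHost", []))):
            continue
        for c in e.get("sudoCommand", []):
            if c.lstrip("!") == "ALL" or fnmatch(command, c.lstrip("!")):
                decision = not c.startswith("!")
    return decision
```

Run it against an LDIF export of the real sudoers container to see, per user and host, what each role actually permits before relying on it.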


There are some howtos about joining Linux clients to Nethserver AD:

thank you Markus, you are amazing!

these guides are great! but they all appear to use the method of specifying a group in the sudoers file, which the article I linked to explicitly identifies as a less-desirable way of implementing sudoers permissions in larger or distributed environments, or when you want to enable more subtle applications of sudo.

it’s also a good opportunity to learn about modifying AD schemas and this is a wonderful community

for performing general domain joins i have discovered that pbis works well. this query is not about joining the domain, but using sudoers.ldap to manage privilege escalation on nix systems.

