Core Concepts

LDAP and Sudo

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol for querying and updating directory services. A directory is a centralized, hierarchical store for data such as user accounts, group memberships, permissions, and organizational information.

In the SecretZero PAM solution, an LDAP directory is built into the appliance and acts as the authoritative directory for managing access to Unix systems. Managed hosts read their sudo rules from this directory (through sudo's LDAP sudoers backend or SSSD) rather than relying only on a locally maintained sudoers file, which is what makes the built-in LDAP essential for managing privileged access via Sudo.


What is Sudo?

Sudo (originally "superuser do") is a Unix command that lets a permitted user run commands as another user, by default root, under rules defined in a sudoers policy. It provides a controlled, logged mechanism for granting and managing administrative access to Unix systems without sharing the privileged account's password.

  Standard Workflow:
  • A user logs into the Unix server under their regular account (e.g., john.doe).
  • The user runs commands as a privileged account (e.g., root or a technical application account) by prefixing them with sudo, provided the sudoers policy allows it.

LDAP and Sudo in SecretZero PAM

The SecretZero PAM solution extends the functionality of LDAP and Sudo by integrating them with Just-in-Time (JIT) provisioning and ephemeral certificate-based authentication.

How it Works:

  1. User Login: A user logs into the Unix server with their personal account (e.g., john.doe), authenticated by an ephemeral SSH certificate issued by the SecretZero CA.

  2. JIT Sudo Access: When the user requires privileged access, the PAM solution provisions the necessary permissions dynamically:
    • The user is granted temporary access to privileged accounts (e.g., root or a technical application account) by writing a sudo rule for that user into the SecretZero LDAP directory.
    • The rule is scoped to the user's specific task or session.

  3. Executing Privileged Commands: The user runs the sudo command to switch to the privileged account. sudo on the host looks up the user's rules in the LDAP directory and allows or refuses the command on that basis; the directory stores the policy, the host enforces it.

  4. Access Revocation: Once the task is complete, JIT provisioning automatically removes the user's rule from the LDAP directory, so no standing access remains, in keeping with Zero Trust principles. Where a host caches directory lookups (for example through SSSD), the revocation takes effect on that host once the cached rule is refreshed or expires, so the cache refresh interval bounds how long a removed rule can linger.

Benefits of SecretZero’s LDAP and Sudo Integration

  1. Dynamic Authentication and Authorization:
    • Authentication is handled using ephemeral SSH certificates.
    • Authorization is managed through JIT provisioning of Sudo permissions in the LDAP directory.

  2. Centralized Access Management:
    • All privileged access policies are managed centrally in the built-in LDAP directory.
    • Eliminates the need for decentralized or manually managed privilege configurations on individual Unix servers.

  3. Just-in-Time Access:
    • Access to privileged accounts is provisioned only when needed and is automatically removed after the session or task is completed.
    • Reduces the risk of unauthorized access or credential misuse.

  4. Enhanced Security:
    • By combining ephemeral certificates with LDAP-based Sudo management, SecretZero removes the need for static passwords and persistent privileges.
    • Supports compliance with modern security practices.

  5. Audit and Compliance:
    • Every access request, LDAP update, and Sudo action is logged for audit and compliance purposes.
    • Provides a clear record of who accessed what, when, and for what purpose.

Example Workflow

Scenario: Administrator Needs Temporary Root Access

  1. Login: The administrator, john.doe, logs into a Unix server using an ephemeral SSH certificate issued by the SecretZero CA.

  2. Request Privileged Access: The administrator requests root access via the SecretZero PAM interface. The JIT engine updates the SecretZero LDAP directory to grant john.doe Sudo permissions for the root account.

  3. Switch to Root: The administrator executes the command:
    sudo su -

    sudo on the server finds the newly provisioned rule in the LDAP directory and grants a root shell for the duration of the task.

  4. Access Revocation: Once the task is complete, the administrator logs out. The JIT engine removes the Sudo permissions from the LDAP directory, ensuring no lingering access.
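To make the "How it Works" steps and the scenario above concrete, here is an added Python example. It is not SecretZero code; the product's JIT engine and directory layout are not documented on this page. It assumes the standard sudoers LDAP schema (sudoRole entries with sudoUser, sudoHost, sudoRunAsUser, sudoCommand, sudoNotBefore, sudoNotAfter and sudoOrder), a hypothetical base DN ou=SUDOers,dc=example,dc=com, and hypothetical hostnames and timestamps. It shows the LDIF a JIT grant and its revocation would write, and models the decision sudo's LDAP backend makes when john.doe runs a command, including the hard expiry that sudoNotAfter gives the grant even if the delete never arrives. One caveat for anyone reproducing this: sudo's own LDAP backend only evaluates sudoNotBefore/sudoNotAfter when sudoers_timed is switched on in its ldap.conf.

```python
"""Model of JIT sudo through LDAP sudoRole entries (illustrative, not SecretZero code).

Assumes the sudoers LDAP schema and a hypothetical base DN. sudo's native LDAP
backend honours sudoNotBefore/sudoNotAfter only with 'sudoers_timed on'.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import List, Optional

SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"  # hypothetical base DN


def ldap_time(dt: datetime) -> str:
    """GeneralizedTime (yyyymmddHHMMSSZ) as sudoNotBefore/sudoNotAfter expect it."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass
class SudoRole:
    """One sudoRole entry: who may run what, as whom, where, and when."""
    cn: str
    users: List[str]                       # sudoUser: login, %group, or ALL
    hosts: List[str]                       # sudoHost: hostname, glob, or ALL
    commands: List[str]                    # sudoCommand: path/glob or ALL; '!' denies
    runas: List[str] = field(default_factory=lambda: ["root"])  # sudoRunAsUser
    not_before: Optional[datetime] = None  # sudoNotBefore
    not_after: Optional[datetime] = None   # sudoNotAfter: hard expiry of the grant
    order: int = 0                         # sudoOrder: higher is evaluated later

    @property
    def dn(self) -> str:
        return f"cn={self.cn},{SUDOERS_BASE}"

    def ldif_add(self) -> str:
        """LDIF a JIT engine would submit to provision this rule."""
        lines = [f"dn: {self.dn}", "changetype: add", "objectClass: top",
                 "objectClass: sudoRole", f"cn: {self.cn}"]
        lines += [f"sudoUser: {u}" for u in self.users]
        lines += [f"sudoHost: {h}" for h in self.hosts]
        lines += [f"sudoRunAsUser: {r}" for r in self.runas]
        lines += [f"sudoCommand: {c}" for c in self.commands]
        if self.not_before:
            lines.append(f"sudoNotBefore: {ldap_time(self.not_before)}")
        if self.not_after:
            lines.append(f"sudoNotAfter: {ldap_time(self.not_after)}")
        lines.append(f"sudoOrder: {self.order}")
        return "\n".join(lines) + "\n"

    def ldif_delete(self) -> str:
        """LDIF that revokes the rule once the session ends."""
        return f"dn: {self.dn}\nchangetype: delete\n"


def _match(patterns: List[str], value: str, groups=()) -> bool:
    """sudoUser/sudoHost/sudoRunAsUser matching: ALL, exact, glob, or %group."""
    for p in patterns:
        if p == "ALL" or p == value or fnmatchcase(value, p):
            return True
        if p.startswith("%") and p[1:] in groups:
            return True
    return False


def authorized(roles, user, groups, host, runas, command, now) -> Optional[str]:
    """Mimic sudo's LDAP backend: keep roles inside their time window that match
    user, host and run-as target; walk them in ascending sudoOrder so the last
    matching sudoCommand wins; a '!' match is a denial. Returns the cn of the
    winning role, or None when sudo would refuse."""
    verdict = None
    for role in sorted(roles, key=lambda r: r.order):
        if role.not_before and now < role.not_before:
            continue
        if role.not_after and now >= role.not_after:
            continue
        if not (_match(role.users, user, groups) and _match(role.hosts, host)
                and _match(role.runas, runas)):
            continue
        for c in role.commands:
            deny, pat = c.startswith("!"), c.lstrip("!")
            if pat == "ALL" or fnmatchcase(command, pat):
                verdict = None if deny else role.cn
    return verdict


def jit_root_grant(user: str, host: str, now: datetime, ttl_minutes: int = 30) -> SudoRole:
    """Session-scoped root rule a JIT engine would write for one approved request."""
    return SudoRole(cn=f"jit-{user}-{host}-{ldap_time(now)}", users=[user], hosts=[host],
                    commands=["ALL"], runas=["root"], not_before=now,
                    not_after=now + timedelta(minutes=ttl_minutes), order=100)


def demo() -> dict:
    """Constructed scenario from the page: john.doe gets root on web01 for 30 minutes."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    standing = SudoRole("ops-restart", ["%ops"], ["ALL"], ["/usr/bin/systemctl restart *"], order=10)
    grant = jit_root_grant("john.doe", "web01.example.com", t0)
    who = ("john.doe", ["ops"], "web01.example.com", "root")
    return {
        "add_ldif": grant.ldif_add(),
        "delete_ldif": grant.ldif_delete(),
        "before_grant": authorized([standing], *who, "/bin/su -", t0),
        "restart_only": authorized([standing], *who, "/usr/bin/systemctl restart nginx", t0),
        "during": authorized([standing, grant], *who, "/bin/su -", t0 + timedelta(minutes=5)),
        "other_host": authorized([standing, grant], "john.doe", ["ops"], "web02.example.com",
                                 "root", "/bin/su -", t0 + timedelta(minutes=5)),
        "expired": authorized([standing, grant], *who, "/bin/su -", t0 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the add and delete LDIF and the verdicts: no root before the grant, the standing group rule still covering only service restarts, root on web01 during the window, nothing on web02, and nothing after sudoNotAfter regardless of whether the delete was applied. The authorized() function is a model of the evaluation for reasoning about rules, not a substitute for sudo's own check; in a real deployment the LDIF goes to the directory with ldapmodify and the decision is made by sudo on the host.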

Conclusion

The integration of LDAP and Sudo within the SecretZero PAM solution provides a robust and dynamic approach to managing privileged access on Unix systems. By leveraging ephemeral certificates for authentication and LDAP for JIT authorization, SecretZero ensures that access is secure, temporary, and auditable. This powerful combination simplifies access management while adhering to the principles of Zero Trust and modern security practices.