Linux with AD user accounts – what about root

Tags: active-directory, domain, linux, pam, samba

Once upon a time I set about getting a Linux server to use our Active Directory for logins, and I got it so that I could log in as myself and then work on the server, and su to root to make system changes using the server's local root password.

However, part of the plan we wanted was to not have separate root accounts on every server with passwords which need tracking and updating.

What's a way around this? Can root be a centralised AD account like a Windows Administrator account? Can non-root users be given root permissions in a way that isn't a bodge?

Best Answer

You can create root privileges based on LDAP groups using sudo (see the manual for examples). You can even store your sudo configuration within LDAP.

See this question: Debian and LDAP for sudo
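The group-based approach the answer describes, as an added example of a file-based sudoers drop-in (not from the answer or the linked question). It assumes an AD group named linux-admins in the domain example.com that the server can resolve through NSS (SSSD or winbind); the exact group spelling depends on how that mapping is configured.

```sudoers
# /etc/sudoers.d/ad-admins (mode 0440; edit only with: visudo -f /etc/sudoers.d/ad-admins)
#
# Assumed group names; check what the server actually resolves first:
#   getent group linux-admins@example.com
# SSSD with fully qualified names: linux-admins@example.com
# winbind: EXAMPLE\linux-admins, or plain linux-admins when
#          "winbind use default domain = yes" is set in smb.conf.

# Record privileged sessions so root activity is attributable to a person.
Defaults    logfile=/var/log/sudo.log
Defaults    log_input, log_output
Defaults    use_pty

# Weak form: a root shell with no password prompt and nothing to tie the
# action back to the user beyond group membership. Kept commented out.
# %linux-admins@example.com ALL=(ALL:ALL) NOPASSWD: ALL

# Corrected form: members of the AD group may run any command as root,
# authenticating with their own AD password. The local root password is
# never shared and can be left unknown to the admins.
%linux-admins@example.com ALL=(ALL:ALL) ALL

# Narrower delegation for a second AD group: service restarts and log
# viewing only. A '*' in arguments matches across argument boundaries,
# so keep such lists tight and prefer explicit unit names where possible.
Cmnd_Alias SERVICES = /usr/bin/systemctl restart *, /usr/bin/systemctl status *
Cmnd_Alias LOGS     = /usr/bin/journalctl *
%linux-operators@example.com ALL=(root) SERVICES, LOGS

# Verify before relying on it:
#   visudo -cf /etc/sudoers.d/ad-admins
#   sudo -l -U alice@example.com     # shows what a given AD user may run
```

With this in place the local root password only needs to exist for console recovery, and membership in the AD group becomes the single thing to manage when admins join or leave.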