[sudo-users] sudo ldap not working
John Tran
vectorz2 at gmail.com
Fri Feb 23 17:13:07 EST 2007
Hey all, I figured out the compiling problem was due to not having
openldap-devel package. Got that fixed, so now sudo is installed and ldap
seems to be configured just right but it's not working.
When I do sudo -l I can see that it picks up the netgroup correctly and I
even see privileges, yet it won't let me sudo.
[jtran at optimus ~]$ sudo -l
Password:
User jtran may run the following commands on this host:
LDAP Role: jtran
Commands:
(ALL) ALL
[jtran at optimus ~]$ sudo cat /etc/shadow
jtran is not in the sudoers file. This incident will be reported.
** Also, how do I turn on sudo -l debug? I saw this output in one of the
mailing-list archives:
http://www.gratisoft.us/pipermail/sudo-workers/2004-August/000372.html
> And the results of sudo -l with debugging enabled:
> [cds12118:~] jacobp% sudo -l
> LDAP Config Summary
> ===================
> host 158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59
> port 389
> ldap_version 3
> uri (NONE)
> sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
> binddn cn=proxyagent,ou=profile,o=cadence.com
> bindpw proxy
> ===================
> ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59,389)
> ldap_bind() ok
> found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%c
> vsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
> found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoHost 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(50)=0x02
> User jacobp may run the following commands on this host:
>
> LDAP Role: Admins
> Commands:
> !/usr/bin/vi /etc/passwd
> !/usr/bin/vi /etc/shadow
> !/usr/bin/vi /etc/ldap.conf
> !sudoedit /etc/passwd
> !sudoedit /etc/shadow
> !sudoedit /etc/ldap.conf
> !sudoedit /etc/nsswitch.conf
> !/usr/sbin/ldapclient
> !/bin/sh
> !/bin/bash
> !/bin/ksh
> !/bin/tcsh
> !/bin/csh
> !/bin/su
> !/grid/common/bin/tcsh
> !/grid/common/bin/bash
> !/usr/ngnu/bin/tcsh
> !/usr/ngnu/bin/bash
> !xterm
> ALL
> [cds12118:~] jacobp%
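The quoted trace shows two things a reader debugging the same "sudo -l lists privileges but sudo denies" situation can reuse: the search filter sudo builds from the user name and group list (the `(|(sudoUser=…)(sudoUser=%group)…(sudoUser=ALL))` form, followed by a separate `(sudoUser=+*)` netgroup search), and the per-run config summary and match counters. The Python below is an added example, not code from the post or from the sudo project: it rebuilds that filter with RFC 4515 escaping (sudo's own escaping code is not reproduced), parses a trace of the quoted format into a structure, and redacts the `bindpw` line, since the quoted trace prints the LDAP bind password in clear text and such output tends to get pasted into mailing lists. The sample trace is the one quoted above, trimmed to the lines before the command list. On the question of how to turn the debugging on: the directive that produces this output is `sudoers_debug` (levels 1 and 2) in sudo's ldap.conf, per the sudoers.ldap manual; that detail comes from general knowledge of sudo, not from this thread.

```python
"""Rebuild and inspect the LDAP searches shown in a sudo LDAP debug trace.

Added example; not the sudo project's code and not from the original post.
Filter shape and trace line formats are taken from the quoted sudo -l output;
value escaping follows RFC 4515.
"""
import re

# Trace copied from the quoted post, trimmed before the command list.
SAMPLE_TRACE = """\
LDAP Config Summary
===================
host 158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
158.140.143.59
port 389
ldap_version 3
uri (NONE)
sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
binddn cn=proxyagent,ou=profile,o=cadence.com
bindpw proxy
===================
ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
158.140.143.59,389)
ldap_bind() ok
found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoOption: 'ignore_local_sudoers'
ldap search
'(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%c
vsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoHost 'ALL' ... MATCH!
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(50)=0x02
"""

# RFC 4515: these characters would otherwise alter the structure of the filter
# if they appeared in a user or group name.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
NETGROUP_FILTER = '(sudoUser=+*)'   # second search seen in the trace

_MATCH_RE = re.compile(r'^(\w+(?:\(\d+\))?)=(\S+)$')      # user_matches=-1 etc.
_OPTION_RE = re.compile(r"^ldap sudoOption: '(.*)'$")


def ldap_escape(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def sudo_user_filter(user, groups):
    """Filter for sudoRole entries naming the user, one of its groups, or ALL.
    Groups are emitted in the order given, duplicates included, so the result
    can be compared byte-for-byte with the filter in a trace (the quoted trace
    lists %cadence1 twice, presumably primary plus supplementary group)."""
    clauses = [f'(sudoUser={ldap_escape(user)})']
    clauses += [f'(sudoUser=%{ldap_escape(g)})' for g in groups]
    clauses.append('(sudoUser=ALL)')
    return '(|' + ''.join(clauses) + ')'


def parse_debug_trace(text):
    """Extract config summary, matched entries, options, filters and counters."""
    info = {'config': {}, 'found': [], 'options': [], 'searches': [], 'matches': {}}
    state, last_key, search_buf = 'body', None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'LDAP Config Summary':
            state = 'summary'
            continue
        if state == 'summary':
            if line.startswith('==='):
                if info['config']:          # the second rule closes the summary
                    state = 'body'
                continue
            parts = line.split(None, 1)
            if len(parts) == 2:
                last_key = parts[0]
                info['config'][last_key] = parts[1]
            elif parts and last_key:        # wrapped continuation of the last value
                info['config'][last_key] += ' ' + parts[0]
            continue
        if search_buf is not None:          # filter wrapped mid-token onto next line
            search_buf += line
        elif line.startswith('ldap search'):
            search_buf = line[len('ldap search'):].strip()
        elif line.startswith('found:'):
            info['found'].append(line[len('found:'):].strip())
        elif _OPTION_RE.match(line):
            info['options'].append(_OPTION_RE.match(line).group(1))
        elif _MATCH_RE.match(line):
            m = _MATCH_RE.match(line)
            info['matches'][m.group(1)] = m.group(2)
        if search_buf is not None and search_buf.count("'") >= 2:
            info['searches'].append(search_buf.strip("'"))
            search_buf = None
    return info


def scrub_trace(text):
    """Redact the bind password before a trace is shared or attached to a ticket."""
    return re.sub(r'^(\s*bindpw\s+).*$', r'\1[redacted]', text, flags=re.MULTILINE)


def filter_matches_trace(info, user, groups):
    """True when the first search in the trace is exactly the filter we would build."""
    return bool(info['searches']) and info['searches'][0] == sudo_user_filter(user, groups)


if __name__ == '__main__':
    parsed = parse_debug_trace(SAMPLE_TRACE)
    print('sudoers_base:', parsed['config']['sudoers_base'])
    for flt in parsed['searches']:
        print('search:', flt)
    print('counters:', parsed['matches'])
    print(scrub_trace(SAMPLE_TRACE).splitlines()[9])
```

Running the block prints the base DN, both search filters and the match counters from the sample, then the redacted `bindpw` line. The parser deliberately joins wrapped filter lines without a separator, because the mail wrap in the quoted trace split `%cvsaccess` in the middle of the token.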