[sudo-users] sudo ldap not working
John Tran
vectorz2 at gmail.com
Fri Feb 23 17:39:59 EST 2007
Figured it out. Sorry to have even bothered you guys, but for reference:
1) The debug that i saw in the archived email was referring to turning on
LDAP debug and *not* the sudo debug. That's done in /etc/ldap.conf with
'sudoers_debug 2'; which I had mistyped to begin with.
2) The MAIN problem was that the command ALL(ALL) doesn't work in the ldap
object. I guess the sudoers2ldif script is written wrong. I looked at the
example and it should look like this:
Here is an example:
# /etc/sudoers:
# Allow all commands except shell
johnny ALL=(root) ALL,!/bin/sh
# Always allows all commands because ALL is matched last
puddles ALL=(root) !/bin/sh,ALL
# LDAP equivalent of Johnny
# Allows all commands except shell
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
# LDAP equivalent of Puddles
# Notice that even though ALL comes last, it still behaves like
# role1 since the LDAP code assumes the more paranoid configuration
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
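To make the difference between the two roles concrete, here is an added example (not part of the original post and not sudo's own code) that models the two command-matching semantics the quoted README text contrasts: plain sudoers evaluates the command list in order and the last match wins, while the LDAP backend, per the quoted comment, takes the "more paranoid" reading and lets a matching negated sudoCommand deny regardless of attribute order. The LDIF input is the two entries quoted above; command matching is exact-string or ALL, which deliberately leaves out the argument, wildcard and path handling real sudo does.

```python
"""Added example (not from the original post or from sudo itself): a small
model of sudoers 'last match wins' versus the LDAP backend's 'any negation
denies' reading of a role's command list.  Matching is exact-string or the
ALL keyword only; real sudo also matches arguments, wildcards and
canonicalised paths, which this model omits."""

from dataclasses import dataclass, field

# Constructed input: the two LDIF entries quoted in the post.
SAMPLE_LDIF = """\
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh

dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
"""


@dataclass
class SudoRole:
    dn: str
    users: list = field(default_factory=list)
    hosts: list = field(default_factory=list)
    commands: list = field(default_factory=list)


def parse_ldif(text):
    """Parse a minimal LDIF stream (no line folding, no base64) into roles."""
    roles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = SudoRole(dn=value)
            roles.append(current)
        elif attr == "sudoUser":
            current.users.append(value)
        elif attr == "sudoHost":
            current.hosts.append(value)
        elif attr == "sudoCommand":
            current.commands.append(value)
    return roles


def _matches(pattern, cmd):
    """Exact match or the ALL keyword; negation is handled by the callers."""
    return pattern == "ALL" or pattern == cmd


def ldap_allows(role, user, host, cmd):
    """LDAP backend reading from the quoted README comment: a matching
    negated sudoCommand denies, whatever its position among the attributes."""
    if user not in role.users or not any(_matches(h, host) for h in role.hosts):
        return False
    allowed = False
    for spec in role.commands:
        negated = spec.startswith("!")
        if _matches(spec.lstrip("!"), cmd):
            if negated:
                return False  # paranoid reading: a negation wins outright
            allowed = True
    return allowed


def sudoers_allows(command_list, cmd):
    """Plain sudoers reading of one 'cmd,cmd,...' list: entries are
    evaluated in order and the last match decides."""
    verdict = False
    for spec in (s.strip() for s in command_list.split(",")):
        negated = spec.startswith("!")
        if _matches(spec.lstrip("!"), cmd):
            verdict = not negated
    return verdict


def compare(cmd):
    """Return {role cn: (sudoers verdict, LDAP verdict)} for the sample data."""
    roles = {r.dn.split(",")[0][3:]: r for r in parse_ldif(SAMPLE_LDIF)}
    # The sudoers command lists for johnny and puddles as quoted in the post.
    sudoers_lines = {"role1": "ALL,!/bin/sh", "role2": "!/bin/sh,ALL"}
    users = {"role1": "johnny", "role2": "puddles"}
    return {
        cn: (sudoers_allows(sudoers_lines[cn], cmd),
             ldap_allows(roles[cn], users[cn], "anyhost", cmd))
        for cn in roles
    }


if __name__ == "__main__":
    for cmd in ("/bin/ls", "/bin/sh"):
        print(cmd, compare(cmd))
```

Running it shows the one case where the two readings disagree: puddles gets /bin/sh under plain sudoers (ALL matched last) but is denied it under the LDAP reading, which is why the README calls the LDAP behaviour the more paranoid one.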
On 2/23/07, John Tran <vectorz2 at gmail.com> wrote:
>
> Hey all, I figured out the compiling problem was due to not having
> openldap-devel package. Got that fixed, so now sudo is installed and ldap
> seems to be configured just right but it's not working.
>
> When I do sudo -l I can see that it picks up the netgroup correctly and I
> even see privileges, yet it won't let me sudo.
>
>
> [jtran at optimus ~]$ sudo -l
> Password:
> User jtran may run the following commands on this host:
>
> LDAP Role: jtran
> Commands:
> (ALL) ALL
> [jtran at optimus ~]$ sudo cat /etc/shadow
> jtran is not in the sudoers file. This incident will be reported.
>
> ** Also how do I turn on sudo -l debug? I saw this output in one of the
> archive mail-list:
>
> http://www.gratisoft.us/pipermail/sudo-workers/2004-August/000372.html
>
> > And the results of sudo -l with debugging enabled:
> > [cds12118:~] jacobp% sudo -l
> > LDAP Config Summary
> > ===================
> > host 158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73 158.140.143.59
> > port 389
> > ldap_version 3
> > uri (NONE)
> > sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
> > binddn cn=proxyagent,ou=profile,o=cadence.com
> > bindpw proxy
> > ===================
> > ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73 158.140.143.59,389)
> > ldap_bind() ok
> > found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> > ldap sudoOption: 'ignore_local_sudoers'
> > ldap search '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%cvsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
> > found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> > ldap sudoHost 'ALL' ... MATCH!
> > ldap search 'sudoUser=+*'
> > user_matches=-1
> > host_matches=-1
> > sudo_ldap_check(50)=0x02
> > User jacobp may run the following commands on this host:
> >
> > LDAP Role: Admins
> > Commands:
> > !/usr/bin/vi /etc/passwd
> > !/usr/bin/vi /etc/shadow
> > !/usr/bin/vi /etc/ldap.conf
> > !sudoedit /etc/passwd
> > !sudoedit /etc/shadow
> > !sudoedit /etc/ldap.conf
> > !sudoedit /etc/nsswitch.conf
> > !/usr/sbin/ldapclient
> > !/bin/sh
> > !/bin/bash
> > !/bin/ksh
> > !/bin/tcsh
> > !/bin/csh
> > !/bin/su
> > !/grid/common/bin/tcsh
> > !/grid/common/bin/bash
> > !/usr/ngnu/bin/tcsh
> > !/usr/ngnu/bin/bash
> > !xterm
> > ALL
> > [cds12118:~] jacobp%
>