[sudo-users] sudo + openldap + freebsd 7
François Mehault
Francois.Mehault at netplus.fr
Tue May 26 06:04:51 EDT 2009
Hi all,
I am trying to configure sudo with my OpenLDAP on FreeBSD 7.0 and I am running into some difficulties. I read the documents on the website about LDAP (Sudoers LDAP Manual and README for LDAP). My problem is simple: it doesn't work. On FreeBSD I installed sudo with make config (selecting LDAP support), make and make install. I copied schema.openLDAP to /usr/local/etc/openldap/schema/sudo.schema and included it in slapd.conf (and I restarted the slapd daemon). I added "sudoers: ldap" to /etc/nsswitch.conf. Here is an extract of my ldap.conf (/usr/local/etc/ldap.conf):
ldap.conf:
base dc=netplus,dc=fr
uri ldap://x.x.x.x :389
ldap_version 3
rootbinddn cn=root,dc=netplus,dc=fr # with ldap.secret
timelimit 3
bind_timelimit 3
bind_policy soft
pam_login_attribute uid
pam_check_host_attr yes
#pam_check_service_attr yes
pam_groupdn cn=pf_labobe1,ou=Plate-Forme,dc=netplus,dc=fr
pam_member_attribute uniqueMember
sudoers_base ou=SUDOers,dc=netplus,dc=fr
sudoers_debug 2
My problem:
<11:57>[labobe1:~]$ sudo visudo
LDAP Config Summary
===================
uri ldap://x.x.x.x:389
ldap_version 3
sudoers_base ou=SUDOers,dc=netplus,dc=fr
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 3000
timelimit 3
ssl (no)
===================
sudo: ldap_initialize(ld, ldap://10.96.18.10:389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=netplus,dc=fr
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap search '(|(sudoUser=fmehault)(sudoUser=%administrateur)(sudoUser=%stagiaire)(sudoUser=ALL))'
sudo: found:cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: ldap sudoRunAs 'ALL' ... MATCH!
sudo: Perfect Matched!
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x402
Password:
You can't come in. Our tiger has got flu
Password:
... and it used to be so popular...
Password:
Hold it up to the light --- not a brain in sight!
sudo: 3 incorrect password attempts
<11:57>[labobe1:~]$ whoami
fmehault
On my OpenLDAP:
dn: ou=SUDOers,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: SUDOers
dn: cn=defaults,ou=sudoers,dc=netplus,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog
sudoOption: env_keep+=SSH_AUTH_SOCK
dn: cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
objectClass: top
sudoHost: ALL
cn: roleAdmin
sudoCommand: ALL
sudoRunAs: ALL
sudoUser: fmehault
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
objectClass: authorizedServiceObject
host: *
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
authorizedService: sshd
authorizedService: sudo
I did exactly the same thing on a Fedora 10 and it works perfectly. Can someone help me?
Thanks,
Regards,
François
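As an added example (not part of the original post and not sudo's own code), the following Python script mimics the lookup behind the trace above: it builds the sudoUser search filter that sudo prints at sudoers_debug 2, evaluates sudoRole entries from a constructed LDIF sample taken from the post (plus an invented cn=roleOps entry with a %group and a '!' negation, to show the general matching rules rather than only the single case in the post), and classifies from a sudoers_debug excerpt whether a failed run stopped in the LDAP authorization stage or in the later password step. Netgroups, wildcards and sudoRunAsGroup are not modelled, and "the last role that yields a sudoCommand decision wins" is a simplification of sudo's real ordering rules.

```python
"""Toy evaluator for sudoers rules kept in LDAP (sudoRole entries).
Added example, not sudo's own code; it mimics the decision behind a
sudoers_debug trace.  Netgroups, wildcards and sudoRunAsGroup are not
modelled, and the last role yielding a sudoCommand decision wins."""
import re

# Constructed sample: the post's cn=defaults and cn=roleAdmin entries plus a
# cn=roleOps entry invented here to show %group matching and '!' negation.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
cn: defaults
sudoOption: logfile=/var/log/sudolog
sudoOption: env_keep+=SSH_AUTH_SOCK
dn: cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
cn: roleAdmin
sudoUser: fmehault
sudoHost: ALL
sudoCommand: ALL
sudoRunAs: ALL
dn: cn=roleOps,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
cn: roleOps
sudoUser: %stagiaire
sudoHost: labobe1
sudoCommand: ALL
sudoCommand: !/bin/sh
"""
# Constructed sudoers_debug excerpt, abridged from the post's trace.
SAMPLE_DEBUG = """\
sudo: found:cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
sudo: Perfect Matched!
sudo: 3 incorrect password attempts
"""

def parse_ldif(text):
    """Minimal LDIF reader: every 'dn:' line starts a new entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z][\w-]*):\s*(.*)$', line.rstrip())
        if m and m.group(1).lower() == 'dn':
            cur = {}
            entries.append(cur)
        if m and cur is not None:
            cur.setdefault(m.group(1), []).append(m.group(2))
    return entries

def search_filter(user, groups):
    """The sudoUser filter sudo prints at sudoers_debug 2."""
    parts = [f'(sudoUser={user})'] + [f'(sudoUser=%{g})' for g in groups]
    return '(|' + ''.join(parts) + '(sudoUser=ALL))'

def user_matches(value, user, groups):
    if value.startswith('%'):              # %group; '+netgroup' never matches here
        return value[1:] in groups
    return value == 'ALL' or value == user

def command_matches(values, command):
    """Last matching sudoCommand wins and a leading '!' turns it into a denial;
    a pattern without arguments matches the command with any arguments.
    Returns True/False, or None when no value applied to the command."""
    cmd_path, _, cmd_args = command.strip().partition(' ')
    decision = None
    for v in values:
        pat_path, _, pat_args = v.lstrip('!').strip().partition(' ')
        if pat_path == 'ALL' or (pat_path == cmd_path and pat_args in ('', cmd_args)):
            decision = not v.startswith('!')
    return decision

def check(entries, user, groups, host, command, runas='root'):
    """Return (allowed, sudoOptions): cn=defaults options plus those of granting roles."""
    options, allowed = [], False
    for e in entries:
        if 'sudoRole' not in e.get('objectClass', []):
            continue
        if e.get('cn', [''])[0] == 'defaults':
            options += e.get('sudoOption', [])
            continue
        # sudo 1.6.9 used sudoRunAs, later releases sudoRunAsUser; when neither
        # is present the documented default is runas_default, i.e. root.
        runas_vals = e.get('sudoRunAsUser', []) + e.get('sudoRunAs', []) or ['root']
        if (not any(user_matches(v, user, groups) for v in e.get('sudoUser', []))
                or not any(v in ('ALL', host) for v in e.get('sudoHost', []))
                or not any(v in ('ALL', runas) for v in runas_vals)):
            continue
        decision = command_matches(e.get('sudoCommand', []), command)
        if decision is None:
            continue
        allowed = decision
        if decision:
            options += e.get('sudoOption', [])
    return allowed, options

def failing_stage(debug_log):
    """'authorization' if the trace shows no full role match, 'authentication'
    if a role matched but the password step then failed, otherwise 'ok'."""
    if 'Perfect Matched!' not in debug_log:
        return 'authorization'
    return 'authentication' if 'incorrect password attempt' in debug_log else 'ok'
```

For the trace in the post, failing_stage() returns 'authentication': the role matched ("Perfect Matched!") before the three password prompts, so the LDAP rule lookup itself succeeded and the run stopped in the password check, which points investigation at how sudo verifies the user's password on that host rather than at the sudoRole entries.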