sudo, unix-groups and ldap

Aaron Spangler as at insight.rr.com
Wed Dec 10 00:36:35 EST 2003


Hello Heinz,

I believe having a group listed in both local & LDAP is confusing your
Linux box. (It's like having your account listed both in /etc/passwd and
in LDAP.)

I recommend the following two changes:
1. In LDAP, remove xf01070 from the ldap group 'nobody'.
2. Change the primary group id (GID) of the ldap user xf01070 to be 65534.
   This way you are guaranteed to get the group that you want.  You will
   need to logout & login for Linux to pick up your changes.

Also before running sudo, try running 'id -a' and verifying that you
belong to the groups you believe you belong to.

I hope this helps.

Tschus!

 -Aaron
> Date: Wed, 3 Dec 2003 14:06:01 +0100 (MET)
> From: "Heinz Ahrens" <xf01070 at gmx.de>
> Subject: sudo, unix-groups and ldap
> To: sudo-users at sudo.ws
> Message-ID: <26029.1070456761 at www51.gmx.net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello sudo-users,
>
> I have a problem and I cannot find the answer. I want to use sudo with
> LDAP on SuSE United Linux 1.0:
>
> In my example I have the local group in /etc/group and one via LDAP:
>
> xf01070 at nilix:~> getent group|fgrep nogroup
> nogroup:x:65534:nobody                                        -> local entry
> nogroup:x:65534:xf01070                                       -> remote entry
>
> because of /etc/nsswitch.conf:
>
> group:  files ldap
>
>
> And here is the problem. In /etc/sudoers I want my user xf01070 to get
> access because of the Unix group:
>
> Cmnd_Alias      ID              = /usr/bin/id
>
> %nogroup  ALL=(nobody) NOPASSWD: ID
>
> Because of the sequence "files ldap" and not "ldap files" the user is not in
> the group "%nogroup". But I cannot change the sequence to "ldap files"
> because of problems with booting.
>
>
> Perhaps someone can help me.
>
>   Heinz Ahrens
>   xf01070 at gmx.de
>
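The behaviour Heinz describes and the fix Aaron proposes can be modelled in a few lines. The following is an added example, not code from either poster or from the sudo project: it imitates glibc walking the `group: files ldap` source list (first match wins for a by-name lookup, all sources merged for the supplementary-group list behind `id -a`), and it assumes that a sudoers `%group` rule is tested by resolving the group once with getgrnam() and accepting the user if that is their primary GID or they appear in the member list. The passwd/group data is constructed to mirror the thread; the LDAP user's original primary GID (100) is an assumption, since the post does not give it.

```python
"""Added example (not from the original post): a small model of how glibc
resolves a group under 'group: files ldap' and how a sudoers %group rule is
assumed to test membership. All data below is constructed to mirror the thread."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class Group:
    name: str
    gid: int
    members: List[str] = field(default_factory=list)


@dataclass
class Source:
    """One NSS source: passwd (user -> primary GID) and group tables."""
    passwd: Dict[str, int]
    groups: List[Group]


def getgrnam(name: str, order: Sequence[Source]) -> Optional[Group]:
    """First source that knows the name wins; later duplicates are never seen.
    This mirrors glibc getgrnam() walking the nsswitch.conf source list."""
    for src in order:
        for g in src.groups:
            if g.name == name:
                return g
    return None


def primary_gid(user: str, order: Sequence[Source]) -> Optional[int]:
    """getpwnam()-style lookup of the user's primary GID, first source wins."""
    for src in order:
        if user in src.passwd:
            return src.passwd[user]
    return None


def id_groups(user: str, order: Sequence[Source]) -> List[int]:
    """What 'id -a' would report: initgroups() asks every source for
    supplementary groups and merges them with the primary GID (assumed model)."""
    gids = {g.gid for src in order for g in src.groups if user in g.members}
    pg = primary_gid(user, order)
    if pg is not None:
        gids.add(pg)
    return sorted(gids)


def sudo_group_matches(user: str, groupname: str, order: Sequence[Source]) -> bool:
    """Assumed sudoers %group test: resolve the group once via getgrnam(),
    then accept the user if it is the user's primary GID or a listed member."""
    g = getgrnam(groupname, order)
    if g is None:
        return False
    return primary_gid(user, order) == g.gid or user in g.members


def build_sources(ldap_primary_gid: int = 100):
    """Constructed data modelled on the post; ldap_primary_gid is an assumption
    about the user's original LDAP GID (the post does not state it)."""
    files = Source(passwd={"nobody": 65534},
                   groups=[Group("nogroup", 65534, ["nobody"])])
    ldap = Source(passwd={"xf01070": ldap_primary_gid},
                  groups=[Group("nogroup", 65534, ["xf01070"])])
    return files, ldap


def scenario(nsswitch: str = "files ldap", ldap_primary_gid: int = 100) -> dict:
    """Evaluate one combination of nsswitch order and LDAP primary GID."""
    files, ldap = build_sources(ldap_primary_gid)
    order = [{"files": files, "ldap": ldap}[s] for s in nsswitch.split()]
    return {
        "getgrnam_members": getgrnam("nogroup", order).members,
        "id_groups": id_groups("xf01070", order),
        "sudo_matches": sudo_group_matches("xf01070", "nogroup", order),
    }


if __name__ == "__main__":
    print("files ldap (as posted):        ", scenario())
    print("ldap files:                    ", scenario(nsswitch="ldap files"))
    print("files ldap, primary GID 65534: ", scenario(ldap_primary_gid=65534))
```

Under the model, `files ldap` makes getgrnam("nogroup") return the local entry whose only member is nobody, so the `%nogroup` rule never sees xf01070 even though `id -a` would list GID 65534 (the supplementary-group walk merges the LDAP entry). Reordering to `ldap files` fixes the lookup, and so does Aaron's suggestion of making 65534 the user's primary GID, which is why his `id -a` check is worth running before blaming sudoers.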