sudo, unix-groups and ldap
Aaron Spangler
aaron at spangler.ods.org
Wed Dec 10 21:01:21 EST 2003
Hello Heinz,
I believe having a group listed in both local & LDAP is confusing your
Linux box. (Its like having your account listed both in /etc/passwd and in
LDAP.)
I recommend the following two changes:
1. In LDAP, remove xf01070 from the ldap group 'nobody'.
2. Change the primary group id (GID) of the ldap user xf01070 to be 65534.
This way you are guaranteed to get the group that you want. You will need
to logout & login for Linux to pick up your changes.
Also before running sudo, try running 'id -a' and verifying that you
belong to the groups you believe you belong to.
I hope this helps.
Tschus!
-Aaron
> Message: 1
> Date: Wed, 3 Dec 2003 14:06:01 +0100 (MET)
> From: "Heinz Ahrens" <xf01070 at gmx.de>
> Subject: sudo, unix-groups and ldap
> To: sudo-users at sudo.ws
> Message-ID: <26029.1070456761 at www51.gmx.net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hallo sudo-users,
>
> i have got a problem and i can not get the answer. I want to use sudo with
> ldap on SuSE United Linux 1.0:
>
> In my example i have get the local group in /etc/group and one over ldap:
>
> xf01070 at nilix:~> getent group|fgrep nogroup
> nogroup:x:65534:nobody -> local entry
> nogroup:x:65534:xf01070 -> remote entry
>
> because of /etc/nsswitch.conf:
>
> group: files ldap
>
>
> And here is the problem. In /etc/suders i want that my user xf01070 get
> access because of the unix-group:
>
> Cmnd_Alias ID = /usr/bin/id
>
> %nogroup ALL=(nobody) NOPASSWD: ID
>
>
> Because of the sequence "files ldap" and not "ldap files" the user is not in
> the group "%nogroup". But i can not change the squence to "ldap files"
> because of problems with booting.
>
>
> Perhaps someone can help me
>
> Heinz Ahrens
> xf01070 at gmx.de
>
>
> --
> +++ GMX - die erste Adresse für Mail, Message, More +++
> Neu: Preissenkung für MMS und FreeMMS! http://www.gmx.net
More information about the sudo-users
mailing list