sudo groups in PAM LDAP

Ezsra McDonald Ezsra_McDonald at yahoo.com
Thu Feb 26 16:54:25 EST 2004


I switched the order in my nsswitch.conf file for group to "group: ldap
files". Now it works!! Thanks. Why does the order need to change? Could
it be because there is an empty group 'wheel' in the /etc/group file and
also a group 'wheel' in LDAP? (In my test the sudo user has to be a
member of the group 'wheel'.)

--Ezsra

On Thu, 2004-02-26 at 13:12, Aaron Spangler wrote:
> Ezsra,
> 
> If you don't want your sudoers to be in ldap, then ignore everything in
> README.LDAP.  Just follow the normal sudo docs.
> 
> If you already have unix groups in ldap, then I assume you already have
> this part working before you start using sudo.  Sudo will use whatever
> unix groups you belong to when you run sudo.  If you have nss_ldap mapping
> that back to LDAP, then sudo gets group information from LDAP.  (See also
> Todd's notes at the end)
> 
> Example, let's say that "people" is an LDAP group and joe is a member.
> 
> If you are logged in as joe, type 'id'  (or 'id -a' on some systems)
>   uid=19243(joe) gid=19243(joe) groups=1782(people)
> 
> If you configure sudo to allow commands to the 'people' group, then joe
> can use those sudo commands.
> 
> For more information on nss_ldap take a look at http://www.padl.com.
> 
>  -Aaron
> 
> 
> > In message <1077812541.8300.6.camel at brianv.ink.org>
> > 	so spake Ezsra McDonald (Ezsra_McDonald):
> >
> >> I grabbed 1.6.8 from the CVS last week and compiled it. I read the
> >> README.LDAP file. I really did not want to store my sudoers file in
> >> LDAP. I just want to have sudo use the unix groups I have stored in
> >> LDAP.
> >
> > This sounds like an OS config problem.  Sudo doesn't do anything
> > special to get at group info--it just uses the standard getgrnam()
> > function.  My guess is that your /etc/nsswitch.conf is incorrect,
> > but I don't actually use LDAP so I can't say for sure.
> >
> > If you have something like:
> >     group:          files ldap
> >
> > you might try reversing that order so that ldap is first.
> >
> >  - todd
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
> 