sudo groups in PAM LDAP
Ezsra McDonald
Ezsra_McDonald at yahoo.com
Thu Feb 26 16:54:25 EST 2004
I switched the order in my nsswitch.conf file for group to "group: ldap
files". Now it works!! Thanks. Why does the order need to change? Could
it be because there is an empty group 'wheel' in the /etc/group file and
also a group 'wheel' in LDAP? (In my test the sudo user has to be a
member of the group 'wheel'.)
--Ezsra
On Thu, 2004-02-26 at 13:12, Aaron Spangler wrote:
> Ezsra,
>
> If you don't want your sudoers to be in ldap, then ignore everything in
> README.LDAP. Just follow the normal sudo docs.
>
> If you already have unix groups in ldap, then I assume you already have
> this part working before you start using sudo. Sudo will use whatever
> unix groups you belong to when you run sudo. If you have nss_ldap mapping
> that back to LDAP, then sudo gets group information from LDAP. (See also
> Todd's notes at the end)
>
> Example, let's say that "people" is an LDAP group and joe is a member.
>
> If you are logged in as joe, type 'id' (or 'id -a' on some systems)
> uid=19243(joe) gid=19243(joe) groups=1782(people)
>
> If you configure sudo to allow commands to the 'people' group, then joe
> can use those sudo commands.
>
> For more information on nss_ldap take a look at http://www.padl.com.
>
> -Aaron
>
>
> > In message <1077812541.8300.6.camel at brianv.ink.org>
> > so spake Ezsra McDonald (Ezsra_McDonald):
> >
> >> I grabbed 1.6.8 from the CVS last week and compiled it. I read the
> >> README.LDAP file. I really did not want to store my sudoers file in
> >> LDAP. I just want to have sudo use the unix groups I have stored in
> >> LDAP.
> >
> > This sounds like an OS config problem. Sudo doesn't do anything
> > special to get at group info--it just uses the standard getgrnam()
> > function. My guess is that your /etc/nsswitch.conf is incorrect,
> > but I don't actually use LDAP so I can't say for sure.
> >
> > If you have something like:
> > group: files ldap
> >
> > you might try reversing that order so that ldap is first.
> >
> > - todd
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
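The shadowing Ezsra suspects (an empty local 'wheel' hiding the LDAP 'wheel') follows from NSS first-match lookup, which is all sudo relies on via getgrnam(). The following simulation is an added example, not code from the thread or from sudo; the group data, the user names and the helper names are constructed. It also includes a small audit check for group names defined in more than one source.

```python
# Simulates glibc NSS first-match lookup for the "group" database to show why
# the source order in nsswitch.conf decides which 'wheel' sudo sees.
# Constructed data and helper names; not part of the original mailing-list thread.
from typing import Dict, List, Optional

# Constructed /etc/group contents: 'wheel' exists locally but has no members.
LOCAL_GROUPS: Dict[str, List[str]] = {"root": [], "wheel": []}

# Constructed LDAP posixGroup entries (memberUid values).
LDAP_GROUPS: Dict[str, List[str]] = {"wheel": ["ezsra"], "people": ["joe"]}

SOURCES = {"files": LOCAL_GROUPS, "ldap": LDAP_GROUPS}


def parse_group_line(nsswitch_text: str) -> List[str]:
    """Return the source order for the 'group' database from nsswitch.conf text."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            return line.split(":", 1)[1].split()
    return ["files"]  # glibc default when the database is not listed


def nss_getgrnam(name: str, order: List[str]) -> Optional[List[str]]:
    """First source that knows the group wins (default NSS action is [SUCCESS=return])."""
    for src in order:
        members = SOURCES.get(src, {}).get(name)
        if members is not None:
            return members
    return None


def sudo_would_allow(user: str, sudoers_group: str, nsswitch_text: str) -> bool:
    """Simplified '%group' sudoers check: membership per the first source that answers.
    Real sudo also counts the user's primary gid, which is omitted here."""
    members = nss_getgrnam(sudoers_group, parse_group_line(nsswitch_text))
    return members is not None and user in members


def shadowed_groups(order: List[str]) -> List[str]:
    """Audit helper: group names present in more than one source; the earlier
    source masks the later ones, so their membership is silently ignored."""
    seen: Dict[str, List[str]] = {}
    for src in order:
        for name in SOURCES.get(src, {}):
            seen.setdefault(name, []).append(src)
    return sorted(n for n, srcs in seen.items() if len(srcs) > 1)
```

Modern glibc (2.24 and later) also accepts `group: files [SUCCESS=merge] ldap`, which combines memberships from both sources instead of stopping at the first match; on the 2004 systems in this thread, reordering was the only option.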