[sudo-users] Re: sudo LDAP question
Aaron Spangler
aaron777 at gmail.com
Fri Aug 5 15:12:47 EDT 2005
You are using RFC2307 posixGroups, so this should work.
Let's do some troubleshooting.
Try typing 'id -a' from the unix command line. It should list you as in
the sysadmin group:
groups=14(sysadmin)
If not, then make sure your /etc/nsswitch.conf contains 'group: files ldap'
If Linux is recognizing your groups, try adding 'sudoers_debug 2' to
your /etc/ldap.conf
so we can look at your LDAP queries that are being sent. Please also
include your 'id -a' output as well.
-Aaron
On 8/5/05, Tom Alessi <toma at babycenter.com> wrote:
>
>
> Hi Aaron,
>
> We are currently using sudo-1.6.8p9 (compiled with PAM and LDAP) on RedHat
> Enterprise Linux 4.0 (Intel 64-bit). We are running the OpenLDAP 2.2.13-2
> client (installed from RPM).
>
> We cannot seem to get sudo to work with LDAP groups. It works fine if we
> list individual users in the LDAP directory.
>
> Here is a portion of the ldif:
>
> #####################################################
> dn: ou=groups,dc=example,dc=com
> objectClass: top
> objectClass: organizationalUnit
> description: Groups at Example.com
> ou: groups
>
> dn: cn=group1,ou=groups,dc=example,dc=com
> cn: sysadmin
> objectClass: top
> objectClass: posixGroup
> gidNumber: 14
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
>
> dn: ou=sudoers,dc=example,dc=com
> objectClass: top
> objectClass: organizationalUnit
> description: sudoers entries
> ou: sudoers
>
> dn: cn=defaults,ou=sudoers,dc=example,dc=com
> cn: defaults
> objectClass: top
> objectClass: sudoRole
> description: Default sudoOption's go here
> sudoOption: !insults
>
> dn: cn=role1,ou=sudoers,dc=example,dc=com
> cn: role1
> objectClass: top
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: /bin/bash
> sudoCommand: /bin/ksh
> sudoCommand: /bin/zsh
> #####################################################
>
>
> If, in the above example, I add
> sudoUser: myuserid
> to the role1 cn, then everything works fine.
>
> Are we not able to use LDAP groups? Any help or pointers you could provide
> would be very much appreciated.
>
>
> Thank you,
>
>
> Tom Alessi, MCSE, CISSP
> Network Operations Manager
> Johnson & Johnson, BabyCenter
> 415.344.7534
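The troubleshooting sequence Aaron lays out (does 'id -a' show the group, does nsswitch.conf send group lookups to LDAP, is 'sudoers_debug 2' set so the queries are visible) can be scripted. The block below is an added example, not code from this thread or from the sudo project. Every input it reads is a constructed sample embedded in the script so it runs offline; on a real host the comment at the end shows how to feed it the live 'id -a' output and config files. The sudo_ldap_filter function reproduces the user/%group/ALL search filter as I understand sudo's LDAP backend to build it; treat that as an assumption and compare it with what sudoers_debug actually logs.

```shell
#!/bin/sh
# Added example for the sudo-LDAP group troubleshooting steps above; not from the
# thread or the sudo project. All inputs are constructed samples so it runs offline.

# Constructed 'id -a' output: a user who IS in gid 14 (sysadmin), and one who is not.
ID_WITH_GROUP='uid=1001(user1) gid=1001(user1) groups=1001(user1),14(sysadmin)'
ID_WITHOUT_GROUP='uid=1001(user1) gid=1001(user1) groups=1001(user1)'

# Constructed /etc/nsswitch.conf fragments: group lookups with and without ldap.
NSS_FILES_ONLY='passwd: files ldap
group: files'
NSS_FILES_LDAP='passwd: files ldap
group: files ldap'

# Constructed /etc/ldap.conf fragments, without and with the debug knob.
LDAPCONF_QUIET='base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com'
LDAPCONF_DEBUG="$LDAPCONF_QUIET
sudoers_debug 2"

# id_groups ID_OUTPUT -> prints the group names from the groups= list, one per line.
# The trailing ' context=...' that SELinux hosts append to 'id -a' is dropped first.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/ context=.*//; s/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# id_in_group ID_OUTPUT GROUP -> exit 0 if GROUP appears in the groups= list.
id_in_group() {
    id_groups "$1" | grep -qx "$2"
}

# nss_group_uses_ldap NSSWITCH_TEXT -> exit 0 if the 'group:' line lists ldap.
nss_group_uses_ldap() {
    printf '%s\n' "$1" | awk '
        $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldap_conf_sudoers_debug LDAPCONF_TEXT -> prints the sudoers_debug level, 0 if unset.
ldap_conf_sudoers_debug() {
    printf '%s\n' "$1" | awk '
        $1 == "sudoers_debug" { level = $2 }
        END { print (level == "" ? 0 : level) }'
}

# sudo_ldap_filter ID_OUTPUT -> prints the sudoUser search filter for this user
# (my reading of sudo's user/%group/ALL match; compare with the sudoers_debug log).
sudo_ldap_filter() {
    user=$(printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    filter="(|(sudoUser=$user)"
    for g in $(id_groups "$1"); do
        filter="$filter(sudoUser=%$g)"
    done
    printf '%s\n' "$filter(sudoUser=ALL))"
}

# diagnose ID_OUTPUT NSSWITCH_TEXT LDAPCONF_TEXT GROUP -> one word naming the next step.
diagnose() {
    if ! id_in_group "$1" "$4"; then
        if nss_group_uses_ldap "$2"; then
            echo "check-memberUid"     # NSS does ask LDAP, so the group entry itself is suspect
        else
            echo "fix-nsswitch"        # add 'group: files ldap'
        fi
    elif [ "$(ldap_conf_sudoers_debug "$3")" = "0" ]; then
        echo "add-sudoers_debug"       # set 'sudoers_debug 2' and read the queries sudo sends
    else
        echo "compare-filter"          # groups resolve; check the filter against the debug log
    fi
}

# Walk the constructed cases. On a real host run instead:
#   diagnose "$(id -a)" "$(cat /etc/nsswitch.conf)" "$(cat /etc/ldap.conf)" sysadmin
echo "no group, files-only nsswitch: $(diagnose "$ID_WITHOUT_GROUP" "$NSS_FILES_ONLY" "$LDAPCONF_QUIET" sysadmin)"
echo "no group, nsswitch has ldap:   $(diagnose "$ID_WITHOUT_GROUP" "$NSS_FILES_LDAP" "$LDAPCONF_QUIET" sysadmin)"
echo "group ok, no debug:            $(diagnose "$ID_WITH_GROUP" "$NSS_FILES_LDAP" "$LDAPCONF_QUIET" sysadmin)"
echo "group ok, debug on:            $(diagnose "$ID_WITH_GROUP" "$NSS_FILES_LDAP" "$LDAPCONF_DEBUG" sysadmin)"
echo "filter sudo should send:       $(sudo_ldap_filter "$ID_WITH_GROUP")"
```

The order of checks mirrors the reply: group membership as seen by the OS comes first, because sudo's LDAP backend can only match a '%sysadmin' sudoUser entry against groups the NSS layer already reports for the user; only once 'id -a' shows the group is it worth turning on sudoers_debug and reading the filter.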