[sudo-users] Re: sudo LDAP question

Aaron Spangler aaron777 at gmail.com
Fri Aug 5 15:12:47 EDT 2005


You are using RFC2307 posixGroups, so this should work.

Let's do some troubleshooting.
Try typing 'id -a' from the Unix command line.  It should list you as in
the sysadmin group:
groups=14(sysadmin)

If not, then make sure your /etc/nsswitch.conf contains 'group: files ldap'

If Linux is recognizing your groups, try adding 'sudoers_debug 2' to
your /etc/ldap.conf
so we can look at your LDAP queries that are being sent.  Please also
include your 'id -a' output as well.

 -Aaron


On 8/5/05, Tom Alessi <toma at babycenter.com> wrote:
>  
> 
> Hi Aaron, 
> 
> We are currently using sudo-1.6.8p9 (compiled with PAM and LDAP) on RedHat
> Enterprise Linux 4.0 (Intel 64-bit).  We are running the Openldap2.2.13-2
> client (installed from RPM). 
> 
> We cannot seem to get sudo to work with LDAP groups.  It works fine if we
> list individual users in the LDAP directory. 
> 
> Here is a portion of the ldif: 
> 
> ##################################################### 
> dn: ou=groups,dc=example,dc=com 
> objectClass: top 
> objectClass: organizationalUnit 
> description: Groups at Example.com 
> ou: groups 
> 
> dn: cn=group1,ou=groups,dc=example,dc=com 
> cn: sysadmin 
> objectClass: top 
> objectClass: posixGroup 
> gidNumber: 14 
> memberUid: user1 
> memberUid: user2 
> memberUid: user3 
> memberUid: user4 
> 
> dn: ou=sudoers,dc=example,dc=com 
> objectClass: top 
> objectClass: organizationalUnit 
> description: sudoers entries 
> ou: sudoers 
> 
> dn: cn=defaults,ou=sudoers,dc=example,dc=com 
> cn: defaults 
> objectClass: top 
> objectClass: sudoRole 
> description: Default sudoOption's go here 
> sudoOption: !insults 
> 
> dn: cn=role1,ou=sudoers,dc=example,dc=com 
> cn: role1 
> objectClass: top 
> objectClass: sudoRole 
> sudoUser: %sysadmin 
> sudoHost: ALL 
> sudoCommand: /bin/bash 
> sudoCommand: /bin/ksh 
> sudoCommand: /bin/zsh 
> ##################################################### 
>  
> 
> If, in the above example, I add 
>         sudoUser: myuserid 
> To the role1 cn, then everything works fine. 
> 
> Are we not able to use LDAP groups?  Any help or pointers you could provide
> would be very much appreciated. 
>  
> 
> Thank you, 
>  
> 
> Tom Alessi, MCSE, CISSP 
> Network Operations Manager
>  Johnson & Johnson, BabyCenter
>  415.344.7534
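The troubleshooting steps above hinge on one point: sudo resolves a '%group' in sudoUser through the system group database (NSS), not by searching the directory itself, so the posixGroup only counts once 'ldap' is on the 'group:' line of nsswitch.conf. This added example (not code from the thread or from sudo) models that with a small LDIF parser run over the entries Tom posted; the group-source list stands in for the nsswitch 'group:' line, and the user names come from the posted LDIF.

```python
# Constructed sample: the relevant entries from the posted LDIF.
LDIF = """\
dn: cn=group1,ou=groups,dc=example,dc=com
cn: sysadmin
objectClass: posixGroup
memberUid: user1

dn: cn=role1,ou=sudoers,dc=example,dc=com
cn: role1
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
"""

def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def nss_groups(entries, user, group_sources):
    """Emulate what 'id -a' sees: directory groups only if 'ldap' is a source."""
    if "ldap" not in group_sources:
        return set()
    return {e["cn"][0] for e in entries if "posixGroup" in e["objectClass"]
            and user in e.get("memberUid", [])}

def matching_roles(entries, user, groups):
    """sudoRole entries whose sudoUser is the user, ALL, or a %group of the user."""
    roles = []
    for e in entries:
        if "sudoRole" in e["objectClass"]:
            for spec in e.get("sudoUser", []):
                if spec in ("ALL", user) or (spec[:1] == "%" and spec[1:] in groups):
                    roles.append(e["cn"][0])
                    break
    return roles

def check(user, group_sources):
    """Return (groups 'id -a' would show, sudo roles that match) for the user."""
    entries = parse_ldif(LDIF)
    groups = nss_groups(entries, user, group_sources)
    return sorted(groups), matching_roles(entries, user, groups)
```

With 'group: files ldap' user1 is seen in sysadmin and role1 matches; with 'group: files' alone, the same directory data yields no group and no role, which is the symptom described in the thread.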