[sudo-users] RE: sudo LDAP question

Tom Alessi toma at babycenter.com
Fri Aug 5 16:25:56 EDT 2005


Thanks so much for getting back to me!

I must say I'm a little embarrassed.  After reading your email below, it
dawned on me that perhaps some groups were being duplicated (local and
LDAP) and this is the case.  Group 14 by default is built on linux as
uucp and this is also the LDAP group for %sysadmin in our environment.
We are new to linux so that's why we didn't catch this (we are 100%
Solaris and are migrating).  Sudo was not picking up on %sysadmin
membership because nsswitch is: files ldap.

I have removed the uucp group since it's not needed and now it's working!
This is really excellent work you've done with sudo/ldap, by the way and
much appreciated.

One other question if you have the time.  For the sudoHost: entry in
LDAP, how can we add multiple systems at once like we can in the sudoers
file?  I'm using a nisNetgroupTriple (with only the first variable
filled in) which works great with the ldap enabled sudo, but I'm
wondering if there is an easier way.

Tom Alessi
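The root cause above (a local /etc/group entry and an LDAP posixGroup sharing GID 14 while nsswitch.conf says "group: files ldap", so NSS names the GID "uucp" and sudo never sees "%sysadmin" membership) is easy to check for ahead of time. The script below is an added example for this archive page, not code from the thread or from sudo itself: it parses /etc/group-format text, LDIF posixGroup and sudoRole entries, and the nsswitch "group:" line, then reports which LDAP groups an earlier NSS source would shadow and which sudoRole "%group" rules are therefore dead. The sample inputs are constructed (the LDIF is modelled on the entries quoted in the thread, with an extra "dba" group added as a non-colliding control); the function names are the example's own.

```python
"""Flag LDAP posixGroups shadowed by local /etc/group entries under
nsswitch 'group: files ldap' (the failure mode discussed in the thread)."""
import re

# Constructed sample /etc/group (not from a real host): GID 14 is uucp.
ETC_GROUP = """\
root:x:0:
wheel:x:10:
uucp:x:14:uucp
"""

# Constructed LDIF modelled on the thread's entries, plus a control group.
LDIF = """\
dn: cn=group1,ou=groups,dc=example,dc=com
cn: sysadmin
objectClass: top
objectClass: posixGroup
gidNumber: 14
memberUid: user1
memberUid: user2

dn: cn=dba,ou=groups,dc=example,dc=com
cn: dba
objectClass: top
objectClass: posixGroup
gidNumber: 2001
memberUid: user3

dn: cn=role1,ou=sudoers,dc=example,dc=com
cn: role1
objectClass: top
objectClass: sudoRole
sudoUser: %sysadmin
sudoUser: %dba
sudoHost: ALL
sudoCommand: /bin/bash
"""

NSSWITCH = "group: files ldap\n"


def parse_ldif(text):
    """Return one dict (attribute -> list of values) per blank-line-separated
    entry. Plain 'attr: value' lines only; base64 ('::') values are not needed here."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def parse_etc_group(text):
    """Return {gid: group_name} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        groups[int(gid)] = name
    return groups


def nss_group_order(text):
    """Return the source list for the 'group' database in nsswitch.conf."""
    for line in text.splitlines():
        m = re.match(r"^\s*group:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def shadowed_groups(etc_group_text, ldif_text, nsswitch_text):
    """LDAP posixGroups whose GID 'files' already resolves to another name.
    Returns {ldap_group_name: local_group_name}; empty if ldap is consulted
    before files (or not at all), since then nothing local wins the lookup."""
    order = nss_group_order(nsswitch_text)
    if "files" not in order or "ldap" not in order:
        return {}
    if order.index("files") > order.index("ldap"):
        return {}
    local = parse_etc_group(etc_group_text)
    result = {}
    for entry in parse_ldif(ldif_text):
        if "posixGroup" not in entry.get("objectClass", []):
            continue
        gid, name = int(entry["gidNumber"][0]), entry["cn"][0]
        if gid in local and local[gid] != name:
            result[name] = local[gid]
    return result


def broken_sudo_roles(etc_group_text, ldif_text, nsswitch_text):
    """sudoRole entries with a '%group' sudoUser that can never match because
    NSS will never report that group name. Returns {role_cn: [group, ...]}."""
    shadow = shadowed_groups(etc_group_text, ldif_text, nsswitch_text)
    broken = {}
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        dead = [u[1:] for u in entry.get("sudoUser", [])
                if u.startswith("%") and u[1:] in shadow]
        if dead:
            broken[entry["cn"][0]] = dead
    return broken


if __name__ == "__main__":
    for ldap_name, local_name in shadowed_groups(ETC_GROUP, LDIF, NSSWITCH).items():
        print(f"LDAP group {ldap_name!r} is shadowed by local group {local_name!r}")
    for role, groups in broken_sudo_roles(ETC_GROUP, LDIF, NSSWITCH).items():
        print(f"sudoRole {role!r}: %{', %'.join(groups)} can never match")
```

Running it on the constructed inputs reports that "sysadmin" is shadowed by "uucp" and that role1's "%sysadmin" rule is dead, while "%dba" (GID 2001, no local counterpart) is fine. On a real host the same check runs over the output of `getent group` per source; the mitigation is either to drop or renumber the colliding local group, as done in the thread, or to keep local and directory GID ranges disjoint so the collision cannot recur.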

-----Original Message-----
From: Aaron Spangler [mailto:aaron777 at gmail.com] 
Sent: Friday, August 05, 2005 12:13 PM
To: Tom Alessi
Cc: sudo-users at sudo.ws
Subject: Re: sudo LDAP question

You are using RFC2307 posixGroups, so this should work.

Let's do some troubleshooting.
Try typing 'id -a' from the unix command line.  It should list you as in
the sysadmin group:
groups=14(sysadmin)

If not, then make sure your /etc/nsswitch.conf contains 'group: files
ldap'

If linux is recognizing your groups, try adding 'sudoers_debug 2' to
your /etc/ldap.conf so we can look at your LDAP queries that are being
sent.  Please also include your 'id -a' output as well.

 -Aaron


On 8/5/05, Tom Alessi <toma at babycenter.com> wrote:
>  
> 
> Hi Aaron,
> 
> We are currently using sudo-1.6.8p9 (compiled with PAM and LDAP) on 
> RedHat Enterprise Linux 4.0 (Intel 64-bit).  We are running the 
> Openldap2.2.13-2 client (installed from RPM).
> 
> We cannot seem to get sudo to work with LDAP groups.  It works fine if
> we list individual users in the LDAP directory.
> 
> Here is a portion of the ldif: 
> 
> #####################################################
> dn: ou=groups,dc=example,dc=com
> objectClass: top
> objectClass: organizationalUnit
> description: Groups at Example.com
> ou: groups
> 
> dn: cn=group1,ou=groups,dc=example,dc=com
> cn: sysadmin
> objectClass: top
> objectClass: posixGroup
> gidNumber: 14
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> 
> dn: ou=sudoers,dc=example,dc=com
> objectClass: top
> objectClass: organizationalUnit
> description: sudoers entries
> ou: sudoers
> 
> dn: cn=defaults,ou=sudoers,dc=example,dc=com
> cn: defaults
> objectClass: top
> objectClass: sudoRole
> description: Default sudoOption's go here
> sudoOption: !insults
> 
> dn: cn=role1,ou=sudoers,dc=example,dc=com
> cn: role1
> objectClass: top
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: /bin/bash
> sudoCommand: /bin/ksh
> sudoCommand: /bin/zsh
> #####################################################
>  
> 
> If, in the above example, I add 
>         sudoUser: myuserid
> To the role1 cn, then everything works fine. 
> 
> Are we not able to use LDAP groups?  Any help or pointers you could 
> provide would be very much appreciated.
>  
> 
> Thank you,
>  
> 
> Tom Alessi, MCSE, CISSP
> Network Operations Manager
>  Johnson & Johnson, BabyCenter
>  415.344.7534
