[sudo-users] Re: Sudo and LDAP

Aaron Spangler aaron777 at gmail.com
Wed Aug 24 09:29:09 EDT 2005

Hi Jay,

Sudo uses LDAP for two purposes:
1) Authentication (is the password that you typed the correct password?)
2) Sudo Roles (the equivalent of stuffing /etc/sudoers into a container in LDAP)

The two purposes are not related.  So let's deal with them one at a time.

1) Authentication.
It turns out that for authentication Sudo does not talk with ldap
directly.  Rather it uses PAM.  PAM then talks with LDAP via pam_ldap.
So sudo -V is supposed to say 'pam'.  Also your /etc/pam.d/sudo file
points to pam_ldap.  Pam_ldap reads /etc/ldap.conf to locate your ldap

  $ sudo -V|head
  Sudo version 1.6.8p9
  Authentication methods: 'pam'

So if Sudo accepts your password as it is in LDAP, then this part is
working.  If not, review your settings in /etc/ldap.conf.  Pam_ldap is
a component found in http://www.padl.com
Strictly speaking pam_ldap is supported by its own mailing list, so if
you can't get this part working I recommend checking out the padl.com
website and subscribing to the mailing list there.

2) Sudo Roles.
This is the part where Sudo talks with the LDAP server directly.  Note
that this is optional.  Many folks are happy with storing all the sudo
information in /etc/sudoers.  But if you want to do it, use the
sudoers2ldif script to create an LDIF file that can be imported into
your LDAP server.  Note that sudo also reads /etc/ldap.conf to locate
your ldap server.

If you do a 'sudo -l' and it returns roles listed from LDAP, then this
part is working.

By default sudo looks for roles in LDAP first and if it does not find
a match it then checks /etc/sudoers.  If you want to turn off
/etc/sudoers altogether, add this attribute to your object (named
cn=defaults) in the sudoers container.

cn=defaults, ou=sudoers, ou=xxx,  ...
sudoOption: ignore_local_sudoers

The ignore_local_sudoers option tells sudo to not look for an
/etc/sudoers file at all.

I hope this information helps.  Please let me know if I can provide more.


On 8/24/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> hello,
> I have an ldap server (tls) and would like to bring
> sudo to work with it. that means, sudo would no longer
> look in /etc/sudoers, but in my ldap server.
> Now I have followed the instructions on
> http://www.sudo.ws/sudo/readme_ldap.html, but to no
> avail.. although the command sudo -V|head tells me that
> sudo is using pam to authenticate:
> ******************
> # sudo -V|head
> Sudo version 1.6.8p9
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging:
> local2
> Syslog priority to use when user authenticates
> successfully: notice
> Syslog priority to use when user authenticates
> unsuccessfully: alert
> Send mail if the user is not in sudoers
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> ********************
> my /etc/pam.d/sudo looks like this:
> auth    required       pam_ldap.so
> account    required     pam_ldap.so
> password   required     pam_ldap.so
> session    required     pam_ldap.so
> my ldap server is working, it's the sudo that is
> causing all the problems, since if I remove the
> /etc/sudoers file, it complains...
> any ideas???
> thanks,
> Jay Ar
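The LDAP side of the reply above has two pieces: the sudoRole entries that sudoers2ldif generates from /etc/sudoers, and the cn=defaults object whose sudoOption values (such as ignore_local_sudoers) replace the Defaults lines.  The following is an added example, not from the original thread and not sudo's own sudoers2ldif script: a small Python converter that reads a constructed sudoers policy and emits the equivalent LDIF.  It assumes the sudoers base DN ou=SUDOers,dc=example,dc=com (the same value you would put in /etc/ldap.conf as sudoers_base) and takes the run-as attribute name as a parameter, because the schema changed over time (sudoRunAs in the 1.6.x-era schema used in this thread, sudoRunAsUser in later schemas).  Aliases are expanded into the roles that use them, since LDAP sudoers has no alias objects.

```python
"""Added example: a minimal sudoers -> LDIF converter in the spirit of
sudoers2ldif.  Not sudo's own script.  It handles only the common subset:
plain Defaults lines, User_/Cmnd_/Host_/Runas_Alias definitions, and
one-line user specifications.  Everything below is constructed sample data."""
import re

# Constructed sample policy; not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
# comments are ignored
Defaults    env_reset, ignore_local_sudoers
User_Alias  ADMINS = alice, bob
Cmnd_Alias  SERVICES = /sbin/service, /usr/bin/systemctl
Host_Alias  WEB = www1, www2
root        ALL = (ALL) ALL
ADMINS      ALL = (root) NOPASSWD: SERVICES
%wheel      WEB = (ALL) /usr/bin/apt-get, /bin/rpm
"""

_DEFAULTS = re.compile(r"^Defaults\s+(.+)$")
_ALIAS = re.compile(r"^(?:User|Cmnd|Host|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host[,host]  =  [(runas)] [NOPASSWD:|PASSWD:] cmd[,cmd]
_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NO)?PASSWD:\s*)?"
    r"(?P<cmds>.+)$"
)


def _split(field):
    """Split a comma-separated sudoers list into stripped items."""
    return [f.strip() for f in field.split(",") if f.strip()]


def parse_sudoers(text):
    """Return (defaults, roles).  defaults is the list of Defaults options;
    roles is a list of dicts with alias names already expanded."""
    defaults, aliases, roles = [], {}, []

    def expand(items):
        return [x for item in items for x in aliases.get(item, [item])]

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _DEFAULTS.match(line)
        if m:
            defaults.extend(_split(m.group(1)))
            continue
        m = _ALIAS.match(line)
        if m:
            aliases[m.group(1)] = _split(m.group(2))
            continue
        m = _SPEC.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % line)
        roles.append({
            "cn": m.group("user"),
            "users": expand([m.group("user")]),
            "hosts": expand(_split(m.group("hosts"))),
            "runas": expand(_split(m.group("runas") or "")),
            "commands": expand(_split(m.group("cmds"))),
            "nopasswd": (m.group("tag") or "").startswith("NOPASSWD"),
        })
    return defaults, roles


def _entry(dn, attrs):
    """Render one sudoRole entry; attrs is a list of (name, values)."""
    lines = ["dn: " + dn, "objectClass: top", "objectClass: sudoRole"]
    for name, values in attrs:
        for value in values:
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines) + "\n"


def sudoers_to_ldif(text, sudoers_base, runas_attr="sudoRunAsUser"):
    """Render the policy as LDIF under sudoers_base.  runas_attr is
    'sudoRunAs' for the 1.6.x-era schema, 'sudoRunAsUser' for later ones."""
    defaults, roles = parse_sudoers(text)
    ou_value = sudoers_base.split(",", 1)[0].split("=", 1)[1]
    out = ["dn: %s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n"
           % (sudoers_base, ou_value)]
    # Defaults lines become sudoOption values on the cn=defaults object.
    out.append(_entry("cn=defaults," + sudoers_base,
                      [("cn", ["defaults"]), ("sudoOption", defaults)]))
    for role in roles:
        attrs = [("cn", [role["cn"]]),
                 ("sudoUser", role["users"]),
                 ("sudoHost", role["hosts"]),
                 (runas_attr, role["runas"]),
                 ("sudoCommand", role["commands"])]
        if role["nopasswd"]:  # NOPASSWD: tag -> per-role sudoOption
            attrs.append(("sudoOption", ["!authenticate"]))
        out.append(_entry("cn=%s,%s" % (role["cn"], sudoers_base), attrs))
    return "\n".join(out)


if __name__ == "__main__":
    print(sudoers_to_ldif(SAMPLE_SUDOERS, "ou=SUDOers,dc=example,dc=com"))
```

Feed the output to ldapadd against a directory that already has the sudoers schema loaded, set sudoers_base in /etc/ldap.conf to the same DN, and then check with 'sudo -l' as the reply suggests: the roles should be listed from LDAP before ignore_local_sudoers is allowed to take /etc/sudoers out of the picture.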
