[sudo-users] Fwd: Sudo and LDAP

Aaron Spangler aaron777 at gmail.com
Wed Aug 24 13:00:04 EDT 2005


---------- Forwarded message ----------
From: Aaron Spangler <aaron777 at gmail.com>
Date: Aug 24, 2005 12:59 PM
Subject: Re: Sudo and LDAP
To: Jay Ar <jayarftrd at yahoo.fr>


Sounds like Sudo is reading a different ldap.conf.
Try running strings on your sudo binary to find where the configuration file is.

# strings < /usr/bin/sudo | grep ldap | grep /

If you don't get anything related to ldap, then your version of sudo
was not compiled --with-ldap.

Try recompiling sudo --with-ldap --with-pam if this is the case.

The default sudo ldap configuration file is /etc/ldap.conf.

Hope this helps.

- Aaron


On 8/24/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> Hello Aaron,
>
> Thanks for your quick reply!
> Actually, you helped me at least know that the
> authentication part is working just fine on my
> machines.
>
> Nevertheless, I still have problems replacing
> /etc/sudoers with LDAP. sudo -l returns only the
> entries from the local /etc/sudoers.
> Actually, I used the sudoers2ldif script to create an
> LDIF file that I imported into my LDAP server.
>
> In my /etc/ldap/ldap.conf (I'm on Debian, it's the
> equivalent of /etc/ldap.conf), I have these entries:
>
> ***ldap.conf************
> URI     ldap://my_ldap_server/
> sudoers_base    ou=SUDOers,dc=my,dc=base,dc=blablabla
> sudoers_debug 1
> ************************
>
> my /etc/pam.d/sudo looks like this:
>
> *********sudo**********
> auth    sufficient       pam_ldap.so
> account    sufficient     pam_ldap.so
> password   sufficient     pam_ldap.so
> session    sufficient     pam_ldap.so
> **********************
>
> Any idea as to why this could be happening? I mean,
> authentication works fine, why shouldn't the sudo
> roles issue too?
> If I get this to work, I will be happy to provide you
> with the appropriate Debian package.
>
> Jay
>
>
> --- Aaron Spangler <aaron777 at gmail.com> wrote:
>
> > Hi Jay,
> >
> > Sudo uses LDAP for two purposes:
> > 1) Authentication (is the password that you typed
> > the correct password?)
> > 2) Sudo Roles (the equivalent of stuffing
> > /etc/sudoers into a container in LDAP)
> >
> > The two purposes are not related.  So let's deal with
> > them one at a time.
> >
> > 1) Authentication.
> > It turns out that for authentication Sudo does not
> > talk with ldap
> > directly.  Rather it uses PAM.  PAM then talks with
> > LDAP via pam_ldap.
> > So sudo -V is supposed to say 'pam'.  Also your
> > /etc/pam.d/sudo file
> > points to pam_ldap.  Pam_ldap reads /etc/ldap.conf
> > to locate your ldap
> > server.
> >
> >   $ sudo -V|head
> >   Sudo version 1.6.8p9
> >   Authentication methods: 'pam'
> >
> > So if Sudo accepts your password as it is in LDAP,
> > then this part is
> > working.  If not, review your settings in
> > /etc/ldap.conf.  Pam_ldap is
> > a component found at http://www.padl.com.
> > Strictly speaking pam_ldap is supported by its own
> > mailing list, so if
> > you can't get this part working I recommend checking
> > out the padl.com
> > website and subscribing to the mailing list there.
> >
> > 2) Sudo Roles.
> > This is the part where Sudo talks with the LDAP
> > server directly.  Note
> > that this is optional.  Many folks are happy with
> > storing all the sudo
> > information in /etc/sudoers.  But if you want to do
> > it, use the
> > sudoers2ldif script to create an LDIF file that can
> > be imported into
> > your LDAP server.  Note that sudo also reads
> > /etc/ldap.conf to locate
> > your ldap server.
> >
> > If you do a 'sudo -l' and it returns roles listed
> > from LDAP, then this
> > part is working.
> >
> > By default sudo looks for roles in LDAP first and if
> > it does not find
> > a match it then checks /etc/sudoers.  If you want to
> > turn off
> > /etc/sudoers altogether, add this attribute to
> > your object (named
> > cn=defaults) in the sudoers container.
> >
> > cn=defaults, ou=sudoers, ou=xxx,  ...
> > ...
> > sudoOption: ignore_local_sudoers
> >
> > The ignore_local_sudoers option tells sudo to not
> > look for an
> > /etc/sudoers file at all.
> >
> >
> > I hope this information helps.  Please let me know
> > if I can provide more.
> >
> >  -Aaron
> >
> > On 8/24/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> > > Hello,
> > >
> > > I have an ldap server (tls) and would like to bring
> > > sudo to work with it. That means, sudo would no longer
> > > look in /etc/sudoers, but in my ldap server.
> > > Now I have followed the instructions on
> > > http://www.sudo.ws/sudo/readme_ldap.html, but to no
> > > avail, although the command sudo -V|head tells me that
> > > sudo is using pam to authenticate:
> > > ******************
> > > # sudo -V|head
> > >
> > > Sudo version 1.6.8p9
> > >
> > > Authentication methods: 'pam'
> > > Syslog facility if syslog is being used for logging: local2
> > > Syslog priority to use when user authenticates successfully: notice
> > > Syslog priority to use when user authenticates unsuccessfully: alert
> > > Send mail if the user is not in sudoers
> > > Lecture user the first time they run sudo
> > > Require users to authenticate by default
> > > Root may run sudo
> > > ********************
> > >
> > > my /etc/pam.d/sudo looks like this:
> > >
> > > auth    required       pam_ldap.so
> > > account    required     pam_ldap.so
> > > password   required     pam_ldap.so
> > > session    required     pam_ldap.so
> > >
> > > my ldap server is working, it's the sudo that is
> > > causing all the problems, since if I remove the
> > > /etc/sudoers file, it complains...
> > >
> > > any ideas???
> > >
> > > thanks,
> > > Jay Ar

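The lookup order Aaron describes (LDAP roles first, the local /etc/sudoers only as a fallback, and not at all once cn=defaults carries ignore_local_sudoers), modelled as an added example that is not part of this thread or of sudo itself. The LDIF, the user and host names and the local grants are constructed; the sudoUser, sudoHost and sudoCommand attribute names are sudo's LDAP schema names, which the thread does not show.

```python
# Added model (not sudo's own code) of the lookup order described in the thread:
# LDAP roles first, then /etc/sudoers unless cn=defaults sets ignore_local_sudoers.
# Simplified matching: exact user/host or ALL (no groups, netgroups, negation). Constructed sample LDIF below.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers

dn: cn=dbadmins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: dbadmins
sudoUser: jay
sudoHost: db01
sudoCommand: /usr/sbin/service postgresql restart
"""
LOCAL_SUDOERS = {"alice": ["/usr/bin/apt-get"]}  # constructed stand-in for local /etc/sudoers grants

def parse_ldif(text):
    # Blank lines separate entries; each entry maps attribute -> list of values.
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur: entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def ldap_commands(entries, user, host):
    # Commands granted to user@host by sudoRole entries other than cn=defaults.
    cmds = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []) or e.get("cn") == ["defaults"]:
            continue
        users, hosts = e.get("sudoUser", []), e.get("sudoHost", [])
        if (user in users or "ALL" in users) and (host in hosts or "ALL" in hosts):
            cmds.extend(e.get("sudoCommand", []))
    return cmds

def resolve(ldif_text, user, host, local=LOCAL_SUDOERS):
    # Returns (source, commands): 'ldap', 'local', or 'none' when the local file is skipped.
    entries = parse_ldif(ldif_text)
    cmds = ldap_commands(entries, user, host)
    if cmds:
        return "ldap", cmds
    defaults = [e for e in entries if e.get("cn") == ["defaults"]]
    if any("ignore_local_sudoers" in e.get("sudoOption", []) for e in defaults):
        return "none", []  # /etc/sudoers is never consulted
    return "local", local.get(user, [])
```

Running resolve for a user who exists only in the local file shows the operational effect of ignore_local_sudoers: that user loses all sudo rights, so compare sudo -l output for such accounts before adding the option to cn=defaults.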