[sudo-users] store sudo config in LDAP with NDS 6.1 on HPUX 11i

Aaron Spangler aaron777 at gmail.com
Fri Jun 3 09:43:34 EDT 2005

Don't worry about HP-UX not using /etc/ldap.conf.  Solaris & AIX don't
either.  You should be able to create an /etc/ldap.conf.  The
README.LDAP file should contain an example of  what goes in there. 
Mimally you should define 'host' which points to your LDAP server.  If
you are using a different port rather than 389, override the port
using the 'port' option.  When using the Netscape API, do not specify
the 'uri' option.  If you don't allow anonymous binds or you have
restricted read access on the sudoers container, you will need to
specify the 'binddn' and 'bindpw' options.

Also you MUST specify the sudoers_base option with the contain that
holds your sudoers information.

When it comes time to put the information into your ldap server you
will need to first exend your schema using the sudoers schema (see the
README.LDAP).  Second you will need to actually put the data in.  (You
can use the sudoers2ldif program to give you example data.  It does
not work perfectly yet).

I hope all this information helps.  Please let us know if you need more.


On 6/2/05, Mark Benschop <mark at mbfk.net> wrote:
> Hi All,
> I'm running a HPUX 11i server with Netscape Directory Server 6.1 and
> the following HPUX client software :
> 4269AA   B.03.10  LDAP-UX Integration
> This contains all the PAM and NSS modules and ldapclient to connect to an
> LDAPserver.
> I've compiled sudo 1.6.8p8 with pam and ldap support.
> (I've attached the compilation options below in the email.)
> It's all running fine, i can run sudo as a user that's stored in LDAP and
> everything.
> What I want to do next is store sudo's configuration in LDAP.
> I'm using NetscapeDirectoryServer 6.1 also supplied by HP by the way.
> I successfully loaded the 'Iplanet'sudo-schema that comes with the sudo
> sources.
> Now in the README.LDAP it says that I have to add :
> sudoers_base   ou=SUDOers,dc=example,dc=com
> to the /etc/ldap.conf file.
> The thing is there's no /etc/ldap.conf file on my system.
> Apparently the LDAPUX software doesn't use one.
> Does anyone know where the sudoers_base line must be put on my HPUX 11i
> system ?
> Thanks for your answer,
> Mark
> Compilation :
> ==============
> ./configure --with-pam \
> --with-ldap=/opt/ldapux/source/mozilla/directory/c-sdk/ldap
> in order for it to compile properly I had to adapt the Makefile as follows :
> SUDO_LIBS =  -lsec -lpam -ldap  $(LIBS) $(NET_LIBS)
> changed to
> SUDO_LIBS =  -lsec -lpam -lldapssl30  $(LIBS) $(NET_LIBS)
> This since the 'LDAPUX software' that comes with HPUX 11i and contains the
> neccesary PAM and NSS modules and some lib's and binaries has no library
> named 'libldap' but it's named libldapssl30.
> After I linked the following
> ln -s /opt/ldapux/lib/libssl30.sl /usr/lib/libssl30.sl
> I could compile as follows :
> gmake LDFLAGS="-L/opt/ldapux/lib"
> and did a gmake install.
> this resulted in a properly working sudo, where I can run sudo as a user
> that exists in LDAP using /etc/sudoers.
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list