Fwd: [sudo-users] sudo & LDAP (not working)

Aaron Spangler aaron777 at gmail.com
Wed Mar 9 21:37:59 EST 2005


The RunAs user did not match.  By default Sudo allows non-root users
to run stuff as root.  If you want root to run as a user other than
root, add 'sudoRunAs: chris'  or  'sudoRunAs: ALL' to the role
cn=root,ou=Sudoers,o=TSYS,c=US.

Hope this helps.
 -Aaron


On Tue, 08 Mar 2005 17:18:01 -0500, Chris Martino
<Chris.Martino at tsysprepaid.com> wrote:
> Hello,
>
> I'm trying to get sudoers into LDAP and I'm mostly there.  Everything has
> been ported across and /etc/ldap.conf setup but testing it with a simple
> 'sudo -u user ls' fails.  Here's my output:
>
> server:/home/chris # sudo -u chris ls
> LDAP Config Summary
> ===================
> host         127.0.0.1
> port         389
> ldap_version 3
> sudoers_base ou=Sudoers,o=TSYS,c=US
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          on
> ===================
> ldap_init(127.0.0.1,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=Sudoers,o=TSYS,c=US
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%wheel)(sudoUser=%wheel)(sudoUser=%priv)(sudoUser=%pkcs11)(sudoUser=%pkcs11)(sudoUser=%perldb2)(sudoUser=ALL))'
> found:cn=root,ou=Sudoers,o=TSYS,c=US
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> Sorry, user root is not allowed to execute '/bin/ls' as chris on server.
>
> Any ideas what's going on here?  Here's what my LDAP schema looks like for
> the sudoers OU:
>
> # Sudoers, TSYS, US
> dn: ou=Sudoers,o=TSYS,c=US
> ou: Sudoers
> objectClass: top
> objectClass: organizationalUnit
>
> # defaults, Sudoers, TSYS, US
> dn: cn=defaults,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: ignore_local_sudoers
>
> # root, Sudoers, TSYS, US
> dn: cn=root,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoHost: ALL
> sudoCommand: ALL
>
> # %users, Sudoers, TSYS, US
> dn: cn=%users,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: %users
> sudoUser: %users
> sudoHost: ALL
> sudoCommand: ALL
>
> Any help is greatly appreciated!
>
> Thanks,
> Chris
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
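The change Aaron describes, written out as an LDIF modify operation for `ldapmodify`. This is an added example, not part of the original thread; the admin bind DN and the file name are assumptions, while the entry DN and attribute come from the messages above.

```ldif
# Added example: let the cn=root sudoRole run commands as the user "chris",
# the RunAs target that produced "user_matches=-1" in the debug output.
# Apply against the directory from the thread with something like:
#   ldapmodify -x -H ldap://127.0.0.1:389 -D "<admin bind DN>" -W -f root-runas.ldif
# (bind DN and file name are placeholders; adjust to your directory)
dn: cn=root,ou=Sudoers,o=TSYS,c=US
changetype: modify
add: sudoRunAs
sudoRunAs: chris
```

Naming a specific RunAs user keeps the role narrower than `sudoRunAs: ALL`, and `sudo -l` run as root afterwards should list the command as `(chris) ALL`. Note that sudo 1.7 and later use the attribute `sudoRunAsUser` in place of the older `sudoRunAs` shown here.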