[sudo-users] Ldap Groups - Resolution

David Blackburn hxor666 at gmail.com
Wed May 4 07:59:20 EDT 2005


Hi

Thanks for your help. I have resolved the issue now; I had not set up
nsswitch and the correct groups.

To resolve this I created a nisGroup within an ou within the basedn.  I
also changed the nsswitch.conf to look up on ldap for netgroup, passwd
and shadow.

I also added + at netgroup to /etc/passwd and /etc/shadow

Thanks
Dave

On 5/4/05, David Blackburn <hxor666 at gmail.com> wrote:
> Thanks for all your help. I have gone over your instructions but am
> still having problems: I created a posixGroup, netgroups and a sudoRole
> with just a group of users.
> 
> Unless the user is in the sudoers schema I don't get any joy. Huibert,
> your info was very helpful, but at the end it's a little unclear how
> sudo finds the actual user to verify on.
> 
> i.e. does the nsswitch have to be configured to retrieve the user from
> the group, or how do I put a link in from the sudoRole statement to
> point to the group that sudo will then pick up on?
> 
> All the methods I have tried so far never get a user match unless the
> user is in the sudoRole statement.
> 
> found:cn=defaults,ou=sudoers,dc=blah,dc=net
> ldap search '(|(sudoUser=blackburnd)(sudoUser=%blackburnd)(sudoUser=%blackburnd)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> user_matches=0
> host_matches=0
> 
> 
> On 4/28/05, Huibert.Kivits at mail.ing.nl <Huibert.Kivits at mail.ing.nl> wrote:
> > Yes, indeed.
> >
> > Dave created an entry for a group in LDAP, under which he added subentries for users.
> > However, users should not be added as a subentry to the group. You should do something like the following:
> > - select the group you want to add a user to.
> > - add a new attribute to this group, i.e. the attribute "memberUid"
> > - you now have to enter a value for this attribute. Enter the username. The common name "johndoe" is sufficient. There is no need to enter the distinguished name (dn=johndoe,ou=... Etcetera).
> > - you can add multiple users to a group by adding the memberUid-attribute multiple times.
> > - This way, you can authorize a group for the sudo, instead of individual users.
> >
> > Managing SUDO-authorizations from within LDAP does not require that users exist in LDAP. This applies both to the user under which the sudo runs (the value of the sudoRunas-attribute) and to the userids that use SUDO. It is perfectly possible for a local user to use SUDO-authorizations that are managed via LDAP.
> >
> > With kind regards,
> >
> > Huibert Kivits
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Aaron Spangler
> > Sent: Wednesday, 27 April 2005 18:10
> > To: David Blackburn
> > CC: sudo-users at sudo.ws
> > Subject: Re: [sudo-users] Ldap Groups
> >
> >
> > The sudoUser attribute has syntax similar to the RFC2307 attributes.  It does not use the full LDAP Distinguished Name.
> >
> > Use the short username in the sudoUser attribute:
> >
> > sudoUser: unixuser1
> > -or-
> > sudoUser: %unixgroup1
> > -or-
> > sudoUser: +netgroup1
> >
> > The unixuser1, unixgroup1, or netgroup1 should be available from the server's perspective and do not necessarily need to exist in LDAP.  If they do exist in LDAP, then they should follow RFC2307 syntax.
> >
> > On 4/25/05, David Blackburn <hxor666 at gmail.com> wrote:
> > > Hi
> > >
> > > I have LDAP sudo auth working, but I need to set up the sudoUsers into
> > > groups. I have used the posix users schema and point sudoUser to the
> > > below.
> > >
> > > sudoUser points to
> > > cn=memberUid,ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net
> > >
> > > Where memberUid is the id of the users I want to use.  If I remove the
> > > above and  put my user ID in this works.
> > >
> > > Please note I am quite new with ldap and may be missing something quite
> > > basic.
> > >
> > > Thanks
> > > Dave
> > >
> > > ____________________________________________________________
> > > sudo-users mailing list <sudo-users at sudo.ws>
> > > For list information, options, or to unsubscribe, visit:
> > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > >
> >
> >
> >
>
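The thread turns on what sudo's LDAP backend actually puts in the first-pass query that Dave pasted (`(|(sudoUser=...)(sudoUser=%...)(sudoUser=ALL))`): the user name, one `%group` term for every group the NSS group database returns for that user, and `ALL`; netgroup entries are fetched separately with `sudoUser=+*` and checked on the client. The Python below is an added example, not code from the sudo project or from anyone in this thread. It models that matching against a constructed LDIF snippet (posixGroup `admins` with memberUid entries, nisNetgroup `ops`, and sudoRole `admin-role` under the thread's `dc=blah,dc=net`) and a hypothetical local /etc/group view, so it can show why a group that lives only in LDAP never produces a user match until nsswitch.conf consults ldap for the group database.

```python
"""Model of sudo's LDAP sudoUser matching (added example, not sudo's own code).

Assumptions, all constructed for illustration: the LDIF below, the local
/etc/group contents in LOCAL_GROUPS, and the user names blackburnd/johndoe.
"""
import re

# Constructed directory content: an RFC 2307 group, a NIS netgroup, a sudoRole.
SAMPLE_LDIF = """
dn: cn=admins,ou=Group,dc=blah,dc=net
objectClass: posixGroup
cn: admins
gidNumber: 5000
memberUid: blackburnd
memberUid: johndoe

dn: cn=ops,ou=Netgroup,dc=blah,dc=net
objectClass: nisNetgroup
cn: ops
nisNetgroupTriple: (,johndoe,)

dn: cn=admin-role,ou=sudoers,dc=blah,dc=net
objectClass: sudoRole
cn: admin-role
sudoUser: %admins
sudoUser: +ops
sudoHost: ALL
sudoCommand: ALL
"""

# Constructed /etc/group view: only user-private groups exist locally.
LOCAL_GROUPS = {"blackburnd": ["blackburnd"], "johndoe": ["johndoe"]}


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def nss_groups(user, entries, use_ldap):
    """Model the NSS group database: files only, or files plus ldap."""
    groups = list(LOCAL_GROUPS.get(user, []))
    if use_ldap:
        for e in entries:
            if "posixGroup" in e.get("objectClass", []) and user in e.get("memberUid", []):
                groups.append(e["cn"][0])
    return groups


def nss_netgroups(user, entries, use_ldap):
    """Model innetgr(): netgroups whose (host,user,domain) triples cover the user."""
    if not use_ldap:
        return []
    names = []
    for e in entries:
        if "nisNetgroup" in e.get("objectClass", []):
            for triple in e.get("nisNetgroupTriple", []):
                _host, member, _domain = triple.strip("()").split(",")
                if member in ("", user):  # empty field is a wildcard
                    names.append(e["cn"][0])
    return names


def build_pass1_filter(user, groups):
    """The first-pass filter sudo sends: the user, %each-group, then ALL."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def user_matches(user, entries, use_ldap):
    """Return the cn of every sudoRole whose sudoUser covers this user."""
    groups = nss_groups(user, entries, use_ldap)
    netgroups = nss_netgroups(user, entries, use_ldap)
    pass1 = {user, "ALL"} | {f"%{g}" for g in groups}
    matched = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        values = e.get("sudoUser", [])
        hit = any(v in pass1 for v in values)  # server-side exact match
        # second pass: sudo fetches sudoUser=+* and tests netgroups client-side
        hit = hit or any(v[1:] in netgroups for v in values if v.startswith("+"))
        if hit:
            matched.append(e["cn"][0])
    return matched


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for use_ldap in (False, True):
        groups = nss_groups("blackburnd", entries, use_ldap)
        print("group db via ldap:", use_ldap)
        print("  filter:", build_pass1_filter("blackburnd", groups))
        print("  roles :", user_matches("blackburnd", entries, use_ldap))
```

With the group database limited to files, the filter contains only `%blackburnd` and nothing matches `%admins`, which is the `user_matches=0` shape seen in the pasted debug output; once the group lookup includes ldap, the `memberUid` entries surface as `%admins` in the filter and the role matches. The netgroup path works the same way through the separate `+` pass.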



