[sudo-users] Sudo not referencing an LDAP group
Jesse Harmon
jesse.harmon at dillards.com
Wed Apr 12 16:07:49 EDT 2006
My current environment:
AIX 5.3
Tivoli Directory Server 6.0
sudo-1.6.7p5 --> /etc/sudoers
**This version of sudo is from the IBM AIX toolkit website
lsuser -R files USER1
3004-687 User "USER1" does not exist.
lsuser -R LDAP USER1
pgrp=staff groups=staff,wasgrp,dillards,rssgrp
lsgroup -R files staff
users=ipsec,sshd,wcsdb2,ldap,daemon
lsgroup -R files dillards
users=www
lsgroup -R files rssgrp
3004-686 Group "rssgrp" does not exist.
Here is my group layout:

LOCAL       LDAP
staff       staff
dillards    dillards
            rssgrp
In /etc/sudoers I have an entry as follows:
%?????? ALL=(ALL) NOPASSWD: COPYPLUGIN
I "su" into USER1 and execute the following command in 3 different
setups:
1) %dillards ALL=(ALL) NOPASSWD: COPYPLUGIN
--+ sudo -l asks for passwd
2) %staff ALL=(ALL) NOPASSWD: COPYPLUGIN
--+ sudo -l lists correctly
3) %rssgrp ALL=(ALL) NOPASSWD: COPYPLUGIN
--+ sudo -l lists correctly
What I can tell is that when a group exists both in /etc/group and in
LDAP this group must be the user's primary group in order for sudo to
list correctly. Note! The user only exists in the LDAP group and not in
the local group. If the group only exists in LDAP the group can be
either the user's primary or secondary group and sudo will list
correctly. I am unable to remove the local "dillards" group. Is there
any way to configure sudo to work in this environment without removing
the local representation of the "group"?
Thanks,
--
Jesse Harmon
Unix Administrator
1600 Cantrell Road
Little Rock, AR 72201
(501) 379-5715
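The behaviour described above can be reproduced with a small simulation. This is an added example, not code from the post or from sudo; it assumes that the group resolver returns the first registry that knows a name (files before LDAP) and that sudo 1.6-style "%group" matching looks up the group by name, compares the user's primary gid, then scans the member list. The registries below are constructed to mirror the post's lsuser/lsgroup output.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

class Group(NamedTuple):
    name: str
    gid: int
    members: List[str]

class User(NamedTuple):
    name: str
    gid: int  # primary group id (pgrp)

# Constructed registries, modelled on the post: the user is a member of
# the LDAP groups only; the local "dillards" group lists only "www".
FILES_GROUPS: Dict[str, Group] = {
    "staff": Group("staff", 1, ["ipsec", "sshd", "wcsdb2", "ldap", "daemon"]),
    "dillards": Group("dillards", 200, ["www"]),
}
LDAP_GROUPS: Dict[str, Group] = {
    "staff": Group("staff", 1, ["USER1"]),
    "dillards": Group("dillards", 200, ["USER1"]),
    "rssgrp": Group("rssgrp", 300, ["USER1"]),
}
USER1 = User("USER1", gid=1)  # pgrp=staff

def getgrnam(name: str, registries=(FILES_GROUPS, LDAP_GROUPS)) -> Optional[Group]:
    """Assumed resolver: the first registry that defines the name wins."""
    for reg in registries:
        if name in reg:
            return reg[name]
    return None

def usergr_matches(group: str, user: User) -> bool:
    """Assumed sudo-1.6-style check for a '%group' sudoers entry."""
    grp = getgrnam(group)
    if grp is None:
        return False
    if grp.gid == user.gid:          # primary group always matches by gid
        return True
    return user.name in grp.members  # otherwise the member list must name the user

def explain(group: str, user: User) -> Tuple[bool, str]:
    """Report which registry answered and why the match succeeded or failed."""
    grp = getgrnam(group)
    if grp is None:
        return False, f"{group}: not found in any registry"
    source = "files" if group in FILES_GROUPS else "LDAP"
    if grp.gid == user.gid:
        return True, f"{group}: resolved from {source}, matched as primary group"
    if user.name in grp.members:
        return True, f"{group}: resolved from {source}, {user.name} in member list"
    return False, f"{group}: resolved from {source}, members {grp.members} omit {user.name}"

if __name__ == "__main__":
    for g in ("dillards", "staff", "rssgrp"):
        print(explain(g, USER1)[1])
```

Because the local "dillards" entry shadows the LDAP one, the member scan never sees USER1, which is exactly the "asks for passwd" case; "staff" passes only on the primary gid and "rssgrp" passes because no local entry shadows it.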