[sudo-users] is not allowed to execute '/bin/su -' as root

Jeremy Hansen jeremy at smokehabanos.com
Tue Mar 21 17:00:05 EST 2006


I'm attempting to set up sudo control via ldap.  I seem to have most pieces
worked out but yet I'm unable to get sudo to allow my user to actually run
things.

Here's the info:

My defaults

dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers

User entry

dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL

Here is my output when I just try to do sudo su - as user jhansen

[jhansen at z000009 ~]$ sudo su -
LDAP Config Summary
===================
host         z000009.blah.com
port         389
ldap_version 3
sudoers_base ou=SUDOers,dc=blah,dc=com
binddn       (anonymous)
bindpw       (anonymous)
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
ldap_init(z000009.blah.com,389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=blah,dc=com
ldap sudoOption: 'ignore_local_sudoers'
ldap search 
'(|(sudoUser=jhansen)(sudoUser=%jhansen)(sudoUser=%jhansen)(sudoUser=ALL))'
found:cn=jhansen,ou=SUDOers,dc=blah,dc=com
ldap sudoHost 'ALL' ... MATCH!
ldap sudoCommand '(ALL) ALL' ... not
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x04
Password:
Sorry, user jhansen is not allowed to execute '/bin/su -' as root on
z000009.blah.com.

The session looks as if it finds my user, says there's a match, but it seems
to get something wrong on the sudoCommand entry...

Not really sure what's going on at this point.

My /etc/pam.d/sudo

auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Any help is appreciated.

Thanks
-jeremy
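An added example, not from the post or from the sudo project, that lints sudoRole LDIF entries for the mistake the debug line `ldap sudoCommand '(ALL) ALL' ... not` points at. It assumes the standard sudoers LDAP schema, where sudoCommand holds only the command and the runas user lives in its own attribute (sudoRunAs, or sudoRunAsUser in sudo 1.7 and later), so a sudoers-file style "(ALL) ALL" is compared literally against the requested command and never matches; the LDIF below is constructed to mirror the post's entry.

```python
import re

# Constructed LDIF mirroring the entry from the post (dc=blah is the post's own).
SAMPLE_LDIF = """\
dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL
"""

# A sudoers-file style "(runas) command" prefix; legal only in /etc/sudoers.
RUNAS_PREFIX = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$")

def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> [values] per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def lint_sudo_role(entry):
    """Return the problems found in one sudoRole entry (empty list if clean)."""
    problems = []
    for cmd in entry.get("sudoCommand", []):
        if RUNAS_PREFIX.match(cmd):
            problems.append("sudoCommand %r embeds a runas spec; put the runas "
                            "user in sudoRunAs (sudoRunAsUser in sudo 1.7+)" % cmd)
        elif cmd != "ALL" and not cmd.lstrip("!").startswith("/"):
            problems.append("sudoCommand %r is not ALL or an absolute path" % cmd)
    return problems

def fix_runas(entry):
    """Return a copy with '(user) cmd' split into sudoRunAs + sudoCommand."""
    fixed = {k: list(v) for k, v in entry.items()}
    cmds = []
    for cmd in fixed.get("sudoCommand", []):
        m = RUNAS_PREFIX.match(cmd)
        if m:  # move the runas user into its own attribute
            fixed.setdefault("sudoRunAs", []).append(m.group("runas"))
            cmd = m.group("cmd")
        cmds.append(cmd)
    fixed["sudoCommand"] = cmds
    return fixed
```

Running `lint_sudo_role` over `parse_ldif(SAMPLE_LDIF)` flags the "(ALL) ALL" value, and `fix_runas` yields an entry with `sudoRunAs: ALL` and `sudoCommand: ALL` that lints clean.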