[sudo-users] Problem with Sudo-LDAP

Jayson Henkel jhenkel at sterlingcrane.com
Tue Mar 21 11:15:21 EST 2006


I'm currently trying to implement the sudo-ldap modification to sudo. This will be a big benefit to myself. However, I am having some difficulties implementing it.

I have turned debugging on and get the following information when I run sudo from root:

LDAP Config Summary
===================
uri          ldaps://ldap.sterlingcrane.ca
ldaps://ldap2.sterlingcrane.ca
ldap_version 3
sudoers_base ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
binddn       (anonymous)
bindpw       (anonymous)
ssl          (no)
===================
ldap_initialize(ld,ldaps://ldap.sterlingcrane.ca
ldaps://ldap2.sterlingcrane.ca)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_simple_bind_s()=81 : Can't contact LDAP server
usage: sudo -K | -L | -V | -h | -k | -l | -v
usage: sudo [-HPSb] [-p prompt] [-u username|#uid]
            { -e file [...] | -i | -s | <command> }

When I run it from a normal user I receive the following.

jhenkel at ruto:/usr/share/doc/sudo-ldap$ sudo passwd foo
sudo: uid 1039 does not exist in the passwd file!
jhenkel at ruto:/usr/share/doc/sudo-ldap$ sendmail: fatal: no login name found for user ID 1039

However, please review the following:

jhenkel at ruto:/usr/share/doc/sudo-ldap$ getent passwd 1039
jhenkel:x:1039:1000:Jayson Henkel:/home/jhenkel:/bin/bash

Keep in mind, all my user information is in ldap and no files are local, therefore ldap is working. See below for examples of both TLS and LDAPS.

jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -ZZ  -h ldap.sterlingcrane.ca uid=jhenkel dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=jhenkel
# requesting: dn
#

# jhenkel, staff, people, sterlingcrane.ca
dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -H ldaps://ldap.sterlingcrane.ca uid=jhenkel dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=jhenkel
# requesting: dn
#

# jhenkel, staff, people, sterlingcrane.ca
dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
jhenkel at ruto:/usr/share/doc/sudo-ldap$

When I sniff traffic on the ldap interface, I can clearly see that when I type sudo, ldap traffic is generated on the ldaps (636) port.

Here's my ldap.conf too in case it helps.

BASE    dc=sterlingcrane,dc=ca
URI     ldaps://ldap.sterlingcrane.ca
ldaps://ldap2.sterlingcrane.ca
#URI    ldap://localhost
TLS_CACERT /etc/ssl/certs/CA.crt
#TLS_REQCERT allow

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#SUDO Control
sudoers_base   ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
sudoers_debug 2

Can you offer any advice on how to resolve this?
Thanks in advance.
-- 
Regards,

Jayson D. Henkel
Systems Manager

(Tel:  +1 (780) 440-4434)
(Fax:  +1 (780) 440-1951)
(Cell: +1 (780) 886-8941)
(E-Mail: jhenkel at sterlingcrane.com)

Sterling Crane
P.O. Box 8610. Station South
Edmonton, Alberta
Canada. T6E 6R2
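A small static audit of the ldap.conf quoted above, added here as an example and not code from the post or from the sudo project. It parses the file the way libldap reads it (one keyword per line, `#` comment lines, all servers space-separated on a single `URI` line) and reports settings that matter for sudo-ldap: the archive shows the second `ldaps://` server on its own line, and if the real file looks like that the second line is read as an unknown keyword rather than as a URI, so the parser flags it; it also flags the anonymous bind (the sudoers subtree must then be world-readable), a plaintext `ldap://` URI without `ssl start_tls`, `ssl start_tls` combined with an `ldaps://` URI, a missing CA file, and `TLS_REQCERT never/allow`. The keyword meanings are the documented OpenLDAP and sudo ones; the finding codes and the sample configs are constructed for this example.

```python
"""Static audit of an ldap.conf as read by sudo-ldap / libldap (added example)."""
from urllib.parse import urlsplit

# Constructed sample: the ldap.conf quoted in the post, with the URI line
# broken across two lines exactly as the list archive shows it.
CONF_AS_ARCHIVED = """\
BASE    dc=sterlingcrane,dc=ca
URI     ldaps://ldap.sterlingcrane.ca
ldaps://ldap2.sterlingcrane.ca
#URI    ldap://localhost
TLS_CACERT /etc/ssl/certs/CA.crt
#TLS_REQCERT allow

#SUDO Control
sudoers_base   ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
sudoers_debug 2
"""

# Same content with both servers on one URI line, the form libldap expects.
CONF_JOINED = CONF_AS_ARCHIVED.replace(
    "ldaps://ldap.sterlingcrane.ca\nldaps://ldap2",
    "ldaps://ldap.sterlingcrane.ca ldaps://ldap2")

# Constructed weak variant: cleartext LDAP and certificate checks switched off.
CONF_WEAK = """\
URI ldap://ldap.example.test
TLS_REQCERT never
sudoers_base ou=sudoers,dc=example,dc=test
"""


def parse_ldap_conf(text):
    """Return (conf, stray): conf maps lowercased keyword -> value ('uri' is a
    list); stray holds lines whose keyword itself is a URI, i.e. a server that
    was wrapped onto its own line instead of staying on the URI line."""
    conf, stray = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if "://" in key:                       # a URI where a keyword belongs
            stray.append(line)
            continue
        key = key.lower()
        if key == "uri":                       # several servers, space-separated
            conf.setdefault("uri", []).extend(value.split())
        else:
            conf[key] = value
    return conf, stray


def audit_ldap_conf(text):
    """Return a list of (code, message) findings for an ldap.conf text."""
    conf, stray = parse_ldap_conf(text)
    findings = []
    for line in stray:
        findings.append(("uri-on-own-line",
                         f"{line!r} is read as a keyword, not as a server; "
                         "keep every server on the single URI line"))
    uris = conf.get("uri", [])
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    ssl_mode = conf.get("ssl", "").lower()
    if not uris:
        findings.append(("no-uri", "no URI keyword; libldap falls back to localhost:389"))
    if "ldap" in schemes and ssl_mode != "start_tls":
        findings.append(("plaintext-ldap",
                         "ldap:// URI without 'ssl start_tls': sudoers rules and any "
                         "bind password cross the network in clear"))
    if "ldaps" in schemes and ssl_mode == "start_tls":
        findings.append(("starttls-on-ldaps",
                         "'ssl start_tls' cannot be negotiated on a port that already "
                         "speaks TLS (ldaps://)"))
    if "ldaps" in schemes and not any(k in conf for k in ("tls_cacert", "tls_cacertdir")):
        findings.append(("no-ca",
                         "ldaps:// URI but no TLS_CACERT/TLS_CACERTDIR; with the default "
                         "TLS_REQCERT demand the handshake is rejected"))
    if conf.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append(("cert-unverified",
                         f"TLS_REQCERT {conf['tls_reqcert']}: the server certificate is not "
                         "verified, so a spoofed server could hand out sudoers rules"))
    if not conf.get("binddn"):
        findings.append(("anon-bind",
                         "no binddn: sudo binds anonymously, so the sudoers subtree has to "
                         "be readable by every unauthenticated client"))
    if not conf.get("sudoers_base"):
        findings.append(("no-sudoers-base", "sudoers_base missing; sudo-ldap has nothing to search"))
    return findings


if __name__ == "__main__":
    for name, text in (("archived", CONF_AS_ARCHIVED), ("joined", CONF_JOINED), ("weak", CONF_WEAK)):
        print(f"== {name} ==")
        for code, message in audit_ldap_conf(text):
            print(f"  [{code}] {message}")
```

Run against the archived form it reports `uri-on-own-line` and `anon-bind`; with the servers joined on one line only `anon-bind` remains, which is a policy point (read access to the sudoers subtree for anonymous clients) rather than a connectivity error. The `ldap_simple_bind_s()=81` failure in the post is a transport-level error that a static check cannot settle; the audit only narrows down which settings deserve a look before the bind is retried.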
