[sudo-users] sudo ldap not working

John Tran vectorz2 at gmail.com
Fri Feb 23 17:13:07 EST 2007


Hey all, I figured out the compiling problem was due to not having the
openldap-devel package.  Got that fixed, so now sudo is installed and ldap
seems to be configured just right, but it's not working.

When I do sudo -l I can see that it picks up the netgroup correctly and I
even see privileges, yet it won't let me sudo.


[jtran at optimus ~]$ sudo -l
Password:
User jtran may run the following commands on this host:

LDAP Role: jtran
  Commands:
    (ALL) ALL
[jtran at optimus ~]$ sudo cat /etc/shadow
jtran is not in the sudoers file.  This incident will be reported.

** Also how do I turn on sudo -l debug?  I saw this output in one of the
mailing-list archives:

http://www.gratisoft.us/pipermail/sudo-workers/2004-August/000372.html

> And the results of sudo -l with debugging enabled:
> [cds12118:~] jacobp% sudo -l
> LDAP Config Summary
> ===================
> host         158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59
> port         389
> ldap_version 3
> uri          (NONE)
> sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
> binddn       cn=proxyagent,ou=profile,o=cadence.com
> bindpw       proxy
> ===================
> ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73
> 158.140.143.59,389)
> ldap_bind() ok
> found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%c
> vsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
> found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
> ldap sudoHost 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(50)=0x02
> User jacobp may run the following commands on this host:
>
> LDAP Role: Admins
>   Commands:
>     !/usr/bin/vi /etc/passwd
>     !/usr/bin/vi /etc/shadow
>     !/usr/bin/vi /etc/ldap.conf
>     !sudoedit /etc/passwd
>     !sudoedit /etc/shadow
>     !sudoedit /etc/ldap.conf
>     !sudoedit /etc/nsswitch.conf
>     !/usr/sbin/ldapclient
>     !/bin/sh
>     !/bin/bash
>     !/bin/ksh
>     !/bin/tcsh
>     !/bin/csh
>     !/bin/su
>     !/grid/common/bin/tcsh
>     !/grid/common/bin/bash
>     !/usr/ngnu/bin/tcsh
>     !/usr/ngnu/bin/bash
>     !xterm
>     ALL
> [cds12118:~] jacobp%
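The quoted debug output shows the two sudoRole lookups sudo's LDAP backend performs: an explicit filter built from the user name, the user's groups (as %group) and ALL, followed by a second search for every entry with a +netgroup sudoUser that is then matched client-side against the netgroup. The following Python model of that lookup is an added example written for this archive page, not code from the sudo project; the sudoRole entries, the netgroup table and the assumption that a netgroup triple of (host, user, domain) with None as a wildcard are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SudoRole:
    """Minimal model of an LDAP sudoRole entry (constructed for this example)."""
    cn: str
    sudo_user: list   # e.g. ["jtran", "%itadmins", "+sudoadmins", "ALL"]
    sudo_host: list   # e.g. ["ALL", "optimus"]
    sudo_command: list

def build_user_filter(user, groups):
    """Mirror of the '(|(sudoUser=u)(sudoUser=%g)...(sudoUser=ALL))' filter
    seen in the debug output; groups are prefixed with '%'."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"

# Constructed netgroup table: name -> set of (host, user, domain) triples,
# None standing for a wildcard, the way NIS netgroup triples behave.
NETGROUPS = {"sudoadmins": {("optimus", "jtran", None)}}

def in_netgroup(netgroup, host, user):
    """Client-side equivalent of the innetgr() check sudo runs after the
    'sudoUser=+*' search."""
    return any(h in (host, None) and u in (user, None)
               for h, u, _ in NETGROUPS.get(netgroup, ()))

def user_matches(role, user, groups, host):
    for u in role.sudo_user:
        if u == "ALL" or u == user:
            return True
        if u.startswith("%") and u[1:] in groups:
            return True
        if u.startswith("+") and in_netgroup(u[1:], host, user):
            return True
    return False

def host_matches(role, host):
    return any(h == "ALL" or h == host for h in role.sudo_host)

def matching_roles(roles, user, groups, host):
    """Names of sudoRole entries whose sudoUser and sudoHost both match,
    i.e. the roles that 'sudo -l' would list for this user on this host."""
    return [r.cn for r in roles
            if user_matches(r, user, groups, host) and host_matches(r, host)]
```

A role that reaches this list only through the netgroup pass is exactly what the poster's `sudo -l` output reports; the command-level decision is a separate step that this model does not cover.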



More information about the sudo-users mailing list