[sudo-users] sudo - LDAP and netgroups

Jo De Troy jo.de.troy at gmail.com
Thu Oct 11 11:29:08 EDT 2007


Hello,

I'm pretty new to netgroups and sudo integration with LDAP.
I've setup sudo with LDAP integration on CentOS.
I've created an LDAP entry
dn: cn=role1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: role1
sudoUser: jdoe
sudoHost: ALL
sudoCommand: ALL

and that seems to work. When I try to use a netgroup
dn: cn=LinuxAdmins,ou=netgroup,dc=example,dc=com
cn: LinuxAdmins
objectClass: top
objectClass: nisnetgroup
nisNetgroupTriple: (-,jdoe,-)

it doesn't.
I log in as jdoe on the specific host and execute sudo -l.
I see the config stuff, since the debug mode is 2, and the 3 searches
sudo does (specific user, group member and netgroup). It does find the
netgroup entry, but sudo says jdoe is not allowed.

Any ideas what might be wrong? Is it the netgroup that's wrong?
I typically use 2 netgroups, 1 for users and 1 for hosts. I limit
access to hosts using the netgroups and pam_access. And that works
fine, so I thought the netgroup is working fine.
I'm running the sudo release 1.6.8p12-10 from CentOS 5 (= RHEL 5).

Best Regards,
Jo
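As an added illustration, not part of the thread and not sudo's own code, the following Python models how sudo-ldap decides whether a sudoUser value applies to the invoking user: a plain name, ALL, %unixgroup, or +netgroup, the last resolved innetgr-style against nisNetgroupTriple values like the one in the post. The directory contents are constructed from the entries above; the matching rules are a simplified model, not a copy of sudo's match code.

```python
"""Simplified model of sudoUser matching in sudo-ldap (constructed example).

A sudoUser value matches the invoking user when it is the user name, ALL,
%unixgroup, or +netgroup. A +netgroup is resolved innetgr(3)-style over
nisNetgroupTriple values "(host,user,domain)": an empty field matches
anything, "-" means "no valid value" and matches nothing, and a field whose
lookup argument is None is ignored (sudo passes no host when it matches
the user side of a role).
"""
import re

TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")

def parse_triples(values):
    """Turn nisNetgroupTriple strings into (host, user, domain) tuples."""
    return [m.groups() for m in (TRIPLE.match(v.strip()) for v in values) if m]

def field_matches(field, arg):
    if arg is None:      # caller does not care about this field
        return True
    if field == "-":     # "no valid value": never matches
        return False
    return field == "" or field == arg

def innetgr(netgroups, name, host, user, domain=None, _seen=None):
    """Mimic innetgr(3), following nested memberNisNetgroup entries."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    entry = netgroups[name]
    for h, u, d in parse_triples(entry.get("nisNetgroupTriple", [])):
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(netgroups, sub, host, user, domain, _seen)
               for sub in entry.get("memberNisNetgroup", []))

def sudo_user_matches(value, user, groups, netgroups):
    """Does one sudoUser attribute value apply to `user`?"""
    if value == "ALL" or value == user:
        return True
    if value.startswith("%"):          # Unix group
        return value[1:] in groups
    if value.startswith("+"):          # netgroup: host field is ignored
        return innetgr(netgroups, value[1:], None, user)
    return False                       # a bare name is a user name, not a netgroup

# Constructed directory contents mirroring the netgroup entry in the post.
NETGROUPS = {"LinuxAdmins": {"nisNetgroupTriple": ["(-,jdoe,-)"]}}
```

Note that a sudoUser value of `LinuxAdmins` without the leading `+` is matched as a user name, while `+LinuxAdmins` is looked up as a netgroup.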


