[sudo-users] sudo - LDAP and netgroups

Andreas Hasenack ahasenack at terra.com.br
Thu Oct 11 12:15:55 EDT 2007


On Thu, 2007-10-11 at 17:29 +0200, Jo De Troy wrote:
> Hello,
> 
> I'm pretty new to netgroups and sudo integration with LDAP.
> I've set up sudo with LDAP integration on CentOS.
> I've created an LDAP entry
> dn: cn=role1,ou=sudoers,dc=example,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: role1
> sudoUser: jdoe
> sudoHost: ALL
> sudoCommand: ALL
> 
> and that seems to work. When I try to use a netgroup
> dn: cn=LinuxAdmins,ou=netgroup,dc=example,dc=com
> cn: LinuxAdmins
> objectClass: top
> objectClass: nisnetgroup
> nisNetgroupTriple: (-,jdoe,-)
> 
> it doesn't.
> I login as jdoe on the specific host and execute sudo -l
> I see the config stuff since the debug mode is 2, and the 3 searches
> sudo does (specific user, group member and netgroup). It does find the
> netgroup entry, but sudo says jdoe is not allowed.

Keeping the role1 entry the same, sudo -l now doesn't allow you? Or did
you change "sudoUser: jdoe" to "sudoUser: +LinuxAdmins" and then try it?

Also, make sure /etc/nsswitch.conf is set up to use ldap for netgroups.
For example, this command has to return your netgroup:

getent netgroup LinuxAdmins
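An added illustration (not code from this thread, from sudo or from glibc) of why the "+" prefix matters: a simplified Python model of how sudo matches a sudoRole's sudoUser values, where "+name" is a netgroup resolved the way innetgr(3) walks nisNetgroupTriple entries. The netgroup data, the nested AllAdmins group and all function names are constructed for the example.

```python
# Constructed directory content mirroring the thread: netgroup name ->
# nisNetgroupTriple values plus memberNisNetgroup references (nesting).
NETGROUPS = {
    "LinuxAdmins": {"triples": ["(-,jdoe,-)"], "members": []},
    "AllAdmins": {"triples": [], "members": ["LinuxAdmins"]},  # constructed
}

def parse_triple(triple):
    """Split "(host,user,domain)"; an empty field is a wildcard, stored as None."""
    inner = triple.strip()[1:-1]  # drop the surrounding parentheses
    fields = [f.strip() or None for f in inner.split(",")]
    if len(fields) != 3:
        raise ValueError("malformed nisNetgroupTriple: %r" % triple)
    return tuple(fields)

def field_matches(entry_field, query):
    # Wildcard on either side matches; otherwise an exact, literal compare.
    # "-" is compared literally, so it never equals a real host or domain
    # (netgroup(5) calls it "no valid value"); a None query still matches it.
    return entry_field is None or query is None or entry_field == query

def innetgr(netgroup, host, user, domain, netgroups=NETGROUPS, seen=None):
    """Simplified innetgr(3): check triples, recurse into nested netgroups."""
    if seen is None:
        seen = set()
    if netgroup in seen or netgroup not in netgroups:
        return False  # unknown or already visited (guards against loops)
    seen.add(netgroup)
    for triple in netgroups[netgroup]["triples"]:
        h, u, d = parse_triple(triple)
        if all(field_matches(e, q) for e, q in ((h, host), (u, user), (d, domain))):
            return True
    return any(innetgr(m, host, user, domain, netgroups, seen)
               for m in netgroups[netgroup]["members"])

def sudo_user_matches(sudo_user_values, user, netgroups=NETGROUPS):
    """Does any sudoUser value of one sudoRole apply to this user? (%group omitted)"""
    for value in sudo_user_values:
        if value.startswith("+"):
            # Netgroup. When matching the user, sudo passes no host, and the
            # NIS domain is modelled as unset here, so the "-" host/domain
            # fields in the thread's triple are irrelevant; only the user
            # field has to agree.
            if innetgr(value[1:], None, user, None, netgroups):
                return True
        elif value in (user, "ALL"):
            # Plain value: a user name (or ALL). "LinuxAdmins" without "+"
            # is just a user called LinuxAdmins and never matches jdoe.
            return True
    return False
```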
