[sudo-users] sudo - LDAP and netgroups

Jo De Troy jo.de.troy at gmail.com
Thu Oct 11 15:38:34 EDT 2007


Hello Andreas,

with the sudoRole as is (sudoUser: jdoe) it works. But when I switch the
sudoUser to +LinuxAdmins it fails.
The nsswitch.conf is set up correctly; I can query the netgroup with
the getent command. Could this be a RedHat/CentOS specific bug? Or is
it related to the version of sudo?
On the LDAP server side I see the query coming in all right; I also
saw that with the debug mode on in /etc/ldap.conf. Sudo finds the
netgroups but for some reason it does not see the entries in the
netgroups, or fails to find the entry of the user running sudo -l.
Any ideas? How could I debug further? I already have sudoers_debug 3
in the /etc/ldap.conf.

Thanks again,
Jo

On 11/10/2007, Andreas Hasenack <ahasenack at terra.com.br> wrote:
>
> On Thu, 2007-10-11 at 17:29 +0200, Jo De Troy wrote:
> > Hello,
> >
> > I'm pretty new to netgroups and sudo integration with LDAP.
> > I've setup sudo with LDAP integration on CentOS.
> > I've created an LDAP entry
> > dn: cn=role1,ou=sudoers,dc=example,dc=com
> > objectClass: top
> > objectClass: sudoRole
> > cn: role1
> > sudoUser: jdoe
> > sudoHost: ALL
> > sudoCommand: ALL
> >
> > and that seems to work. When I try to use a netgroup
> > dn: cn=LinuxAdmins,ou=netgroup,dc=example,dc=com
> > cn: LinuxAdmins
> > objectClass: top
> > objectClass: nisnetgroup
> > nisNetgroupTriple: (-,jdoe,-)
> >
> > it doesn't.
> > I login as jdoe on the specific host and execute sudo -l
> > I see the config stuff since the debug mode is 2, and the 3 searches
> > sudo does (specific user, group member and netgroup). It does find the
> > netgroup entry but sudo says jdoe is not allowed.
>
> Keeping the role1 entry the same, sudo -l now doesn't allow you? Or did
> you change "sudoUser: jdoe" to "sudoUser: +LinuxAdmins" and then try it?
>
> Also, make sure /etc/nsswitch.conf is set up to use ldap for netgroups.
> For example, this command has to return your netgroup:
>
> getent netgroup LinuxAdmins
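The two checks the quoted reply recommends (nsswitch.conf resolving netgroups through ldap, and the netgroup's triples actually carrying the login that sudo matches against "sudoUser: +LinuxAdmins"), as an added shell example that is not part of this thread or of sudo itself; the nsswitch.conf text and the "getent netgroup" line below are constructed samples, so it runs without an LDAP server.

```shell
#!/bin/sh
# Added example: reproduce the netgroup checks sudo relies on, against
# constructed sample data instead of a live LDAP server.

# Constructed sample of /etc/nsswitch.conf and of the output of
# "getent netgroup LinuxAdmins" (name, then (host,user,domain) triples).
SAMPLE_NSSWITCH='passwd:     files ldap
group:      files ldap
netgroup:   ldap'
SAMPLE_GETENT='LinuxAdmins           (-,jdoe,-) (-,asmith,-)'

# nsswitch_netgroup_uses_ldap NSSWITCH_TEXT
# Succeeds when the "netgroup:" line lists ldap as a source; without it,
# getent and sudo never see the LDAP netgroup at all.
nsswitch_netgroup_uses_ldap() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*netgroup:' |
        grep -qE '[[:space:]]ldap([[:space:]]|$)'
}

# netgroup_has_user GETENT_LINE USER
# Splits the getent line into triples and succeeds when the user field of
# some triple equals USER or is empty (an empty field is a wildcard, while
# "-" is a literal that no real login name equals).
netgroup_has_user() {
    line=$1
    user=$2
    printf '%s\n' "$line" | tr ' \t' '\n\n' | grep '^(' |
    while IFS= read -r triple; do
        inner=${triple#\(}          # drop the opening parenthesis
        inner=${inner%\)}           # drop the closing parenthesis
        u=$(printf '%s\n' "$inner" | cut -d, -f2)   # middle field = user
        if [ "$u" = "$user" ] || [ -z "$u" ]; then
            echo match
            break
        fi
    done | grep -q match
}

# Stand-alone run against the constructed samples.
if nsswitch_netgroup_uses_ldap "$SAMPLE_NSSWITCH"; then
    echo "nsswitch.conf: netgroup lookups go through ldap"
fi
for u in jdoe bob; do
    if netgroup_has_user "$SAMPLE_GETENT" "$u"; then
        echo "$u is listed in LinuxAdmins"
    else
        echo "$u is NOT listed in LinuxAdmins"
    fi
done
```

On a real host, replace the samples with the contents of /etc/nsswitch.conf and the output of "getent netgroup LinuxAdmins"; a user that this check rejects is one sudo will reject as well.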
