[sudo-users] Novell edirectory ldap Solaris10 and sudo

herve1.le-goff herve1.le-goff at laposte.net
Tue Mar 25 19:15:27 EDT 2008


Hi,

I would like to store the sudoers file in LDAP (eDirectory).

I can authenticate fine against LDAP, but sudo does not work: 07hxl2 is not in the sudoers file.  This incident will be reported.

1) sudo is compiled with PAM:

# ldd /opt/IROS/bin/sudo
        libpam.so.1 =>   /lib/libpam.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libldap-2.4.so.2 =>      /opt/IROS/lib/libldap-2.4.so.2
        liblber-2.4.so.2 =>      /opt/IROS/lib/liblber-2.4.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libcmd.so.1 =>   /lib/libcmd.so.1
        libresolv.so.2 =>        /lib/libresolv.so.2
        libssl.so.0.9.8 =>       /opt/IROS/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /opt/IROS/lib/libcrypto.so.0.9.8
        libgcc_s.so.1 =>         /opt/IROS/lib/libgcc_s.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd5.so.1 =>   /lib/libmd5.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,Sun-Blade-100/lib/libc_psr.so.1
        /platform/SUNW,Sun-Blade-100/lib/libmd5_psr.so.1

2) solaris10$ ldaplist sudoers
dn: cn=defaults,ou=SUDOers,ou=people,ou=users,o=IRD
dn: cn=root,ou=SUDOers,ou=people,ou=users,o=IRD
dn: cn=herve,ou=SUDOers,ou=people,ou=users,o=IRD
dn: cn=07hxl2,ou=SUDOers,ou=people,ou=users,o=IRD

3) An ldapsearch command gives this:

# 07hxl2, SUDOers, people, users, IRD
dn: cn=07hxl2,ou=SUDOers,ou=people,ou=users,o=IRD
sudoOption: !authenticate
sudoRunAs: ALL
sudoCommand: ALL
sudoHost: ALL
sudoUser: 07hxl2
objectClass: Top
objectClass: sudoRole
cn: 07hxl2

# defaults, SUDOers, people, users, IRD
dn: cn=defaults,ou=SUDOers,ou=people,ou=users,o=IRD
sudoOption: passwd_timeout=0, !lecture, timestamp_timeout=120,ignore_local_sud
 oers
objectClass: Top
objectClass: sudoRole
description: Default sudoOption's go here
cn: defaults

# herve, SUDOers, people, users, IRD
dn: cn=herve,ou=SUDOers,ou=people,ou=users,o=IRD
sudoRunAs: ALL
sudoCommand: ALL
sudoHost: ALL
sudoUser: herve
objectClass: Top
objectClass: sudoRole
cn: herve

# root, SUDOers, people, users, IRD
dn: cn=root,ou=SUDOers,ou=people,ou=users,o=IRD
sudoRunAs: ALL
sudoCommand: ALL
sudoHost: ALL
sudoUser: root
objectClass: Top
objectClass: sudoRole
cn: root

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

4) # less /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.40.101.237
NS_LDAP_SEARCH_BASEDN= ou=users,o=IRD
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= shadow:
NS_LDAP_SERVICE_SEARCH_DESC= passwd:
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,ou=people,ou=users,o=IRD


It looks like it does not read the LDAP sudoers objects. What am I missing? I'd appreciate help.

Thanks, Herve.

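As an added example (not part of the post above, and not sudo's own code), the following Python audits sudoRole entries in the LDIF form that ldapsearch prints: it unfolds continuation lines (like the wrapped "ignore_local_sud / oers" line in the defaults entry), splits comma-separated sudoOption values, and flags any sudoUser whose role grants ALL commands with !authenticate, which is exactly what the 07hxl2 entry does. The sample LDIF is constructed from the entries in the post, trimmed to the attributes the audit needs.

```python
# Constructed sample LDIF as ldapsearch prints it; a line starting with a space continues the previous one.
SAMPLE_LDIF = """\
dn: cn=07hxl2,ou=SUDOers,ou=people,ou=users,o=IRD
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: 07hxl2

dn: cn=defaults,ou=SUDOers,ou=people,ou=users,o=IRD
sudoOption: passwd_timeout=0, !lecture, timestamp_timeout=120,ignore_local_sud
 oers

dn: cn=herve,ou=SUDOers,ou=people,ou=users,o=IRD
sudoCommand: ALL
sudoUser: herve
"""

def parse_ldif(text):
    """Return a list of entries ({attr: [values]}), unfolding LDIF continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if cur: entries.append(cur)
            cur = {}
        elif not line.startswith("#"):              # skip ldapsearch comment lines
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def split_options(values):
    """sudoOption may be one value per attribute or comma-separated (as in the defaults entry)."""
    return [o.strip() for v in values for o in v.split(",") if o.strip()]

def audit_roles(entries):
    """Per sudoUser: does the role grant ALL commands, and does it skip authentication?"""
    report = {}
    for e in entries:
        if "sudoUser" not in e:                     # e.g. the cn=defaults entry
            continue
        opts = split_options(e.get("sudoOption", []))
        for user in e["sudoUser"]:
            all_cmds, no_pw = "ALL" in e.get("sudoCommand", []), "!authenticate" in opts
            report[user] = {"all_commands": all_cmds, "no_password": no_pw, "risky": all_cmds and no_pw}
    return report
```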


