[sudo-users] LDAP issue.

Todd C. Miller Todd.Miller at courtesan.com
Wed May 13 15:17:48 EDT 2009


In message <dc3ecf560905130911j37778dbcu4319312d3ee23be at mail.gmail.com>
	so spake "J." (techchavez):

> Is there anything I need to do to get SUDO to work against an LDAP
> server other than OpenLDAP using RHEL 5?
> Do I possibly need to use the --with-ldap with a different directory or path?
> I have built sudo with these configure options.
> configure --prefix=/usr/local/sudo --with-ldap
> --with-ldap-conf-file=/etc/sudoers.ldap.

That should be OK.  Do you have the openldap-devel and pam-devel
rpms installed?

> However on RHEL 5 it does not.
> I am getting a "sudo: no valid sudoers sources found, quitting"

That sounds like either sudo did not actually get built with ldap
support, sudo isn't finding the ldap config file, or the connection
to the ldap server is failing.  However, if the connection failed,
you should receive an error like "unable to initialize LDAP" first.

> This happens even though I have added "sudoers: ldap" to /etc/nsswitch.conf.
> If I specify files only in nsswitch, then I get a prompt and when
> I enter the password it says:
> Sorry try again 3 times immediately.

Does it give you the chance to enter a password or does it just say
"Sorry..." 3 times?

> I understand this is most likely a PAM issue because I saw a reply to
> a previous post saying that the way to fix this is to copy sample.pam
> to /etc/pam.d/sudo. This however did not fix it.

It may be simplest to just use the pam.d files that the RHEL5 sudo
rpm comes with.

> I am less concerned with this than the LDAP not being recognized as a
> valid source.
> 
> What I have done on the RHEL box...
> added sudoers: ldap   to nsswitch.conf
> added the following to /etc/sudoers.ldap.
> host hostname
> sudoers_base ou=SUDOers,o=ORG

Try adding:
sudoers_debug 2

and see if you get any useful debugging info.

 - todd
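The pieces Todd asks about can be checked mechanically: that the "sudoers:" line in nsswitch.conf actually names ldap as a source, that the sudo LDAP config carries "host" and "sudoers_base", and whether "sudoers_debug" has been set for troubleshooting. The script below is an added example, not code from this thread or from the sudo project. The file paths are parameters, the nsswitch.conf and sudoers.ldap contents it creates are constructed for the demonstration, and ldap.example.com is a placeholder hostname.

```sh
#!/bin/sh
# Added example, not code from the sudo-users thread or the sudo project.
# It checks the two configuration pieces discussed in the thread:
#   1. nsswitch.conf must list "ldap" on the "sudoers:" line
#   2. the sudo LDAP config (/etc/sudoers.ldap in the thread) must carry
#      "host" and "sudoers_base"; "sudoers_debug" is reported so you know
#      whether extra diagnostics are enabled.
# The file paths are parameters so the constructed samples below can stand
# in for the real files.

# Exit 0 if the "sudoers:" line of an nsswitch.conf names ldap as a source.
nsswitch_has_ldap() {
    awk '{ sub(/#.*/, "") }                # drop trailing comments
         $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Print the value of the first matching key in a sudo ldap.conf-style file
# (keys matched case-insensitively); print nothing if the key is absent.
ldap_conf_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Run all checks against an nsswitch.conf ($1) and a sudo ldap config ($2).
# Prints findings; returns 0 only if every required item is present.
check_sudo_ldap_config() {
    nss=$1 ldapconf=$2 ok=0
    if nsswitch_has_ldap "$nss"; then
        echo "ok:   $nss lists ldap as a sudoers source"
    else
        echo "FAIL: $nss has no 'sudoers: ... ldap' line"; ok=1
    fi
    for key in host sudoers_base; do
        val=$(ldap_conf_value "$ldapconf" "$key")
        if [ -n "$val" ]; then
            echo "ok:   $key = $val"
        else
            echo "FAIL: $key not set in $ldapconf"; ok=1
        fi
    done
    dbg=$(ldap_conf_value "$ldapconf" sudoers_debug)
    echo "info: sudoers_debug = ${dbg:-unset (add 'sudoers_debug 2' while troubleshooting)}"
    return $ok
}

# Constructed sample files standing in for /etc/nsswitch.conf and
# /etc/sudoers.ldap; ldap.example.com is a placeholder hostname.
make_samples() {
    dir=$(mktemp -d)
    printf 'passwd:  files ldap\nsudoers: ldap files   # sudo consults LDAP first\n' > "$dir/nsswitch.good"
    printf 'passwd:  files ldap\nsudoers: files\n' > "$dir/nsswitch.bad"
    printf 'host ldap.example.com\nsudoers_base ou=SUDOers,o=ORG\nsudoers_debug 2\n' > "$dir/sudoers.ldap.good"
    printf 'sudoers_base ou=SUDOers,o=ORG\n' > "$dir/sudoers.ldap.bad"
    echo "$dir"
}

# Demo: one configuration that passes and one that reproduces the
# "no valid sudoers sources" situation (nsswitch never hands sudo to LDAP).
dir=$(make_samples)
check_sudo_ldap_config "$dir/nsswitch.good" "$dir/sudoers.ldap.good"
check_sudo_ldap_config "$dir/nsswitch.bad" "$dir/sudoers.ldap.bad" || true
rm -rf "$dir"
```

On a real box, run check_sudo_ldap_config /etc/nsswitch.conf /etc/sudoers.ldap (or whatever path was passed to --with-ldap-conf-file); a FAIL on the nsswitch line is the first thing to fix, since sudo never consults LDAP unless nsswitch sends it there.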
