[sudo-users] LDAP issue.

J. techchavez at gmail.com
Wed May 13 19:29:11 EDT 2009


OK so the box is seeing LDAP now at least.
I renamed the directory that I installed sudo from source into.
I removed /etc/sudoers.ldap.
I installed the sudo-el5.rpm package.
I will most likely upgrade this box.

Please see answers to inquiries below.

Thanks


>> Is there anything I need to do to get SUDO to work against an LDAP
>> server other than OpenLDAP using RHEL 5?
>> Do I possibly need to use the --with-ldap with a different directory or path?
>> I have built sudo with these configure options:
>> configure --prefix=/usr/local/sudo --with-ldap
>> --with-ldap-conf-file=/etc/sudoers.ldap.
>
> That should be OK.  Do you have the openldap-devel and pam-devel
> rpms installed?

Yes I do have these installed.

>
>> However on RHEL 5 it does not.
>> I am getting a "sudo: no valid sudoers sources found, quitting"
>
> That sounds like either sudo did not actually get built with ldap
> support, sudo isn't finding the ldap config file, or the connection
> to the ldap server is failing.  However, if the connection failed,
> you should receive an error like "unable to initialize LDAP" first.
>

This is finding my LDAP as a source now that I installed the el5-sudo rpm.
I added sudo_debug 2 and I am getting initialization and a successful
bind. It also searches for sudousers correctly.

>> This happens even though I have added "sudoers: ldap" to /etc/nsswitch.conf.
>> If I specify files only in nsswitch, then I get a prompt and when
>> I enter the password it says
>> "Sorry, try again" 3 times immediately.

> Does it give you the chance to enter a password or does it just say
> "Sorry..." 3 times?

This is a strange one here. I get a single prompt and if I enter the
correct password it is fine.
If I enter the incorrect password it says "Sorry" 3 times and fails.
However, I have !authenticate in my defaults and I should not be
getting prompted in any case. The ldap initialize output lists the
defaults: !authenticate. So I am not sure what is going on there. PAM?

>> I understand this is most likely a PAM issue because I saw a reply to
>> a previous post saying that the way to fix this is to copy sample.pam
>> to /etc/pam.d/sudo. This however did not fix it.
>
> It may be simplest to just use the pam.d files that the RHEL5 sudo
> rpm comes with.

I agree. I now have the sudo files since I installed the rpm from the
repo; they may need to be tweaked.

>
>> I am less concerned with this than the LDAP not being recognized as a
>> valid source.
>>
>> What I have done on the RHEL box...
>> added sudoers: ldap   to nsswitch.conf
>> added the following to /etc/sudoers.ldap.
>> host hostname
>> sudoers_base ou=SUDOers,o=ORG
>
> Try adding:
> sudoers_debug 2
> and see if you get any useful debugging info.
>
>  - todd
>

I will mention that I have some Fedora clients that are working
correctly for the most part.
They use only LDAP as a sudo source.
They are using the Fedora depot sudo rpm.
The pam sudo files are the same as on the RHEL box.
They are correctly denied or allowed access and are not prompted for
authentication, as it should be.

However, the only issue is this.
If the user is disallowed a command it gives the incorrect error message.
It says "user is not in the sudoers file" instead of "user is
not allowed to run sudo on this host". Is this something easily
remedied?


Thanks again
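As an added illustration of what the ou=SUDOers subtree discussed in this thread contains and how the LDAP backend resolves it, here is a small evaluator written for this page; it is not code from the post, from Todd, or from the sudo project. It parses a constructed LDIF (sample data, not from any real directory) using the sudoers.ldap schema attributes (sudoRole entries with sudoUser, sudoHost, sudoCommand and sudoOption, plus the cn=defaults entry), applies "!authenticate" from cn=defaults the way the poster expects it to be applied, and distinguishes the two refusal messages the poster asks about: no role naming the user at all versus a role for the user that does not cover this host. Netgroups, negated entries, sudoRunAs and sudo's exact argument matching are deliberately left out; the reason strings are this example's own classification, not a claim about which message a given sudo version prints.

```python
"""Resolve sudoRole entries for a user/host/command, modelled on the
sudoers.ldap schema. Added example for this thread; not sudo's own code."""
import fnmatch

# Constructed sample LDIF, modelled on the ou=SUDOers,o=ORG base in the post.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,o=ORG
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate

dn: cn=webadmins,ou=SUDOers,o=ORG
objectClass: top
objectClass: sudoRole
cn: webadmins
sudoUser: %webadm
sudoUser: jchavez
sudoHost: web01.example.org
sudoHost: web02.example.org
sudoCommand: /sbin/service httpd restart
sudoCommand: /usr/bin/tail /var/log/httpd/*

dn: cn=dbadmins,ou=SUDOers,o=ORG
objectClass: top
objectClass: sudoRole
cn: dbadmins
sudoUser: dba
sudoHost: db01.example.org
sudoOption: authenticate
sudoCommand: ALL
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, one 'attr: value'
    per line, multi-valued attributes collected into lists. No continuation
    lines or base64 values (the sample does not use them)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_matches(entry, user, groups):
    """sudoUser: literal user name, %group, or ALL (netgroups omitted)."""
    for u in entry.get("sudoUser", []):
        if u == "ALL" or u == user:
            return True
        if u.startswith("%") and u[1:] in groups:
            return True
    return False


def host_matches(entry, host):
    """sudoHost: host name (shell-style wildcards allowed) or ALL."""
    return any(h == "ALL" or fnmatch.fnmatchcase(host, h)
               for h in entry.get("sudoHost", []))


def command_matches(entry, command):
    """sudoCommand: full command line with wildcards, or ALL (simplified)."""
    return any(c == "ALL" or fnmatch.fnmatchcase(command, c)
               for c in entry.get("sudoCommand", []))


def apply_options(entry, authenticate):
    """Apply sudoOption values in order; only the authenticate flag is modelled."""
    for opt in entry.get("sudoOption", []):
        if opt == "authenticate":
            authenticate = True
        elif opt == "!authenticate":
            authenticate = False
    return authenticate


def evaluate(ldif_text, user, groups, host, command):
    """Return (allowed, reason, password_required) for user running command on host.
    cn=defaults is applied first; a matching role's own sudoOption overrides it."""
    roles, defaults = [], []
    for e in parse_ldif(ldif_text):
        if "sudoRole" not in e.get("objectClass", []):
            continue
        (defaults if e.get("cn") == ["defaults"] else roles).append(e)
    authenticate = True                     # sudo's built-in default
    for d in defaults:
        authenticate = apply_options(d, authenticate)
    for_user = [r for r in roles if user_matches(r, user, groups)]
    if not for_user:
        return False, "user is not in the sudoers file", authenticate
    for_host = [r for r in for_user if host_matches(r, host)]
    if not for_host:
        return False, "user is not allowed to run sudo on this host", authenticate
    for r in for_host:
        if command_matches(r, command):
            return True, "allowed", apply_options(r, authenticate)
    return False, "command not allowed", authenticate


if __name__ == "__main__":
    for args in [("jchavez", ["users"], "web01.example.org", "/sbin/service httpd restart"),
                 ("jchavez", ["users"], "db01.example.org", "/sbin/service httpd restart"),
                 ("nobody", [], "web01.example.org", "/bin/ls"),
                 ("dba", [], "db01.example.org", "/bin/ls")]:
        print(args, "->", evaluate(SAMPLE_LDIF, *args))
```

The defaults entry sets authenticate to false for every role unless a role (like cn=dbadmins above) explicitly turns it back on, which is the behaviour the Fedora clients in the thread show; a box that still prompts with such a directory is applying something outside this resolution, which is why the PAM stack is the next place to look.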


