[sudo-users] sudo + openldap + freebsd 7

François Mehault Francois.Mehault at netplus.fr
Tue May 26 06:04:51 EDT 2009

Hi all,

I am trying to configure sudo with my OpenLDAP on FreeBSD 7.0 and I am running into some difficulties. I read the documents on the website about LDAP (Sudoers LDAP Manual and README for LDAP). My problem is simple: it doesn't work. On FreeBSD I installed sudo with make config (selecting LDAP support), make and make install. I copied schema.openLDAP to /usr/local/etc/openldap/schema/sudo.schema and included it in slapd.conf (and restarted the slapd daemon). I added "sudoers: ldap" to /etc/nsswitch.conf. Here is an extract of my ldap.conf (/usr/local/etc/ldap.conf):


base    dc=netplus,dc=fr
uri     ldap://x.x.x.x:389
ldap_version 3
rootbinddn              cn=root,dc=netplus,dc=fr # with ldap.secret
timelimit               3
bind_timelimit          3
bind_policy             soft
pam_login_attribute     uid
pam_check_host_attr     yes
#pam_check_service_attr         yes
pam_groupdn             cn=pf_labobe1,ou=Plate-Forme,dc=netplus,dc=fr
pam_member_attribute    uniqueMember
sudoers_base            ou=SUDOers,dc=netplus,dc=fr
sudoers_debug           2

My problem :

<11:57>[labobe1:~]$ sudo visudo
LDAP Config Summary
uri          ldap://x.x.x.x:389
ldap_version 3
sudoers_base ou=SUDOers,dc=netplus,dc=fr
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  3000
timelimit    3
ssl          (no)
sudo: ldap_initialize(ld, ldap://
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)

sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=netplus,dc=fr
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap search '(|(sudoUser=fmehault)(sudoUser=%administrateur)(sudoUser=%stagiaire)(sudoUser=ALL))'
sudo: found:cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: ldap sudoRunAs 'ALL' ... MATCH!
sudo: Perfect Matched!
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x402
You can't come in. Our tiger has got flu
... and it used to be so popular...
Hold it up to the light --- not a brain in sight!
sudo: 3 incorrect password attempts
<11:57>[labobe1:~]$ whoami

On my openldap :

dn: ou=SUDOers,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: SUDOers

dn: cn=defaults,ou=sudoers,dc=netplus,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
objectClass: top
sudoHost: ALL
cn: roleAdmin
sudoCommand: ALL
sudoRunAs: ALL
sudoUser: fmehault

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
cn: Francois MEHAULT
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
objectClass: authorizedServiceObject
host: *
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
authorizedService: sshd
authorizedService: sudo

I did exactly the same thing on a Fedora 10 and it works perfectly. Can someone help me?
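As an added illustration (not code from the post, and not sudo's own implementation), the following Python models the sudoers-LDAP lookup stage that the debug output above traces: it builds the same `(|(sudoUser=...)(sudoUser=%group)...(sudoUser=ALL))` filter sudo logged, reads the cn=defaults entry for sudoOption values, then walks the sudoRole entries and checks sudoUser, sudoHost, sudoRunAs and sudoCommand in turn. It covers only that role-matching stage, which the log shows succeeding ("Perfect Matched!"); the password prompt that follows is handled by sudo's authentication (PAM) and is outside this example. The embedded LDIF is the ou=SUDOers data quoted in the post, copied here as constructed input. Simplifications, stated as assumptions: netgroups (`+name`), `!` negation and command arguments are not modelled, and a role without sudoRunAs is treated as root, which is sudo's documented default.

```python
"""Simplified model of sudo's LDAP sudoers lookup (added example, not sudo's code)."""
import base64
import fnmatch

# Constructed sample input: the sudoRole entries quoted in the post.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=netplus,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: SUDOers

dn: cn=defaults,ou=sudoers,dc=netplus,dc=fr
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog
sudoOption: env_keep+=SSH_AUTH_SOCK

dn: cn=roleAdmin,ou=SUDOers,dc=netplus,dc=fr
objectClass: sudoRole
objectClass: top
sudoHost: ALL
cn: roleAdmin
sudoCommand: ALL
sudoRunAs: ALL
sudoUser: fmehault
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Handles 'attr:: base64' values (e.g. the givenName in the post) and
    leading-space continuation lines; entries are separated by blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        if cur is None:
            cur = {}
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def sudo_filter(user, groups):
    """Search filter sudo builds for a user: own name, each %group, then ALL.
    Reproduces the shape of the filter in the post's debug output."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def _match_any(values, candidates):
    """True if any attribute value is ALL or glob-matches a candidate.
    Assumption: sudo's netgroup (+name) and negation (!) forms are not modelled."""
    for v in values:
        if v == "ALL":
            return True
        if any(fnmatch.fnmatchcase(c, v) for c in candidates):
            return True
    return False


def check(entries, user, groups, host, runas, command):
    """Return (allowed, matched_role_cn, options) for a sudo request.

    cn=defaults contributes sudoOption values only; other sudoRole entries are
    tried in order and the first whose user/host/runas/command all match wins.
    Assumption: command arguments are ignored; a role without sudoRunAs
    (or sudoRunAsUser) defaults to root, as sudo documents."""
    roles = [e for e in entries
             if "sudorole" in (oc.lower() for oc in e.get("objectclass", []))]
    options = []
    for e in roles:
        if e.get("cn", [""])[0].lower() == "defaults":
            options += e.get("sudooption", [])
    user_candidates = [user] + ["%" + g for g in groups]
    for e in roles:
        cn = e.get("cn", [""])[0]
        if cn.lower() == "defaults":
            continue
        runas_values = e.get("sudorunas") or e.get("sudorunasuser") or ["root"]
        if (_match_any(e.get("sudouser", []), user_candidates)
                and _match_any(e.get("sudohost", []), [host])
                and _match_any(runas_values, [runas])
                and _match_any(e.get("sudocommand", []), [command])):
            return True, cn, options + e.get("sudooption", [])
    return False, None, options


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(sudo_filter("fmehault", ["administrateur", "stagiaire"]))
    print(check(roles, "fmehault", ["administrateur", "stagiaire"],
                "labobe1", "root", "/usr/local/sbin/visudo"))
```

Running it against the post's data reproduces the logged filter and returns the roleAdmin match with the two sudoOption values from cn=defaults; a user with no matching sudoUser is refused before any host or command check is consulted.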