[sudo-users] sudo-ldap and precedence
Mark Janssen
maniac.nl at gmail.com
Mon Apr 26 11:49:47 EDT 2010
On Mon, Apr 26, 2010 at 4:35 PM, Andreas Heinlein <aheinlein at gmx.com> wrote:
> Hello,
>
> I have a problem configuring sudo-ldap under Ubuntu 9.10/10.04.
>
> We have
> a) the usual setup ($admin ALL=(ALL) ALL), where admins can execute any
> command, but have to enter their password
> b) some commands that everyone in the users group can execute *without*
> a password. At the moment, this works for "normal" users but not for
> users which are also in the admin group, these still have to enter
> their password (%users ALL NOPASSWD:/usr/bin/...).
>
> As I understand, order of entries should not matter since there is no
> guarantee that LDAP entries are returned in any particular order. But in
> this case it seems to matter because the first entry for the admin group
> seems to be the effective one, instead of the second one (the closer
> match). Is this intended behaviour? Is there any way to change this?
Can you post an LDIF of these rules?
Do you have a 'sudoOption: !authenticate' on your NOPASSWD rule?
What do your 'defaults' say?
--
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178 | ,''`. |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl | `. `' |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `- |