[sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

Dimidis, Nick nick.dimidis at hp.com
Wed Sep 14 03:44:18 EDT 2011

Hi Todd, 

Thank you for your prompt reply. 
The server in concern with the sudo problem I'm experiencing is a Solaris 10 zone. The ldap configuration file is 
# cat /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_SERVERS= aubwdrcuhp1.rcuad2.pci.edssdn.net
NS_LDAP_SEARCH_BASEDN= dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=rcuad2,dc=pci,dc=edssdn,dc=net?sub?uidNumber=*
NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=rcuad2,dc=pci,dc=edssdn,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
sudoers_debug 2

I edited the above, added the debug information and restarted the ldap client 
svcadm disable ldap/client
svcadm enable ldap/client
However, the ldap client service stayed in maintenance mode
# svcs -a | grep ldap
maintenance    17:43:36 svc:/network/ldap/client:default

I had a look in dmesg and found that it complained (see below) with 
Missing Name or Value on line 27. Line 27 contained "sudoers_debug 2"

Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27399]: [ID 293258 daemon.error] libsldap: Status: 0  Mesg:
Missing Name or Value on line 27.
Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27398]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc =
Sep 14 17:16:25 syd0488-z6 svc.startd[28967]: [ID 652011 daemon.warning] svc:/network/ldap/client:def
ault: Method "/lib/svc/method/ldap-client start" failed with exit status 1.
Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27401]: [ID 293258 daemon.error] libsldap: Status: 0  Mesg:
Missing Name or Value on line 27.

Would you know if there is another way to activate debugging?

Thank you for your assistance and your time 


Nick Dimidis 
Technical Consultant / Integration Engineering / HP Enterprise Services 
Telephone +61 3 88047239 Mobile +61 402892926 
Email nick.dimidis at hp.com 

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Tuesday, 13 September 2011 10:56 PM
To: Dimidis, Nick
Cc: sudo-users at sudo.ws; Stenger, Marcel; Kay, Martin
Subject: Re: [sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

Try adding the following to /etc/ldap.conf (or whatever ldap config
file your version of sudo was built to use).

sudoers_debug 2

Then, when you run sudo you will see a large amount of debugging
info related to sudo's use of LDAP which may help you track down
the problem.

 - todd

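One way to catch this before restarting the client, as an added example that is not part of the thread: a small Python check that flags lines in a Solaris ldap_client_file which do not follow the NS_LDAP_NAME= value shape, and points sudo keywords such as sudoers_debug back to the ldap.conf sudo was built to use. The sample file, the line-shape rule and the keyword list are assumptions, not libsldap's actual parser.

```python
import re

# Constructed sample modelled on the ldap_client_file in the thread; host and
# base DN are placeholders, and the last line is the directive that broke it.
LDAP_CLIENT_FILE = """\
# Do not edit this file manually; your changes will be lost.
NS_LDAP_SERVERS= ldap.example.test
NS_LDAP_SEARCH_BASEDN= dc=example,dc=test
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=example,dc=test
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
sudoers_debug 2
"""

# Assumed shape of a valid ldap_client_file line: an NS_LDAP_* name, '=', a value.
NS_LINE = re.compile(r"^(NS_LDAP_[A-Z_]+)=\s*(\S.*)$")

# Keywords that belong in sudo's own ldap config, not in ldap_client_file
# (sudoers_debug is the one from the thread; sudoers_base is sudo's base DN keyword).
SUDO_LDAP_KEYWORDS = {"sudoers_debug", "sudoers_base"}


def check_ldap_client_file(text):
    """Return [(lineno, keyword, hint)] for lines the NS_LDAP_ format would reject.

    Assumption: a non-comment line that is not 'NAME= value' is what libsldap
    reports as "Missing Name or Value"; this is a pre-restart sanity check only.
    """
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are fine
        if NS_LINE.match(stripped):
            continue  # well-formed NS_LDAP_ setting
        # First token before '=' or whitespace is the offending keyword
        keyword = re.split(r"[=\s]", stripped, maxsplit=1)[0]
        if keyword in SUDO_LDAP_KEYWORDS:
            hint = "sudo keyword; put it in the ldap.conf sudo was built to use"
        else:
            hint = "expected NS_LDAP_NAME= value"
        problems.append((lineno, keyword, hint))
    return problems


if __name__ == "__main__":
    for lineno, keyword, hint in check_ldap_client_file(LDAP_CLIENT_FILE):
        print(f"Missing Name or Value on line {lineno}: {keyword!r} ({hint})")
```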