[sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

Dimidis, Nick nick.dimidis at hp.com
Wed Sep 14 03:44:18 EDT 2011


Hi Todd, 

Thank you for your prompt reply. 
The server concerned with the sudo problem I'm experiencing is a Solaris 10 zone. The ldap configuration file is:
# cat /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= aubwdrcuhp1.rcuad2.pci.edssdn.net
NS_LDAP_SEARCH_BASEDN= dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=rcuad2,dc=pci,dc=edssdn,dc=net?sub?uidNumber=*
NS_LDAP_SERVICE_SEARCH_DESC= shadow:dc=rcuad2,dc=pci,dc=edssdn,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=rcuad2,dc=pci,dc=edssdn,dc=net
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
sudoers_debug 2

I edited the above, added the debug information and restarted the ldap client:
svcadm disable ldap/client
svcadm enable ldap/client
However, the ldap client service stayed in maintenance mode:
# svcs -a | grep ldap
maintenance    17:43:36 svc:/network/ldap/client:default

I had a look in dmesg and found that it complained (see below) with "Missing Name or Value on line 27". Line 27 contained "sudoers_debug 2".

Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27399]: [ID 293258 daemon.error] libsldap: Status: 0  Mesg: Missing Name or Value on line 27.
Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27398]: [ID 703877 daemon.error] ldap_cachemgr: failed (rc = 255).
Sep 14 17:16:25 syd0488-z6 svc.startd[28967]: [ID 652011 daemon.warning] svc:/network/ldap/client:default: Method "/lib/svc/method/ldap-client start" failed with exit status 1.
Sep 14 17:16:25 syd0488-z6 ldap_cachemgr[27401]: [ID 293258 daemon.error] libsldap: Status: 0  Mesg: Missing Name or Value on line 27.

Would you know if there is another way to activate debugging?

Thank you for your assistance and your time.

Regards, 

Nick Dimidis 
Technical Consultant / Integration Engineering / HP Enterprise Services 
Telephone +61 3 88047239 Mobile +61 402892926 
Email nick.dimidis at hp.com 


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Tuesday, 13 September 2011 10:56 PM
To: Dimidis, Nick
Cc: sudo-users at sudo.ws; Stenger, Marcel; Kay, Martin
Subject: Re: [sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

Try adding the following to /etc/ldap.conf (or whatever ldap config
file your version of sudo was built to use).

sudoers_debug 2

Then, when you run sudo you will see a large amount of debugging
info related to sudo's use of LDAP which may help you track down
the problem.

 - todd
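A pre-flight check for the failure described in this thread, added here as an example (not code from sudo or Solaris): it scans a Solaris ldap_client_file for lines that lack the NAME= value shape that ldap_cachemgr rejected as "Missing Name or Value", so the file can be validated before running `svcadm enable ldap/client`. The matching rule is an assumption approximating libsldap's parser, and the embedded file is a constructed, shortened stand-in for the one quoted in the message.

```python
"""Pre-flight syntax check for a Solaris ldap_client_file.

Added example, not code from sudo or Solaris. It approximates the
"Missing Name or Value" rule that ldap_cachemgr/libsldap reports:
every non-blank, non-comment line must be "NAME= value". The real
libsldap parser is not reproduced; this is an assumption.
"""
import re

# Assumed shape of a valid entry: NAME, "=", optional blanks, a value.
# The value may itself contain "=" (e.g. search descriptors), so the
# name is cut at the first "=" only.
_ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=\s*(\S.*)$")


def check_ldap_client_file(text):
    """Return [(line_number, message), ...] for lines that would be
    rejected. Numbering is 1-based over the whole file, comments
    included, matching how the daemon reports "line 27"."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are accepted
        if _ENTRY_RE.match(line) is None:
            problems.append((lineno, "Missing Name or Value"))
    return problems


# Constructed, shortened stand-in for the file quoted in the message;
# the stray sudo setting is on line 7 here (line 27 in the real file).
SAMPLE = """\
#
# Do not edit this file manually; your changes will be lost.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.invalid
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=example,dc=invalid?sub?uidNumber=*
sudoers_debug 2
"""

if __name__ == "__main__":
    for lineno, msg in check_ldap_client_file(SAMPLE):
        print(f"line {lineno}: {msg}")
```

The sudo setting itself belongs in the ldap.conf that sudo was built to use, as Todd's reply says, not in the ldapclient-managed file.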
