[sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD
Dimidis, Nick
nick.dimidis at hp.com
Thu Sep 15 02:16:05 EDT 2011
Hi Todd,
Thank you once again.
Problem fixed.
Although user authentication for login was established and working well as per the details defined via ldapclient in /var/ldap/ldap_client_file, there was no /etc/ldap.conf on the server.
I established
# cat /etc/ldap.conf
host aubwdrcuhp1.rcuad2.pci.edssdn.net
uri ldap://aubwdrcuhp1.rcuad2.pci.edssdn.net
binddn CN=RCUAD Proxy Agent,OU=Service Accounts,OU=Leveraged,DC=rcuad2,DC=pci,DC=edssdn,DC=net
bindpw xxxxxxxxx
base dc=rcuad2,dc=pci,dc=edssdn,dc=net
sudoers_base ou=sudoers,dc=rcuad2,dc=pci,dc=edssdn,dc=net
tls_cert /var/ldap
tls_key /var/ldap
sudoers_debug 1
and it all worked well, as you can see below:
$ hostname
syd0488-z6
$ id
uid=488(rz1lr2) gid=500(edsunix)
$ /opt/GMOsudo/bin/sudo su - oracle
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=rz1lr2)(sudoUser=%edsunix)(sudoUser=ALL))'
sudo: found:CN=/bin/su - oracle,OU=syd0753,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: found:CN=/bin/su - ebx oracle,OU=syd0753,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: found:CN=/bin/su - oracle,OU=syd0488-z6,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
Password:
|-------------------------------------------------------------------|
| Use of this network is restricted to authorized users only. User |
| activity may be monitored and/or recorded. Anyone using this |
| network expressly consents to such monitoring and/or recording. |
| BE ADVISED: if possible criminal activity is detected, these |
| records, along with certain personal information, may be provided |
| to law enforcement officials. |
|-------------------------------------------------------------------|
$ id
uid=5000(oracle) gid=27001(dba)
Once again, thank you for your help.
Nick Dimidis
Technical Consultant / Integration Engineering / HP Enterprise Services
Telephone +61 3 88047239 Mobile +61 402892926
Email nick.dimidis at hp.com
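An added sanity check for a sudo-style ldap.conf such as the one above; it is not part of this thread or of sudo itself. It parses the keyword/value lines, flags keywords sudo's LDAP backend would not recognise (sudo skips unknown keywords rather than rejecting them, so a misspelled tls_key is silently dropped), and warns when bindpw sits in a group- or world-readable file or sudoers_debug is left on. The keyword list is my reading of sudoers.ldap(5) for sudo 1.7, and the sample host and password are constructed placeholders.

```python
import stat

# Keywords sudo 1.7's LDAP backend understands (subset; see sudoers.ldap(5)).
SUDO_KEYWORDS = {
    "uri", "host", "port", "ldap_version", "bind_timelimit", "timelimit",
    "sudoers_base", "sudoers_debug", "binddn", "bindpw", "rootbinddn",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacert", "tls_cacertdir",
    "tls_randfile", "tls_ciphers", "tls_cert", "tls_key", "use_sasl",
    "sasl_auth_id", "rootuse_sasl", "rootsasl_auth_id", "sasl_secprops", "krb5_ccname",
}
# nss_ldap/pam_ldap keyword that often shares the file; sudo simply skips it.
SHARED_KEYWORDS = {"base"}


def parse_ldap_conf(text):
    """Return [(keyword, value), ...], skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def check_ldap_conf(text, mode=0o600):
    """Return findings (list of str); mode = os.stat(path).st_mode & 0o777."""
    findings, seen = [], {}
    for key, value in parse_ldap_conf(text):
        seen.setdefault(key, []).append(value)
        if key not in SUDO_KEYWORDS and key not in SHARED_KEYWORDS:
            findings.append(f"unknown keyword '{key}': sudo ignores keywords it does not recognise")
    if "sudoers_base" not in seen:
        findings.append("sudoers_base missing: sudo has nowhere to search for sudoRole entries")
    if "uri" not in seen and "host" not in seen:
        findings.append("neither uri nor host set: no directory server to contact")
    if "bindpw" in seen and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw in a group/world-readable file: restrict it to mode 0600")
    if any(v not in ("", "0") for v in seen.get("sudoers_debug", [])):
        findings.append("sudoers_debug enabled: LDAP lookup detail printed on every sudo run")
    return findings


# Constructed sample modelled on the thread (placeholder host and password).
SAMPLE = """\
host ldap.example.invalid
bindpw PLACEHOLDER
base dc=example,dc=invalid
sudoers_base ou=sudoers,dc=example,dc=invalid
tls_keky /var/ldap
sudoers_debug 1
"""
```

Calling check_ldap_conf(SAMPLE, mode=0o644) reports the misspelled tls_key, the readable bindpw and the debug flag; on a real host pass the contents of the path that `sudo -V | grep ldap.conf` prints.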
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Wednesday, 14 September 2011 10:16 PM
To: Dimidis, Nick
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD
The "sudoers_debug 2" line needs to be in ldap.conf, not
/var/ldap/ldap_client_file which uses a different format.
You can find the path to ldap.conf that was compiled into
your sudo binary by running:
sudo -V | grep ldap.conf
as root. E.g.
# sudo -V | grep ldap.conf
ldap.conf path: /etc/ldap.conf
- todd