[sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

Dimidis, Nick nick.dimidis at hp.com
Thu Sep 15 02:16:05 EDT 2011

Hi Todd, 

Thank you once again. 

Problem fixed. 

Although user authentication for login was established and working well as per details defined via ldapclient in /var/ldap/;dap_client_file, there was no /etc/ldap.conf on the server

I established 
# cat /etc/ldap.conf
host aubwdrcuhp1.rcuad2.pci.edssdn.net
uri ldap://aubwdrcuhp1.rcuad2.pci.edssdn.net
binddn CN=RCUAD Proxy Agent,OU=Service Accounts,OU=Leveraged,DC=rcuad2,DC=pci,DC=edssdn,DC=net
bindpw xxxxxxxxx
base dc=rcuad2,dc=pci,dc=edssdn,dc=net
sudoers_base ou=sudoers,dc=rcuad2,dc=pci,dc=edssdn,dc=net
tls_cert /var/ldap
tls_keky /var/ldap
sudoers_debug 1

and it all worked well as you can see below 

$ hostname
$ id
uid=488(rz1lr2) gid=500(edsunix)

$ /opt/GMOsudo/bin/sudo su - oracle
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=rz1lr2)(sudoUser=%edsunix)(sudoUser=ALL))'
sudo: found:CN=/bin/su - oracle,OU=syd0753,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: found:CN=/bin/su - ebx oracle,OU=syd0753,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: found:CN=/bin/su - oracle,OU=syd0488-z6,OU=sudoers,DC=rcuad2,DC=pci,DC=edssdn,DC=net
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02

| Use of this network is restricted to authorized users only. User  |
| activity may be monitored and/or recorded. Anyone using this      |
| network expressly consents to such monitoring and/or recording.   |
| BE ADVISED: if possible criminal activity is detected, these      |
| records, along with certain personal information, may be provided |
| to law enforcement officials.                                     |

$ id
uid=5000(oracle) gid=27001(dba)

Once again, thank you for help

Nick Dimidis 
Technical Consultant / Integration Engineering / HP Enterprise Services 
Telephone +61 3 88047239 Mobile +61 402892926 
Email nick.dimidis at hp.com 

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Wednesday, 14 September 2011 10:16 PM
To: Dimidis, Nick
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Solaris 10 GMOsudo 1.7.0 integration with AD

The "sudoers_debug 2" line needs to be in ldap.conf, not
/var/ldap/ldap_client_file which uses a different format.

You can find the path to ldap.conf that was compiled into
your sudo binary by running:

    sudo -V | grep ldap.conf

as root.  E.g.

    # sudo -V | grep ldap.conf
    ldap.conf path: /etc/ldap.conf

 - todd

More information about the sudo-users mailing list