Creating sudoers access


6:50 am
November 25, 2009


doughairfield

NC

Member

posts 9

I'm stuck on getting sudoers access to work on the directory server. So far, I have done the following via the GUI:

Created a new ou called SUDOers under my main base dn

Under the SUDOers OU, I created a new object sudorole via new->other

Next I added 2 attributes to it, sudocommand and sudouser

on the client machine I put the following in /etc/ldap.conf:

sudoers_base  ou=SUDOers,dc=bronto,dc=com

unfortunately, it doesn't seem to allow me to sudo anything.  I turned on debug and got this output.

LDAP Config Summary
===================
uri ldap://eng1.bronto.com/
ldap_version 3
sudoers_base ou=SUDOers,dc=bronto,dc=com
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 120000
timelimit 120
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://eng1.bronto.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_start_tls_s() ok
sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=doug)(sudoUser=%users)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(0)=0x44

8:02 am
November 25, 2009


consultant

Admin

posts 341

Please see Linux LDAP authentication. Basically, you need to

  1. Make sure your users and groups in LDAP are properly configured
  2. The sudo in RHEL/CentOS 5 does not work with non-local accounts like LDAP accounts. Install the sudo in Fedora 8 instead.

3:02 pm
November 30, 2009


doughairfield

NC

Member

posts 9

Thanks, that was the problem.  

5:10 pm
December 8, 2009


doughairfield

NC

Member

posts 9

So I went a little further and implemented the Netgroup access control in /etc/security/access.netgroup.conf to require nisnetgroup triples and deny everyone else:

+ : @prodengineering@@Servers : 172.19.0.0/255.255.0.0
- : ALL : ALL

via the netgroup howto on http://directory.fedoraproject…..:Netgroups

Unfortunately this now breaks my ability to run sudo, with this error message in /etc/log/secure:

sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/4 ruser= rhost=  user=foo
sudo: pam_access(sudo:account): access denied for user `foo' from `pts/4'

I know that my SUDOers access is working via my debug output, but I can't for the life of me (or Google) figure out what I need to do to pam to get this working.

5:26 am
December 19, 2009


consultant

Admin

posts 341

When specifying the nisnetgroup triple, do not include the domain name as described in the Fedora site.

Ex.

(,user1,)
(machine1,,)

See http://www.sunhelp.org/faq/nis…..html#nis22
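To make the debug output in the first post (the sudoUser search filter and the user_matches/host_matches flags) and the netgroup triples in the reply above concrete, here is an added Python model of how sudo-ldap matches a sudoRole entry; it is not code from this thread or from sudo itself, and the sudoRole entry, netgroup names and hostname are constructed samples.

```python
import fnmatch
# Constructed sample data (not from the thread): a sudoRole entry like the first
# post's, and netgroup triples in the (host,user,domain) form the later reply recommends.
SUDO_ROLE = {
    "sudoUser": ["+prodengineering"],
    "sudoHost": ["+Servers"],
    "sudoCommand": ["/usr/bin/yum", "/sbin/service"],
}
NETGROUPS = {
    "prodengineering": [("", "doug", "")],     # user-only triples, no domain
    "Servers": [("eng1.bronto.com", "", "")],  # host-only triples, no domain
}

def sudo_user_filter(user, groups):
    """Filter sudo-ldap logs, e.g. (|(sudoUser=doug)(sudoUser=%users)(sudoUser=ALL))."""
    parts = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    return "(|" + "".join(parts) + "(sudoUser=ALL))"

def in_netgroup(name, host=None, user=None):
    """innetgr(3) semantics: an empty triple field, or one the caller passes as None,
    matches anything, so a host-only triple in a sudoUser netgroup matches every user."""
    for h, u, _domain in NETGROUPS.get(name, []):
        if (host is None or not h or h.lower() == host.lower()) and \
           (user is None or not u or u == user):
            return True
    return False

def user_matches(entry, user, groups):
    """sudoUser values: literal name, %group, +netgroup, or ALL."""
    for val in entry.get("sudoUser", []):
        if val == "ALL" or val == user:
            return True
        if val.startswith("%") and val[1:] in groups:
            return True
        if val.startswith("+") and in_netgroup(val[1:], user=user):
            return True
    return False

def host_matches(entry, host):
    """sudoHost values: ALL, a hostname glob, or +netgroup."""
    for val in entry.get("sudoHost", []):
        if val == "ALL" or fnmatch.fnmatchcase(host, val):
            return True
        if val.startswith("+") and in_netgroup(val[1:], host=host):
            return True
    return False

def sudo_ldap_check(entry, user, groups, host):
    """Return (user_matches, host_matches), the two flags the debug output prints."""
    return user_matches(entry, user, groups), host_matches(entry, host)
```

Both flags must be true for the role to apply, which is why a user_matches=0 in the debug output means the sudoUser values (or the netgroup they name) never matched the calling user.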

4:34 pm
January 18, 2010


doughairfield

NC

Member

posts 9

consultant said:

Please see Linux LDAP authentication. Basically, you need to

  1. Make sure your users and groups in LDAP are properly configured
  2. The sudo in RHEL/CentOS 5 does not work with non-local accounts like LDAP accounts. Install the sudo in Fedora 8 instead.

Do you know if this is also the case for RHEL/CentOS4? I've tried to get sudo working in the same manner as CentOS5 and it's not looking up against my LDAP entries. Is there a similar workaround?
