I can't get root level access rights(sudo) from ldap
- To: openldap-technical@openldap.org
- Subject: I can't get root level access rights(sudo) from ldap
- From: Zengming Zhang <nicegiving@gmail.com>
- Date: Sat, 13 Mar 2010 18:28:08 +0800
Hi everyone:
Please help me; I can't get root level access rights (sudo) from
LDAP. When I try to use the sudo command, there is an error report:
"user is not in the sudoers file. This incident will be reported."
I am going to build a cluster system: there is a file server and some
client computers. The operating system of the file server is Red Hat
Enterprise Linux v5.3, and the clients' is Ubuntu 8.10 desktop edition.
When users log in on a client, the client will get the user
authorization info from the server and mount their HOME folder automatically.
I installed the openldap server (openldap-2.3.43-3.el5) on the file server, and
use the libnss-ldapd, libpam-ldap, auth-client-config,
ldap-auth-client and ldap-auth-config packages to change the client's user
authorization methods.
But the problem is: I can indeed get user authorization info from the ldap
server, but I can't get root level access rights from the ldap server,
having followed the steps here:
http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
##################
My server configurations are:
[1]/etc/openldap/slapd.conf:
------------------------------
The sudoers.schema has been included and indexed:
include /etc/openldap/schema/sudoers.schema
index sudoUser eq
[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server
[3]Some contents in ldap database:
------------------------------
# SUDOers, file-server
dn: ou=SUDOers,dc=file-server
ou: SUDOers
objectClass: top
objectClass: organizationalUnit
# %sysadmins, SUDOers, file-server
dn: cn=%sysadmins,ou=SUDOers,dc=file-server
objectClass: top
objectClass: sudoRole
cn: %sysadmins
sudoUser: %sysadmins
sudoHost: ALL
sudoCommand: ALL
(sysadmins is a group that I created in my ldap server; what I want
is that users in this group can get root level access rights.)
##################
##################
My client configurations are:
[1]sudo-ldap:
------------------------------
A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been
installed.
[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server
[3]/etc/nsswitch.conf
------------------------------
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
# added by zengming, for sudo issue.
sudoers: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
[4]I can indeed see that the user is in the sysadmins group, as authorized
by the ldap server:
jingna@zzm-desktop:~$ id
uid=10001(jingna) gid=10000(bioinf) groups=10000(bioinf),10004(sysadmins)
##################
So, does anyone have any ideas? Please let me know; thanks very much in advance!
Best wishes,
Zengming
--
Zengming Zhang <nicegiving@gmail.com>
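An added example, not part of the message above and not sudo's own code: a small Python model of how the sudoers LDAP backend evaluates sudoRole entries (sudoUser as a login name, %group or ALL; sudoHost as a hostname or ALL; sudoCommand as ALL, a path glob, or a "!"-negated path). The LDIF is a constructed copy of the two entries quoted in the message, and the group list passed in stands for what sudo obtains from NSS for the invoking user (which is why "group: files ldap" in nsswitch.conf matters for %group rules). Running it shows that the data itself should grant jingna ALL commands, which narrows a failure like the one reported to the lookup path (the configuration file the sudo-ldap build actually reads, the sudoers_base it uses, and whether the LDAP bind it performs is allowed to read ou=SUDOers) rather than to the entry. Netgroup (+name) matching for hosts and the full ordering rules of sudo are simplified here.

```python
"""Model of sudo's LDAP sudoRole matching (added example, not sudo's code)."""
import fnmatch

# Constructed sample LDIF, copied from the entries in the message.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=file-server
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=%sysadmins,ou=SUDOers,dc=file-server
objectClass: top
objectClass: sudoRole
cn: %sysadmins
sudoUser: %sysadmins
sudoHost: ALL
sudoCommand: ALL
"""


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64 '::' values) into dicts of lists."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sudo_roles(entries):
    """Only entries of objectClass sudoRole carry sudo rules."""
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(spec, user, groups, netgroups=()):
    """sudoUser: ALL, %unixgroup, +netgroup, or a plain login name."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups       # group list comes from NSS in real sudo
    if spec.startswith("+"):
        return spec[1:] in netgroups
    return spec == user


def host_matches(spec, hostname, fqdn=None):
    """sudoHost: ALL, short hostname or FQDN (host netgroups not modelled)."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return False
    return spec == hostname or (fqdn is not None and spec == fqdn)


def matching_roles(entries, user, groups, hostname, fqdn=None, netgroups=()):
    """Roles whose sudoUser and sudoHost both apply to this user on this host."""
    hits = []
    for role in sudo_roles(entries):
        if (any(user_matches(s, user, groups, netgroups) for s in role.get("sudoUser", []))
                and any(host_matches(s, hostname, fqdn) for s in role.get("sudoHost", []))):
            hits.append(role)
    return hits


def command_allowed(entries, user, groups, hostname, command, fqdn=None):
    """Last matching sudoCommand wins; a leading '!' denies the command."""
    allowed = False
    for role in matching_roles(entries, user, groups, hostname, fqdn):
        for spec in role.get("sudoCommand", []):
            negate = spec.startswith("!")
            pattern = spec[1:] if negate else spec
            if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
                allowed = not negate
    return allowed


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    # Group list mirrors the `id` output in the message (constructed inputs).
    for user, groups in (("jingna", ["bioinf", "sysadmins"]), ("guest", ["bioinf"])):
        ok = command_allowed(roles, user, groups, "zzm-desktop", "/bin/ls")
        print(f"{user}: /bin/ls {'allowed' if ok else 'denied'}")
```

If this reports "allowed" for a user whose `id` shows the group but real sudo still says the user is not in the sudoers file, the next things to check are which ldap.conf the sudo-ldap binary consults, that sudoers_base matches the DN where the sudoRole entries live, and that an `ldapsearch` under the same bind credentials sudo uses can actually return the entry.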