On Sat, Mar 13, 2010 at 11:28, Zengming Zhang
<nicegiving@gmail.com> wrote:
Hi everyone:
Please help me, I can't get root level access rights(sudo) from
ldap.When I try to use sudo command, there is an error report:
"user is not in the sudoers file. This incident will be reported."
I am going to build a cluster systems, there is a file server and some
client computers. The operating system of file server is Redhat
Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition.
When users login on a client, the client will get user
authorization info from server and mount its HOME folder automatically.
I installed openldap server(openldap-2.3.43-3.el5) on file-server, and
use libnss-ldapd, libpam-ldap, auth-client-config
ldap-auth-client and ldap-auth-config packages to change client's user
authorization methods.
But the problem is I do can get user authorization info from the ldap
server, but I can't get root level access rights from ldap server as
followed the steps here:
http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
##################
My server configurations are:
[1]/etc/openldap/slapd.conf:
------------------------------
The sudoers.schema has been included and indexed:
include /etc/openldap/schema/sudoers.schema
index sudoUser eq
[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server
[3]Some contents in ldap database:
------------------------------
# SUDOers, file-server
dn: ou=SUDOers,dc=file-server
ou: SUDOers
objectClass: top
objectClass: organizationalUnit
# %sysadmins, SUDOers, file-server
dn: cn=%sysadmins,ou=SUDOers,dc=file-server
objectClass: top
objectClass: sudoRole
cn: %sysadmins
sudoUser: %sysadmins
sudoHost: ALL
sudoCommand: ALL
(sysadmins is a group name that I created in my ldap server, what I want
is user in this group can get root level access rights.)
##################
##################
My client configurations are:
[1]sudo-ldap:
------------------------------
A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been
installed.
[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server
[3]/etc/nsswitch.conf
------------------------------
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat
passwd: files ldap
# pre_auth-client-config # group: compat
group: files ldap
# pre_auth-client-config # shadow: compat
shadow: files ldap
# added by zengming, for sudo issue.
sudoers: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis
[4]I do can see that the user is in the sysadmins group as authorized
from ldap server:
jingna@zzm-desktop:~$ id
uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins)
##################
So, any ideas of you? Please let me know, thanks very much in advance!
Best wishes,
Zengming
--
Zengming Zhang <nicegiving@gmail.com>