[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: I can't get root level access rights(sudo) from ldap
On Saturday, 13 March 2010 11:28:08 Zengming Zhang wrote:
> Hi everyone:
>
> Please help me, I can't get root level access rights(sudo) from
> ldap.When I try to use sudo command, there is an error report:
> "user is not in the sudoers file. This incident will be reported."
>
> I am going to build a cluster systems, there is a file server and some
> client computers. The operating system of file server is Redhat
> Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition.
> When users login on a client, the client will get user
> authorization info from server and mount its HOME folder automatically.
>
> I installed openldap server(openldap-2.3.43-3.el5) on file-server, and
> use libnss-ldapd, libpam-ldap, auth-client-config
> ldap-auth-client and ldap-auth-config packages to change client's user
> authorization methods.
>
> But the problem is I do can get user authorization info from the ldap
> server, but I can't get root level access rights from ldap server as
> followed the steps here:
> http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
>
> ##################
> My server configurations are:
>
> [1]/etc/openldap/slapd.conf:
> ------------------------------
> The sudoers.schema has been included and indexed:
> include /etc/openldap/schema/sudoers.schema
> index sudoUser eq
>
> [2]/etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
>
> [3]Some contents in ldap database:
> ------------------------------
> # SUDOers, file-server
> dn: ou=SUDOers,dc=file-server
> ou: SUDOers
> objectClass: top
> objectClass: organizationalUnit
>
> # %sysadmins, SUDOers, file-server
> dn: cn=%sysadmins,ou=SUDOers,dc=file-server
> objectClass: top
> objectClass: sudoRole
> cn: %sysadmins
> sudoUser: %sysadmins
> sudoHost: ALL
> sudoCommand: ALL
>
> (sysadmins is a group name that I created in my ldap server, what I want
> is user in this group can get root level access rights.)
> ##################
>
> ##################
> My client configurations are:
>
> [1]sudo-ldap:
> ------------------------------
> A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been
> installed.
>
> [2]/etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
>
> [3]/etc/nsswitch.conf
> ------------------------------
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> # pre_auth-client-config # passwd: compat
> passwd: files ldap
> # pre_auth-client-config # group: compat
> group: files ldap
> # pre_auth-client-config # shadow: compat
> shadow: files ldap
>
> # added by zengming, for sudo issue.
> sudoers: ldap files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> # pre_auth-client-config # netgroup: nis
> netgroup: nis
>
> [4]I do can see that the user is in the sysadmins group as authorized
> from ldap server:
> jingna@zzm-desktop:~$ id
> uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins)
> ##################
>
> So, any ideas of you? Please let me know, thanks very much in advance!
Did you confirm that when you run 'sudo -l' or similar, sudo is actually doing
an LDAP search?
Did you enable debugging in the sudo LDAP support, by e.g. adding:
sudoers_debug 2
to /etc/ldap.conf ?
Can you provide 'sudo -l' output?
Regards,
Buchan