
Re: I can't get root level access rights(sudo) from ldap



On Saturday, 13 March 2010 11:28:08 Zengming Zhang wrote:
> Hi everyone:
> 
> 	Please help me, I can't get root level access rights (sudo) from
> ldap. When I try to use the sudo command, there is an error report:
> 	"user is not in the sudoers file.  This incident will be reported."
> 
> 	I am going to build a cluster systems, there is a file server and some
> client computers. The operating system of file server is Redhat
> Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition.
>         When users login on a client, the client will get user
> authorization info from server and mount its HOME folder automatically.
> 
> 	I installed openldap server(openldap-2.3.43-3.el5) on file-server, and
> use libnss-ldapd, libpam-ldap, auth-client-config
> ldap-auth-client and ldap-auth-config packages to change client's user
> authorization methods.
> 
> 	But the problem is that I can get user authorization info from the ldap
> server, but I can't get root level access rights from the ldap server,
> having followed the steps here:
> http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
> 
> ##################
> My server configurations are:
> 
> [1]/etc/openldap/slapd.conf:
> ------------------------------
> The sudoers.schema has been included and indexed:
> include         /etc/openldap/schema/sudoers.schema
> index sudoUser                          eq
> 
> [2]/etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
> 
> [3]Some contents in ldap database:
> ------------------------------
> # SUDOers, file-server
> dn: ou=SUDOers,dc=file-server
> ou: SUDOers
> objectClass: top
> objectClass: organizationalUnit
> 
> # %sysadmins, SUDOers, file-server
> dn: cn=%sysadmins,ou=SUDOers,dc=file-server
> objectClass: top
> objectClass: sudoRole
> cn: %sysadmins
> sudoUser: %sysadmins
> sudoHost: ALL
> sudoCommand: ALL
> 
> (sysadmins is a group name that I created in my ldap server, what I want
> is user in this group can get root level access rights.)
> ##################
> 
> ##################
> My client configurations are:
> 
> [1]sudo-ldap:
> ------------------------------
> A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2  has been
> installed.
> 
> [2]/etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
> 
> [3]/etc/nsswitch.conf
> ------------------------------
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> # pre_auth-client-config # passwd:         compat
> passwd: files ldap
> # pre_auth-client-config # group:          compat
> group: files ldap
> # pre_auth-client-config # shadow:         compat
> shadow: files ldap
> 
> # added by zengming, for sudo issue.
> sudoers: ldap files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> # pre_auth-client-config # netgroup:       nis
> netgroup: nis
> 
> [4]I can see that the user is in the sysadmins group as authorized
> from the ldap server:
> jingna@zzm-desktop:~$ id
> uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins)
> ##################
> 
> So, any ideas of you? Please let me know, thanks very much in advance!

Did you confirm that when you run 'sudo -l' or similar, sudo is actually doing 
an LDAP search?

Did you enable debugging in the sudo LDAP support, by e.g. adding:

sudoers_debug 2

to /etc/ldap.conf ?


Can you provide 'sudo -l' output?

Regards,
Buchan
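As an added example (not code from the thread or from sudo itself), here is a small offline Python model of the lookup sudo-ldap performs: it builds the sudoUser filter for a user's name and groups, and evaluates the sudoRole entry quoted above for a given host and command. The user, groups and host are taken from the `id` output in the message; the objectClass clause in the filter is an approximation of what sudo sends.

```python
# Offline model of the sudoers-LDAP lookup (added example, not sudo's own code).
# Useful to compare against what `sudoers_debug 2` prints in the real search.

# Constructed sample: the LDIF quoted in the thread's "[3]Some contents in ldap database".
LDIF = """\
dn: ou=SUDOers,dc=file-server
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=%sysadmins,ou=SUDOers,dc=file-server
objectClass: top
objectClass: sudoRole
cn: %sysadmins
sudoUser: %sysadmins
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Parse simple single-line-attribute LDIF into a list of {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

ENTRIES = parse_ldif(LDIF)

def sudo_user_filter(user, groups):
    """Approximation of the sudoUser filter sudo builds (netgroup terms omitted)."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups] + ["(sudoUser=ALL)"]
    return "(&(objectClass=sudoRole)(|" + "".join(terms) + "))"

def matching_roles(entries, user, groups):
    """sudoRole entries whose sudoUser names the user, one of the groups, or ALL."""
    wanted = {user, "ALL"} | {f"%{g}" for g in groups}
    return [e for e in entries
            if "sudoRole" in e.get("objectClass", []) and wanted & set(e.get("sudoUser", []))]

def command_allowed(entries, user, groups, host, command):
    """True if some matching role lists the host (or ALL) and the command (or ALL)."""
    for role in matching_roles(entries, user, groups):
        if not any(h in ("ALL", host) for h in role.get("sudoHost", [])):
            continue
        if any(c in ("ALL", command) for c in role.get("sudoCommand", [])):
            return True
    return False
```

Note that the groups passed in are whatever the client's NSS group lookup returns at sudo time; if `sysadmins` is missing from that list, the role above never matches even though the LDAP entry is correct.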