pam services under LDAP
- To: openldap-technical@openldap.org
- Subject: pam services under LDAP
- From: bluethundr <bluethundr@gmail.com>
- Date: Mon, 8 Nov 2010 16:16:51 -0500
Hello List,
I am attempting to set up various PAM modules to consult our new LDAP
services in order to do what they need to do. My LDAP server is FreeBSD
but the clients are CentOS...
I have set up my /etc/pam.d/sudo file on the client (for example) this
way in an attempt to accomplish this via LDAP:
[root@VIRCENT03:~]#cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
auth required pam_ldap.so
account include system-auth
account required pam_ldap.so
password include system-auth
password required pam_ldap.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_ldap.so
But even though the user is part of the %wheel group under LDAP, they are
unable to sudo to any other account (including root). If I try to sudo,
this is what happens:
[bluethundr@VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file. This incident will be reported.
It would appear that sudo support for LDAP is compiled in:
[root@VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)
This is how I set up my ldap.conf file:
[root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
In my OpenLDAP logs on the LDAP server there appears to be no activity
when I sudo. However, in the secure logs on the client I do:
Nov 8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=500)
Nov 8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened for user bluethundr by bluethundr(uid=0)
Nov 8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash
Conversely, when I sudo via LDAP on my FreeBSD LDAP server, this is what I see:
Nov 8 19:44:25 LBSD2 sudo: bluethundr : TTY=pts/11 ; PWD=/usr/home/bluethundr ; USER=root ; COMMAND=/bin/bash
Nov 8 19:44:51 LBSD2 sudo: bluethundr : TTY=pts/10 ; PWD=/usr/home/bluethundr ; USER=root ; COMMAND=/bin/bash
Works there!
I do see other events in secure.log that appear to be PAM successes,
however. Am I interpreting this correctly that at least part of the
system is communicating with PAM on the LDAP server?
Thanks
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
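Added example, not part of the post above. Two things are easy to conflate when reading the logs in this thread: the pam_ldap lines in /etc/pam.d/sudo only govern authentication (the password prompt), whereas "user NOT in sudoers" is emitted afterwards by sudo's own policy lookup, and that lookup reads sudo's LDAP configuration (by default /etc/ldap.conf per sudoers.ldap(5), not the OpenLDAP client library's /etc/openldap/ldap.conf) and, on sudo versions that consult it, a "sudoers: files ldap" line in /etc/nsswitch.conf. An empty slapd log during the attempt means no sudoRole query was ever sent. The script below shows what that query looks like and how sudoRole entries are matched, so the directory side can be checked independently of the client. It parses a constructed LDIF (assumed to be what an ldapsearch under the thread's sudoers_base might return; the entries, the hostname LBSD2 and the backup role are illustrative) and evaluates sudoUser / sudoHost / sudoCommand with a simplified reading of sudoers.ldap(5): user name, %group or ALL; host name, glob or ALL; command path, glob or ALL. Netgroups, negations, sudoOption and command arguments are not modelled.

```python
"""Evaluate sudoRole entries the way sudo's LDAP backend matches them.

Added example, not code from the original post or from the sudo project.
The LDIF is constructed for illustration; the matching rules are a
simplified reading of sudoers.ldap(5).
"""
import fnmatch
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: roughly what
#   ldapsearch -x -b ou=sudoers,ou=Services,dc=acadaca,dc=net '(objectClass=sudoRole)'
# might return for this thread's directory.  Not taken from the post.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty

dn: cn=wheel,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=backup,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: backup
sudoUser: backup
sudoHost: LBSD2
sudoCommand: /usr/local/bin/rsnapshot
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse minimal LDIF (no base64 values, no line continuations).

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive; values are kept as-is."""
    entries: List[Entry] = []
    cur: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def sudo_user_filter(user: str, groups: List[str]) -> str:
    """Shape of the search filter sudo's LDAP backend sends for a user
    (per sudoers.ldap(5)): the login name, each %group, or ALL.  This is
    the query that should show up in slapd's log when sudo runs."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return f"(&(objectClass=sudoRole)(|{''.join(terms)}))"


def user_matches(entry: Entry, user: str, groups: List[str]) -> bool:
    for spec in entry.get("sudouser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False                          # e.g. the cn=defaults entry


def host_matches(entry: Entry, host: str) -> bool:
    return any(spec == "ALL" or fnmatch.fnmatchcase(host, spec)
               for spec in entry.get("sudohost", []))


def command_matches(entry: Entry, command: str) -> bool:
    return any(spec == "ALL" or fnmatch.fnmatchcase(command, spec)
               for spec in entry.get("sudocommand", []))


def may_run(entries: List[Entry], user: str, groups: List[str],
            host: str, command: str) -> bool:
    """True if some sudoRole grants user@host the command."""
    return any(
        "sudorole" in (c.lower() for c in e.get("objectclass", []))
        and user_matches(e, user, groups)
        and host_matches(e, host)
        and command_matches(e, command)
        for e in entries
    )


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(sudo_user_filter("bluethundr", ["wheel"]))
    # The same role data answers identically for both hosts in the thread,
    # so a denial on one client alone points at that client's sudo/LDAP
    # configuration, not at the directory contents.
    for host in ("VIRCENT03", "LBSD2"):
        print(host, may_run(roles, "bluethundr", ["wheel"], host, "/bin/bash"))
    print("backup@LBSD2", may_run(roles, "backup", [], "LBSD2", "/usr/local/bin/rsnapshot"))
    print("backup@VIRCENT03", may_run(roles, "backup", [], "VIRCENT03", "/usr/local/bin/rsnapshot"))
```

The group list passed to may_run stands in for what the client resolves through NSS; if getent group wheel on the CentOS box does not list the user, the %wheel role cannot match there even though the sudoRole entry is correct, which is a separate failure from sudo never querying LDAP at all.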