Re: pam services under LDAP



On Monday, 8 November 2010 22:16:51 bluethundr wrote:
> Hello List
> 
> 
>  I am attempting to set up various pam modules to consult our new LDAP
> services in order to do what it needs to do. My LDAP server is FreeBSD
> but the clients are CentOS...
> 
>  I have set up my /etc/pam.d sudo

If you have already set up /etc/pam.d/system-auth for LDAP (e.g. with 
authconfig), you should not need to make changes to other pam service files.

However, it appears your problem isn't authentication:

> but even though the user is part of the %wheel group under LDAP it is
> unable to sudo to any other account (including root). If I try to sudo
> this is what happens:
> 
> [bluethundr@VIRCENT03:~]#sudo bash
> [sudo] password for bluethundr:
> bluethundr is not in the sudoers file.  This incident will be reported.

So authentication works. PAM doesn't do anything further here ...

> It would appear that sudo support for ldap is compiled in:
> 
> [root@VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
> 	libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)

Well, now we are getting away from your $subject, which was asking about pam. 
This has *nothing* to do with PAM (applications wanting to authenticate via 
pam_ldap don't need to be linked to libldap).

> This is how I setup my ldap.conf file
> 
> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
[...]
> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

sudo+ldap looks for that in /etc/ldap.conf. Please don't mix /etc/ldap.conf 
and /etc/openldap/ldap.conf.

> In my openldap logs on the LDAP server there appears to be no activity
> when I sudo. However, in the secure logs on the client I do...

[..]

> Works there!

These logs are irrelevant. More interesting would be the logs on the 
server-side, to see if *any* searches are done. However, the 'sudo -l' output 
may be useful.

> I do see other events in secure.log that appear to be pam successes
> however. Am I interpreting this correctly that at least part of the
> system is communicating with pam on the ldap server?

PAM seems to work, as your password is accepted. Nothing further relates to 
pam at all. Everything else relates *only* to sudo. Please read your 
/usr/share/doc/sudo-*/README.LDAP file. For example, the coverage of the 
'sudoers_debug' option may be interesting.

Regards,
Buchan
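As an added illustration of the /etc/ldap.conf versus /etc/openldap/ldap.conf point made above (this is not code from the thread or from sudo itself), a small POSIX shell check that reports whether sudoers_base sits in the file sudo actually reads. The file contents and the example.net DNs are constructed, and the paths are passed as arguments so the check can be run against copies.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread: sudo's LDAP support reads
# /etc/ldap.conf, while /etc/openldap/ldap.conf belongs to the OpenLDAP client
# tools. A sudoers_base placed only in the latter is silently ignored by sudo.

# conf_value FILE KEY: print the value of KEY (case-insensitive, first match)
# from an ldap.conf-style "key value" file; comment lines never match.
conf_value() {
    [ -r "$1" ] || return 1
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# check_sudo_ldap SUDO_CONF OPENLDAP_CONF: prints one word on stdout
# (ok, misplaced or missing); explanation goes to stderr.
check_sudo_ldap() {
    in_sudo=$(conf_value "$1" sudoers_base)
    in_openldap=$(conf_value "$2" sudoers_base)
    if [ -n "$in_sudo" ]; then
        echo "sudo will search $in_sudo (sudoers_base from $1)" >&2
        echo ok
    elif [ -n "$in_openldap" ]; then
        echo "sudoers_base is only in $2, which sudo does not read; move it to $1" >&2
        echo misplaced
    else
        echo "no sudoers_base in $1 or $2" >&2
        echo missing
    fi
}

# demo: constructed files reproducing the layout from the thread, where
# sudoers_base was put in the OpenLDAP client file only (DNs are placeholders).
demo() {
    dir=$(mktemp -d)
    printf 'URI ldap://ldap.example.net\nBASE dc=example,dc=net\nsudoers_base ou=sudoers,ou=Services,dc=example,dc=net\n' \
        > "$dir/openldap-ldap.conf"
    printf 'uri ldap://ldap.example.net\nbase dc=example,dc=net\n' > "$dir/ldap.conf"
    check_sudo_ldap "$dir/ldap.conf" "$dir/openldap-ldap.conf"
    rm -rf "$dir"
}

demo
```

Run it as root against the live files with `check_sudo_ldap /etc/ldap.conf /etc/openldap/ldap.conf`; on the layout described in the thread it reports `misplaced`.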