Re: ubuntu sudoers won't talk to LDAP
- To: bluethundr <bluethundr@gmail.com>
- Subject: Re: ubuntu sudoers won't talk to LDAP
- From: "Mark J. Reed" <markjreed@gmail.com>
- Date: Fri, 19 Nov 2010 14:37:15 -0500
- Cc: openldap-technical@openldap.org
- In-reply-to: <AANLkTin+a3YmiOqCYzUDmPLpb2=vDpSNw4+pFMxk-DOL@mail.gmail.com>
- References: <AANLkTin+a3YmiOqCYzUDmPLpb2=vDpSNw4+pFMxk-DOL@mail.gmail.com>
The default version of sudo that comes with Ubuntu is compiled without
LDAP support. If you want the ldap-enabled version, install the
'sudo-ldap' package.

On Fri, Nov 19, 2010 at 2:23 PM, bluethundr <bluethundr@gmail.com> wrote:
> Hello Ubuntu
>
> On our network we have our sudoers stored in LDAP. This works fine on
> the CentOS 5.4 clients by placing into /etc/ldap.conf
>
>
> sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
>
>
> and in /etc/nsswitch.conf we have the entry:
>
>
> sudoers: ldap
>
>
> (setting this setting to just 'ldap' instead of 'files ldap' does not
> render the machine unbootable as happens if you set passwd and group
> this way).
>
> However I am attempting to set this up on an Ubuntu 9.10 client and
> getting no joy so far. I have the same settings in /etc/ldap.conf and
> /etc/nsswitch.conf and cannot get sudoers to work.
>
> On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
> grep ldapAccount, however when you attempt to sudo it fails:
>
>
> bluethundr@ubuntu3:~$ sudo bash
> >>> /etc/sudoers: syntax error near line 0 <<<
> sudo: parse error in /etc/sudoers near line 0
> sudo: no valid sudoers sources found, quitting
>
>
> We leave our sudoers file blank intentionally in order to manage this
> via LDAP. Again, this problem is ONLY happening under Ubuntu and not
> under CentOS 5.4.
>
> The only real difference that I see between the two clients is the
> sudo version. Could it be that under Ubuntu LDAP sudo support isn't
> compiled in? If so, how to recompile it so that it does?
>
> CentOS 5.4 sudo version:
>
> [root@ldap2 ~]# sudo -V
> Sudo version 1.7.2p1
>
>
> Ubuntu 9.10 sudo version:
>
>
> root@ubuntu3:~# sudo -V
> Sudo version 1.7.0
>
>
>
>
> [root@ldap2 ~]# sudo -V
> Sudo version 1.7.2p1
>
>
> And here are the linkages:
>
> CentOS 5.4:
>
>
> [root@ldap2 ~]# ldd $(which sudo)
> libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
> libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
> libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
> libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
> libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
> libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
> libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
> liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
> libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
> /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
> libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
> libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
> libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
> libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
> libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
> libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
> libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
> libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
> libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
> libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)
>
>
>
> Ubuntu 9.10
>
> bluethundr@ubuntu3:~$ ldd $(which sudo)
> linux-gate.so.1 => (0x00914000)
> libpam.so.0 => /lib/libpam.so.0 (0x00753000)
> libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
> libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
> libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
> liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
> /lib/ld-linux.so.2 (0x00d75000)
> libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
> libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
> libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
> libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
> libz.so.1 => /lib/libz.so.1 (0x007d6000)
> libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
> libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)
>
>
>
> Thanks for any input you may have!
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
>
> Share and enjoy!!
>
--
Mark J. Reed <markjreed@gmail.com>
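
The checks discussed in this thread, as an added example that is not part of either message: a POSIX shell function that takes captured `ldd` output plus the two config files and reports whether sudo links libldap, whether `nsswitch.conf` lists `ldap` for `sudoers`, and whether `sudoers_base` is set. The function name `check_sudo_ldap` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the three settings the thread
# relies on for sudoers-in-LDAP. Arguments are files, so captured output
# from another host can be audited:
#   $1 output of: ldd "$(command -v sudo)"   $2 nsswitch.conf   $3 ldap.conf
# Prints one finding per line; returns 0 only when every check passes.
check_sudo_ldap() {
    rc=0
    # 1. The binary must be linked against libldap or libldap_r.
    if grep -Eq '^[[:space:]]*libldap(_r)?[-.]' "$1"; then
        echo "OK   sudo binary links libldap"
    else
        echo "FAIL sudo binary has no libldap linkage"; rc=1
    fi
    # 2. The sudoers line in nsswitch.conf must list ldap as a source.
    if awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
            END { exit !ok }' "$2"; then
        echo "OK   nsswitch.conf: sudoers uses ldap"
    else
        echo "FAIL nsswitch.conf: no 'sudoers: ... ldap' entry"; rc=1
    fi
    # 3. sudoers_base must be set (sudo parses ldap.conf keywords
    #    case-insensitively, hence -i). Commented-out lines do not count.
    if grep -Eiq '^[[:space:]]*sudoers_base[[:space:]]+[^[:space:]]' "$3"; then
        echo "OK   ldap.conf: sudoers_base is set"
    else
        echo "FAIL ldap.conf: sudoers_base missing"; rc=1
    fi
    return "$rc"
}

# Constructed sample: correct config files, but a sudo built without LDAP.
demo=$(mktemp -d)
printf '\tlibpam.so.0 => /lib/libpam.so.0 (0x00753000)\n' > "$demo/ldd.txt"
printf '\tlibc.so.6 => /lib/libc.so.6 (0x004f1000)\n' >> "$demo/ldd.txt"
printf 'passwd: files ldap\nsudoers: ldap\n' > "$demo/nsswitch.conf"
printf 'sudoers_base ou=sudoers,ou=Services,dc=example,dc=net\n' > "$demo/ldap.conf"
check_sudo_ldap "$demo/ldd.txt" "$demo/nsswitch.conf" "$demo/ldap.conf" \
    || echo "=> at least one precondition is not met"
rm -rf "$demo"
```

With an intentionally empty `/etc/sudoers`, any failed check here means sudo has no usable policy source and refuses every request, which is the "no valid sudoers sources found" error quoted above.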