
Re: ubuntu sudoers won't talk to LDAP



The default version of sudo that comes with Ubuntu is compiled without
LDAP support.  If you want the ldap-enabled version, install the
'sudo-ldap' package.

On Fri, Nov 19, 2010 at 2:23 PM, bluethundr <bluethundr@gmail.com> wrote:
> Hello Ubuntu
>
> On our network we have our sudoers stored in LDAP. This works fine on
> the CentOS 5.4 clients by placing into /etc/ldap.conf
>
>
> sudoers_base ou=sudoers,ou=Services,dc=example,dc=net
>
>
> and in /etc/nsswitch.conf we have the entry:
>
>
> sudoers: ldap
>
>
> (setting this setting to just 'ldap' instead of 'files ldap' does not
> render the machine unbootable as happens if you set passwd and group
> this way).
>
> However I am attempting to set this up on an Ubuntu 9.10 client and
> getting no joy so far. I have the same settings in /etc/ldap.conf and
> /etc/nsswitch.conf and cannot get sudoers to work.
>
> On the Ubuntu box, I can get LDAP entries by typing in getent passwd |
> grep ldapAccount, however when you attempt to sudo it fails:
>
>
> bluethundr@ubuntu3:~$ sudo bash
> >>> /etc/sudoers: syntax error near line 0 <<<
> sudo: parse error in /etc/sudoers near line 0
> sudo: no valid sudoers sources found, quitting
>
>
> We leave our sudoers file blank intentionally in order to manage this
> via LDAP. Again, this problem is ONLY happening under Ubuntu and not
> under CentOS 5.4.
>
> The only real difference that I see between the two clients is the
> sudo version. Could it be that under ubuntu LDAP sudo support isn't
> compiled in? If so, how to recompile it so that it does?
>
> CentOS 5.4 sudo version:
>
> [root@ldap2 ~]# sudo -V
> Sudo version 1.7.2p1
>
>
> Ubuntu 9.10 sudo version:
>
>
> root@ubuntu3:~# sudo -V
> Sudo version 1.7.0
>
>
>
> And here are the linkages:
>
> CentOS 5.4:
>
>
> [root@ldap2 ~]# ldd $(which sudo)
>        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaaacc8000)
>        libcap.so.1 => /lib64/libcap.so.1 (0x00002aaaaaee0000)
>        libpam.so.0 => /lib64/libpam.so.0 (0x00002aaaab0e4000)
>        libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab2f0000)
>        libldap-2.3.so.0 => /usr/lib64/libldap-2.3.so.0 (0x00002aaaab4f4000)
>        libc.so.6 => /lib64/libc.so.6 (0x00002aaaab72e000)
>        libaudit.so.0 => /lib64/libaudit.so.0 (0x00002aaaaba86000)
>        liblber-2.3.so.0 => /usr/lib64/liblber-2.3.so.0 (0x00002aaaabc9e000)
>        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaabeac000)
>        /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
>        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac0f3000)
>        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002aaaac308000)
>        libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaac521000)
>        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaac76e000)
>        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aaaacabf000)
>        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaaccf7000)
>        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaacf26000)
>        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaad1bb000)
>        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaad3bd000)
>        libz.so.1 => /usr/lib64/libz.so.1 (0x00002aaaad5e3000)
>        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaad7f7000)
>        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaad9ff000)
>
>
>
> Ubuntu 9.10
>
> bluethundr@ubuntu3:~$ ldd $(which sudo)
>        linux-gate.so.1 =>  (0x00914000)
>        libpam.so.0 => /lib/libpam.so.0 (0x00753000)
>        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x00223000)
>        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00fa1000)
>        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x004f1000)
>        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00f35000)
>        /lib/ld-linux.so.2 (0x00d75000)
>        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0x00345000)
>        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x008d0000)
>        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00b77000)
>        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x002e3000)
>        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x001df000)
>        libz.so.1 => /lib/libz.so.1 (0x007d6000)
>        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x003f3000)
>        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00110000)
>
>
>
> Thanks for any input you may have!
>
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
>
> Share and enjoy!!
>



-- 
Mark J. Reed <markjreed@gmail.com>
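
An added example, not part of either message: a shell preflight for the three things the thread compares between the two clients (the `sudoers:` line in nsswitch.conf, `sudoers_base` in ldap.conf, and whether the sudo binary links libldap). The function names are hypothetical, and the ldd check assumes a monolithic sudo like the 1.7.x builds quoted above, where LDAP support is linked into the binary itself.

```shell
#!/bin/sh
# Added example: preflight checks for LDAP-backed sudoers on a client.
# All function names are hypothetical. Files are passed as arguments so the
# checks can be run against copies instead of the live configuration.

# Print the normalized source list from the "sudoers:" line of nsswitch.conf.
sudoers_sources() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*sudoers[ \t]*:/ { sub(/^[^:]*:/, ""); $1 = $1; print; exit }' "$1"
}

# Print the first sudoers_base value from an ldap.conf-style file.
sudoers_base() {
    awk 'tolower($1) == "sudoers_base" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Read `ldd` output on stdin; succeed if libldap (or libldap_r) is listed.
# Assumption: LDAP support is linked into the sudo binary itself.
links_libldap() {
    grep -Eq '^[[:space:]]*libldap(_r)?[-.]'
}

# usage: preflight NSSWITCH_FILE LDAP_CONF_FILE LDD_OUTPUT_FILE
# Returns 0 when all three checks pass, 1 otherwise.
preflight() {
    rc=0
    src=$(sudoers_sources "$1")
    case " $src " in
        *" ldap "*) ;;
        *) echo "nsswitch: no ldap source for sudoers (got: '$src')"; rc=1 ;;
    esac
    case " $src " in
        *" files "*) ;;
        *) echo "note: no 'files' source, the local /etc/sudoers is not a fallback" ;;
    esac
    [ -n "$(sudoers_base "$2")" ] || { echo "ldap.conf: sudoers_base is not set"; rc=1; }
    links_libldap < "$3" || { echo "sudo: binary is not linked against libldap"; rc=1; }
    return $rc
}

# Typical use on a client (paths as given in the thread):
#   ldd "$(which sudo)" > /tmp/sudo.ldd
#   preflight /etc/nsswitch.conf /etc/ldap.conf /tmp/sudo.ldd
```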