sudoers file with groups in LDAP
Operating Systems > Solaris. Post 302258067 by em23 on Thursday 13th of November 2008, 09:01:42 PM

Hello gurus,

I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to their respective groups. I've also set up my sudoers file to have the groups match what is in LDAP, and I've added ldap to the group line in nsswitch.conf. The problem is that when a user tries to sudo to a user within their group(s), it errors out saying the user is not in the sudoers file. Also, when I do 'id -a username' it will show the uid, the gid and the group. Has anyone done this before, and if so, what am I missing?

Thanks,

==============================

nsswitch.conf
group: files nis ldap

sample of my sudoers file
##################
# User alias specification #
##################

User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba

##################
# Cmnd alias specification #
##################

# GID 14 SYSADMIN is for System Administrators who require ROOT access
# !!!NOTE - THIS GROUP GIVES ROOT ACCESS ON ALL SYSTEMS!!!!
Cmnd_Alias ROOTSHELLS = \
    /bin/su -, \
    /bin/sh, \
    /bin/csh, \
    /bin/bash, \
    /usr/bin/bash, \
    /bin/ksh

# GID 101 DBADMIN is used primarily for the DBA group
# NOTE: /bin/su -, /bin/sh and /bin/csh give this group an unrestricted root
# shell too, so DB_ADMIN is effectively as powerful as ROOTSHELLS. Argument
# wildcards match across whitespace, so "/bin/kill ?*" permits killing any
# process and "/bin/rm -i ?*" matches any argument list that begins with -i,
# including further options after it.
Cmnd_Alias DB_ADMIN = \
    /bin/su -, \
    /bin/sh, \
    /bin/csh, \
    /bin/su - oracle, \
    /bin/kill ?*, \
    /bin/rm -i ?*

#####################
# User privilege specification #
#####################

# ALL_SERVERS must be defined by a Host_Alias (not shown in this sample); sudo
# treats an undefined alias as a literal host name, so the rule would never match.
root        ALL=(ALL) ALL
SYSADMIN    ALL_SERVERS = NOPASSWD: ROOTSHELLS
DBADMIN     ALL_SERVERS = DB_ADMIN
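
As an added example (not code from the original post and not part of sudo), here is a small Python checker for the subset of sudoers syntax used in the sample above. It joins backslash continuations, collects the alias definitions, reports aliases that a rule references but the file never defines (sudo falls back to treating such a word as a literal user or host name, so the rule silently never matches; visudo warns about it, a hand edit does not), and, given a user, the group list the name service returns for that user (what 'id -a' or getent group would show) and a hostname, tells you which rules apply and with which commands and tags. The sudoers text embedded below is a constructed copy of the posted fragment; the user names em23, bob, alice, the host names and the Host_Alias ALL_SERVERS = ALL in FIXED_SUDOERS are assumptions, since the post references ALL_SERVERS but does not show its definition.

```python
"""Checker for the %group-based sudoers rules above (added example; not from the post or from sudo).
Handles the subset the posted file uses: backslash continuations, *_Alias definitions and rules
"who host = (runas) [TAG:] cmd, cmd".  Reports aliases a rule references but the file never defines
(sudo treats such a word as a literal user/host name, so the rule never matches) and which rules a
user with a given group list matches on a host.  Not handled: Defaults, netgroups, %#gid, Runas
lists containing spaces."""
import re
from collections import namedtuple

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
_ALIAS_DEF = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)$")
_RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\((\S+?)\)\s*)?(.*)$")
_TAGS = re.compile(r"^((?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*)*)(.*)$")
_ALIAS_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")        # alias names are upper-case words; ALL is reserved
is_alias_ref = lambda w: w != "ALL" and bool(_ALIAS_NAME.match(w))
Rule = namedtuple("Rule", "who host runas tags commands")


def logical_lines(text):
    """Drop comments and blank lines; join backslash-continued lines, collapsing runs of whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        s = raw.strip()
        if not buf and (not s or s[0] == "#"):
            continue
        buf = " ".join(f"{buf} {s}".split())
        if buf.endswith("\\"):
            buf = buf[:-1]
        else:
            out.append(buf)
            buf = ""
    return out


def parse_sudoers(text):
    aliases, rules = {k: {} for k in ALIAS_KINDS}, []
    for line in logical_lines(text):
        m = _ALIAS_DEF.match(line)
        if m:
            kind, name, body = m.groups()
            aliases[kind][name] = [w.strip() for w in body.split(",") if w.strip()]
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        who, host, runas, rest = m.groups()
        tags, rest = _TAGS.match(rest).groups()        # e.g. "NOPASSWD:" in front of the command list
        cmds = tuple(c.strip() for c in rest.split(",") if c.strip())
        rules.append(Rule(who, host, runas or "root", tuple(re.findall(r"\w+", tags)), cmds))
    return aliases, rules


def undefined_aliases(aliases, rules):
    """Sorted (kind, name) pairs referenced by a rule or another alias but never defined."""
    refs = [(k, w) for k in ALIAS_KINDS for body in aliases[k].values() for w in body]
    for r in rules:
        refs += [("User_Alias", r.who), ("Host_Alias", r.host), ("Runas_Alias", r.runas)]
        refs += [("Cmnd_Alias", c) for c in r.commands]
    return sorted({(k, w.lstrip("!")) for k, w in refs
                   if is_alias_ref(w.lstrip("!")) and w.lstrip("!") not in aliases[k]})


def spec_matches(word, table, leaf, seen=()):
    """One user- or host-spec word: negation, ALL, a (nested) alias, or a literal judged by leaf()."""
    if word.startswith("!"):
        return not spec_matches(word[1:], table, leaf, seen)
    if word == "ALL":
        return True
    if is_alias_ref(word):
        members = table.get(word)
        if members is None or word in seen:              # undefined or cyclic alias: never matches
            return False
        return any(spec_matches(m, table, leaf, seen + (word,)) for m in members)
    return leaf(word)


def expand_commands(words, aliases, seen=()):
    """Flatten Cmnd_Alias references (recursively) into literal command specs."""
    out = []
    for w in words:
        nested = aliases["Cmnd_Alias"].get(w) if is_alias_ref(w) and w not in seen else None
        out += expand_commands(nested, aliases, seen + (w,)) if nested else [w]
    return out


def check(text, user, groups, hostname):
    """Undefined aliases, plus the rules `user` (a member of `groups`) matches on `hostname`."""
    aliases, rules = parse_sudoers(text)
    gset = set(groups)
    user_leaf = lambda w: (w[1:] in gset) if w.startswith("%") else w == user
    host_leaf = lambda w: w == hostname
    matched = [{"who": r.who, "host": r.host, "runas": r.runas, "tags": list(r.tags),
                "commands": expand_commands(r.commands, aliases)}
               for r in rules if spec_matches(r.who, aliases["User_Alias"], user_leaf)
               and spec_matches(r.host, aliases["Host_Alias"], host_leaf)]
    return {"undefined": undefined_aliases(aliases, rules), "matched": matched}


# Constructed copy of the posted fragment (comments trimmed, continuation lines kept).
POSTED_SUDOERS = """\
User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba
Cmnd_Alias ROOTSHELLS =\\
/bin/su -, /bin/sh, /bin/csh, \\
/bin/bash, /usr/bin/bash, /bin/ksh
Cmnd_Alias DB_ADMIN=\\
/bin/su - , /bin/sh , /bin/csh , \\
/bin/su - oracle, /bin/kill ?*, /bin/rm -i ?*
root ALL=(ALL) ALL
SYSADMIN ALL_SERVERS = NOPASSWD:ROOTSHELLS
DBADMIN ALL_SERVERS = DB_ADMIN
"""
# Same file plus the Host_Alias the rules reference (assumed here; the post does not show it).
FIXED_SUDOERS = "Host_Alias ALL_SERVERS = ALL\n" + POSTED_SUDOERS

if __name__ == "__main__":                         # user em23, its groups and the host are constructed
    print(check(POSTED_SUDOERS, "em23", ["staff", "sysadmin"], "sol10"))
    print(check(FIXED_SUDOERS, "em23", ["staff", "sysadmin"], "sol10"))
```

Run against POSTED_SUDOERS, a member of dba matches nothing and the checker names the missing Host_Alias; against FIXED_SUDOERS the DBADMIN rule matches with its six expanded commands. The group list is an input on purpose: feed it the groups the host's own name service returns (nsswitch.conf order included), not what the LDAP server holds, because that is what sudo will see.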
 

id(1M)                    System Administration Commands                    id(1M)

NAME
    id - return user identity

SYNOPSIS
    /usr/bin/id [-p] [user]
    /usr/bin/id -a [-p] [user]
    /usr/xpg4/bin/id [-p] [user]
    /usr/xpg4/bin/id -G [-n] [user]
    /usr/xpg4/bin/id -g [-nr] [user]
    /usr/xpg4/bin/id -u [-nr] [user]

DESCRIPTION
    If no user operand is provided, the id utility writes the user and group IDs and the corresponding user and group names of the invoking process to standard output. If the effective and real IDs do not match, both are written. If multiple groups are supported by the underlying system, /usr/xpg4/bin/id also writes the supplementary group affiliations of the invoking process.

    If a user operand is provided and the process has the appropriate privileges, the user and group IDs of the selected user are written. In this case, effective IDs are assumed to be identical to real IDs. If the selected user has more than one allowable group membership listed in the group database, /usr/xpg4/bin/id writes them in the same manner as the supplementary groups described in the preceding paragraph.

  Formats
    The following formats are used when the LC_MESSAGES locale category specifies the "C" locale. In other locales, the strings uid, gid, euid, egid, and groups may be replaced with more appropriate strings corresponding to the locale.

        "uid=%u(%s) gid=%u(%s)\n" <real user ID>, <user-name>, <real group ID>, <group-name>

    If the effective and real user IDs do not match, the following are inserted immediately before the \n character in the previous format:

        " euid=%u(%s)"

    with the following arguments added at the end of the argument list:

        <effective user ID>, <effective user-name>

    If the effective and real group IDs do not match, the following is inserted directly before the \n character in the format string (and after any addition resulting from the effective and real user IDs not matching):

        " egid=%u(%s)"

    with the following arguments added at the end of the argument list:

        <effective group ID>, <effective group name>

    If the process has supplementary group affiliations or the selected user is allowed to belong to multiple groups, the first is added directly before the NEWLINE character in the format string:

        " groups=%u(%s)"

    with the following arguments added at the end of the argument list:

        <supplementary group ID>, <supplementary group name>

    and the necessary number of the following added after that for any remaining supplementary group IDs:

        ",%u(%s)"

    and the necessary number of the following arguments added at the end of the argument list:

        <supplementary group ID>, <supplementary group name>

    If any of the user ID, group ID, effective user ID, effective group ID or supplementary/multiple group IDs cannot be mapped by the system into printable user or group names, the corresponding (%s) and name argument is omitted from the corresponding format string.

    When any of the options are specified, the output format is as described under OPTIONS.

OPTIONS
    The following option is supported by both /usr/bin/id and /usr/xpg4/bin/id. For /usr/xpg4/bin/id, -p is invalid if specified with any of the -G, -g, or -u options.

    -p      Reports additionally the current project membership of the invoking process. The project is reported using the format:

                "projid=%u(%s)"

            which is inserted prior to the \n character of the default format described in the Formats section. The arguments <project ID>, <project name> are appended to the end of the argument list. If the project ID cannot be mapped by the system into a printable project name, the corresponding (%s) and name argument is omitted from the corresponding format string.

  /usr/bin/id
    The following option is supported for /usr/bin/id only:

    -a      Reports user name, user ID and all the groups to which the user belongs.

  /usr/xpg4/bin/id
    The following options are supported for /usr/xpg4/bin/id only:

    -G      Outputs all different group IDs (effective, real and supplementary) only, using the format "%u\n". If there is more than one distinct group affiliation, output each such affiliation, using the format " %u", before the NEWLINE character is output.

    -g      Outputs only the effective group ID, using the format "%u\n".

    -n      Outputs the name in the format "%s" instead of the numeric ID using the format "%u".

    -r      Outputs the real ID instead of the effective ID.

    -u      Outputs only the effective user ID, using the format "%u\n".

OPERANDS
    The following operand is supported:

    user    The user (login) name for which information is to be written.

ENVIRONMENT VARIABLES
    See environ(5) for descriptions of the following environment variables that affect the execution of id: LANG, LC_ALL, LC_CTYPE, LC_MESSAGES, and NLSPATH.

EXIT STATUS
    The following exit values are returned:

    0       Successful completion.

    >0      An error occurred.

ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:

    /usr/bin/id
        ATTRIBUTE TYPE           ATTRIBUTE VALUE
        Availability             SUNWcsu, SUNWcar

    /usr/xpg4/bin/id
        ATTRIBUTE TYPE           ATTRIBUTE VALUE
        Availability             SUNWxcu4
        Interface Stability      Standard

SEE ALSO
    fold(1), logname(1), who(1), getgid(2), getgroups(2), getprojid(2), getuid(2), attributes(5), environ(5), standards(5)

NOTES
    Output produced by the -G option and by the default case could potentially produce very long lines on systems that support large numbers of supplementary groups.

SunOS 5.10                          24 Jan 2000                             id(1M)
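
The Formats section above pins down the shape of id's default output closely enough to parse it by rule rather than by guesswork. The following Python parser is an added example, not part of the man page or of Solaris: it handles the C-locale line including the euid= and egid= insertions, the -p projid= field, and the case the section calls out where an ID has no printable name and the "(%s)" is omitted, leaving a bare number. That last case is the one that matters for the thread above, since a group that exists only in a name service the host is not consulting shows up as a bare gid and a %group entry in sudoers can never match it. The sample lines, the user em23 and the group names are constructed.

```python
"""Parser for the C-locale output of id(1M) (added example; not part of the man page or Solaris).

Per the Formats section the default line is
    uid=%u(%s) gid=%u(%s)[ euid=%u(%s)][ egid=%u(%s)][ groups=%u(%s)[,%u(%s)]...]
with "(%s)" omitted for any ID the system cannot map to a name; -p inserts "projid=%u(%s)" the
same way.  Unmapped IDs are the interesting case: a group that exists only in a name service the
host is not consulting appears as a bare number, and a %group sudoers entry can never match it."""
import re
from typing import List, Optional, Tuple, Union

Entry = Tuple[int, Optional[str]]          # (numeric ID, name or None when "(%s)" was omitted)
_FIELD = re.compile(r"(\w+)=(\S+)")
_ENTRY = re.compile(r"(\d+)(?:\(([^()]*)\))?")


def parse_id(line: str) -> dict:
    """Return {'uid': Entry, 'gid': Entry, 'groups': [Entry, ...]} plus euid/egid/projid if present.

    Raises ValueError on anything outside the documented format, so a caller never acts on a
    partial or locale-translated line.
    """
    fields: dict = {}
    for key, value in _FIELD.findall(line.strip()):
        entries: List[Entry] = []
        for part in value.split(","):
            m = _ENTRY.fullmatch(part)
            if m is None:
                raise ValueError(f"malformed {key} entry {part!r} in {line!r}")
            entries.append((int(m.group(1)), m.group(2)))
        if key == "groups":
            fields[key] = entries
        elif len(entries) == 1:
            fields[key] = entries[0]
        else:
            raise ValueError(f"{key} must carry exactly one ID: {value!r}")
    missing = [k for k in ("uid", "gid") if k not in fields]
    if missing:
        raise ValueError(f"{line!r} lacks required field(s) {missing}")
    fields.setdefault("groups", [])
    return fields


def is_valid_id_line(line: str) -> bool:
    try:
        parse_id(line)
        return True
    except ValueError:
        return False


def _group_entries(fields: dict) -> List[Entry]:
    """Real gid, effective gid (if shown) and supplementary groups, de-duplicated by ID."""
    out: List[Entry] = []
    for e in [fields["gid"], fields.get("egid"), *fields["groups"]]:
        if e is not None and e[0] not in {g for g, _ in out}:
            out.append(e)
    return out


def group_names(fields: dict) -> List[str]:
    """Names of every group the line maps to a name, in output order."""
    return [name for _, name in _group_entries(fields) if name is not None]


def unmapped_gids(fields: dict) -> List[int]:
    """Group IDs that id could not resolve to a name."""
    return [gid for gid, name in _group_entries(fields) if name is None]


def has_group(fields: dict, group: Union[int, str]) -> bool:
    """Membership test by name or by numeric ID (the latter still works for unmapped groups)."""
    return any(group in (gid, name) for gid, name in _group_entries(fields))


# Constructed sample lines in the documented format (user em23 and its groups are made up).
SAMPLE_FULL = "uid=1001(em23) gid=10(staff) groups=10(staff),14(sysadmin),101(dba)"
SAMPLE_UNMAPPED = "uid=1001(em23) gid=10(staff) euid=0(root) groups=10(staff),14(sysadmin),101"

if __name__ == "__main__":
    for line in (SAMPLE_FULL, SAMPLE_UNMAPPED):
        print(group_names(parse_id(line)), unmapped_gids(parse_id(line)))
```

On SAMPLE_UNMAPPED the parser reports gid 101 as unmapped and has_group(..., "dba") is false while has_group(..., 101) is true, which is the symptom to look for when a %group rule does not fire even though the directory says the user is a member.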
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.