Operating Systems Solaris sudoers file with groups in LDAP Post 302258086 by Perderabo on Thursday 13th of November 2008 09:16:45 PM
We do this all the time but we don't use NIS, just LDAP. I have noticed some language at Sun's site that the two don't mix. Only one I can find right now: passwd(1) - change login password and password attributes (man pages section 1: User Commands) - Sun Microsystems

Quote:
If all requirements are met, by default, the passwd command will consult /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries will be updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations will prevent users from logging onto the system. The password update configurations are:

    passwd: files

    passwd: files ldap

    passwd: files nis

    passwd: files nisplus

    passwd: compat (==> files nis)

    passwd: compat (==> files ldap)
    passwd_compat: ldap

    passwd: compat (==> files nisplus)
    passwd_compat: nisplus
 

passwd(4)                                                            passwd(4)

NAME
passwd - password file

SYNOPSIS
/etc/passwd

DESCRIPTION
The file /etc/passwd is a local source of information about users' accounts. The password file can be used in conjunction with other naming sources, such as the NIS maps passwd.byname and passwd.bygid, data from the NIS+ passwd table, or password data stored on an LDAP server. Programs use the getpwnam(3C) routines to access this information.

Each passwd entry is a single line of the form:

    username:password:uid:gid:gcos-field:home-dir:login-shell

where

    username     is the user's login name. It is recommended that this field conform to the checks performed by pwck(1M).

    password     is an empty field. The encrypted password for the user is in the corresponding entry in the /etc/shadow file. pwconv(1M) relies on a special value of 'x' in the password field of /etc/passwd. If this value of 'x' exists in the password field of /etc/passwd, this indicates that the password for the user is already in /etc/shadow and should not be modified.

    uid          is the user's unique numerical ID for the system.

    gid          is the unique numerical ID of the group that the user belongs to.

    gcos-field   is the user's real name, along with information to pass along in a mail-message heading. (It is called the gcos-field for historical reasons.) An "&" (ampersand) in this field stands for the login name (in cases where the login name appears in a user's real name).

    home-dir     is the pathname to the directory in which the user is initially positioned upon logging in.

    login-shell  is the user's initial shell program. If this field is empty, the default shell is /usr/bin/sh.

The maximum value of the uid and gid fields is 2147483647. To maximize interoperability and compatibility, administrators are recommended to assign users a range of UIDs and GIDs below 60000 where possible.

The password file is an ASCII file that resides in the /etc directory. Because the encrypted passwords on a secure system are always kept in the shadow file, /etc/passwd has general read permission on all systems and can be used by routines that map between numerical user IDs and user names.

Blank lines are treated as malformed entries in the passwd file and cause consumers of the file, such as getpwnam(3C), to fail.

The password file can contain entries beginning with a '+' (plus sign) or '-' (minus sign) to selectively incorporate entries from another naming service source, such as NIS, NIS+, or LDAP.

A line beginning with a '+' means to incorporate entries from the naming service source. There are three styles of the '+' entries in this file. A single + means to insert all the entries from the alternate naming service source at that point, while a +name means to insert the specific entry, if one exists, from the naming service source. A +@netgroup means to insert the entries for all members of the network group netgroup from the alternate naming service. If a +name entry has a non-null password, gcos, home-dir, or login-shell field, the value of that field overrides what is contained in the alternate naming service. The uid and gid fields cannot be overridden.

A line beginning with a '-' means to disallow entries from the alternate naming service. There are two styles of '-' entries in this file. -name means to disallow any subsequent entries (if any) for name (in this file or in a naming service), and -@netgroup means to disallow any subsequent entries for all members of the network group netgroup.

This is also supported by specifying "passwd : compat" in nsswitch.conf(4). The "compat" source might not be supported in future releases. The preferred sources are files followed by the identifier of a name service, such as nis or ldap. This has the effect of incorporating the entire contents of the naming service's passwd database or password-related information after the passwd file.

Note that in compat mode, for every /etc/passwd entry, there must be a corresponding entry in the /etc/shadow file.

Appropriate precautions must be taken to lock the /etc/passwd file against simultaneous changes if it is to be edited with a text editor; vipw(1B) does the necessary locking.

EXAMPLES
Example 1: Sample passwd File

The following is a sample passwd file:

    root:x:0:1:Super-User:/:/sbin/sh
    fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

and the sample password entry from nsswitch.conf:

    passwd: files ldap

In this example, there are specific entries for users root and fred to assure that they can login even when the system is running single-user. In addition, anyone whose password information is stored on an LDAP server will be able to login with their usual password, shell, and home directory.

If the password file is:

    root:x:0:1:Super-User:/:/sbin/sh
    fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
    +

and the password entry in nsswitch.conf is:

    passwd: compat

then all the entries listed in the NIS passwd.byuid and passwd.byname maps will be effectively incorporated after the entries for root and fred. If the password entry in nsswitch.conf is:

    passwd_compat: ldap
    passwd: compat

then all password-related entries stored on the LDAP server will be incorporated after the entries for root and fred.

The following is a sample passwd file when shadow does not exist:

    root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
    fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
    +john:
    +@documentation:no-login:
    +::::Guest

The following is a sample passwd file when shadow does exist:

    root:##root:0:1:Super-User:/:/sbin/sh
    fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
    +john:
    +@documentation:no-login:
    +::::Guest

In this example, there are specific entries for users root and fred, to assure that they can log in even when the system is running stand-alone. The user john will have his password entry in the naming service source incorporated without change, anyone in the netgroup documentation will have their password field disabled, and anyone else will be able to log in with their usual password, shell, and home directory, but with a gcos field of Guest.

FILES
    /etc/nsswitch.conf
    /etc/passwd
    /etc/shadow

SEE ALSO
chgrp(1), chown(1), finger(1), groups(1), login(1), newgrp(1), nispasswd(1), passwd(1), sh(1), sort(1), domainname(1M), getent(1M), in.ftpd(1M), passmgmt(1M), pwck(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M), usermod(1M), a64l(3C), crypt(3C), getpw(3C), getpwnam(3C), getspnam(3C), putpwent(3C), group(4), hosts.equiv(4), nsswitch.conf(4), shadow(4), environ(5), unistd.h(3HEAD)

28 Jul 2004                                                          passwd(4)
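
An added example (not part of the forum post or of Sun's man pages) that audits a passwd file together with the nsswitch.conf passwd entries, using the supported-configuration list quoted from passwd(1) and the rules stated in passwd(4). The names `audit` and `nsswitch_passwd` are hypothetical, the sample input is constructed, and accepting `##username` as a password placeholder is an assumption based on the man page's shadow sample.

```python
import re

# (passwd, passwd_compat) pairs transcribed literally from the quoted passwd(1) list.
SUPPORTED = {("files", None), ("files ldap", None), ("files nis", None),
             ("files nisplus", None), ("compat", None),
             ("compat", "ldap"), ("compat", "nisplus")}
MAX_ID, ADVISED_ID = 2147483647, 60000   # limits stated in passwd(4)

def nsswitch_passwd(conf):
    """Return the (passwd, passwd_compat) source strings from nsswitch.conf text."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(passwd|passwd_compat)\s*:\s*([^#]*)", line)
        if m:
            found[m.group(1)] = " ".join(m.group(2).split())
    pw = found.get("passwd")
    return pw, (found.get("passwd_compat") if pw == "compat" else None)

def audit(passwd, conf):
    """Return [(line number or 'nsswitch', message)] for the two files' contents."""
    out = []
    pair = nsswitch_passwd(conf)
    if pair not in SUPPORTED:
        out.append(("nsswitch", f"passwd sources {pair} not in the supported list"))
    for n, line in enumerate(passwd.splitlines(), 1):
        f = line.split(":")
        if not line.strip():
            out.append((n, "blank line is a malformed entry; getpwnam(3C) can fail"))
        elif line[0] in "+-":
            if pair[0] != "compat":
                out.append((n, "+/- entry but nsswitch.conf passwd is not compat"))
            if line[0] == "+" and len(f) >= 4 and (f[2] or f[3]):
                out.append((n, "uid/gid cannot be overridden in a + entry"))
        elif len(f) != 7:
            out.append((n, f"expected 7 colon-separated fields, got {len(f)}"))
        else:
            if f[1] not in ("", "x", "##" + f[0]):   # '##name' accepted by assumption
                out.append((n, "password field is not 'x' in a world-readable file"))
            for name, val in (("uid", f[2]), ("gid", f[3])):
                if not (val.isascii() and val.isdigit()) or int(val) > MAX_ID:
                    out.append((n, f"{name} {val!r} is not a number in 0..{MAX_ID}"))
                elif int(val) >= ADVISED_ID:
                    out.append((n, f"{name} {val} is not below the advised {ADVISED_ID}"))
    return out

# Constructed sample input; the fred line reuses the man page's own sample entry.
SAMPLE_CONF = "passwd: files ldap   # local accounts first\ngroup: files ldap\n"
SAMPLE_PASSWD = ("root:x:0:1:Super-User:/:/sbin/sh\n"
                 "fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh\n"
                 "\nsvc:x:70000:10:Service:/:/bin/false\n+john:\n")
```

Calling `audit(SAMPLE_PASSWD, SAMPLE_CONF)` reports the password value on line 2, the blank line 3, the uid on line 4 and the `+john:` entry on line 5; a source list with extra tokens such as lookup criteria is reported because the comparison against the quoted list is literal.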