sudoers file with groups in LDAP | Unix Linux Forums | Solaris

#1  11-13-2008  em23 (Registered User)

Hello gurus,

I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The problem is that when a user tries to sudo to a user within their group(s) it errors out saying the user is not in the sudoers file. Also, when I do 'id -a username' it will show the uid, the gid and the group. Has anyone done this before, and if so, what am I missing?

Thanks,

==============================

nsswitch.conf
group: files nis ldap

sample of my sudoers file
##################
# User alias specification #
##################

User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba

##################
#Cmnd alias specification#
##################

#GID 14 SYSADMIN is for System Administrators who require ROOT access
# !!!NOTE - THIS GROUP GIVES ROOT ACCESS ON ALL SYSTEMS!!!!
Cmnd_Alias ROOTSHELLS =\
/bin/su -, \
/bin/sh, \
/bin/csh, \
/bin/bash, \
/usr/bin/bash, \
/bin/ksh


#GID 101 DBADMIN is used primarily for the DBA group
Cmnd_Alias DB_ADMIN=\
/bin/su - , \
/bin/sh , \
/bin/csh , \
/bin/su - oracle, \
/bin/kill ?*, \
/bin/rm -i ?*


#####################
# User privilege specification #
#####################

root ALL=(ALL) ALL
SYSADMIN ALL_SERVERS = NOPASSWD:ROOTSHELLS
DBADMIN ALL_SERVERS = DB_ADMIN
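An added diagnostic for the symptom in the post above (id shows the LDAP group, yet sudo reports the user is not in sudoers); it is not code from the thread. It extracts every %group that a sudoers text grants to and checks it against the user's resolved group list and against the group database entry itself, so the two lookup paths can be compared. Inputs are passed in as text: the sudoers fragment and group line below are constructed samples, and on a host you would feed it the output of `id -Gn user` and `getent group name`.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which %groups in a sudoers text can a
# user match, judged from the two lookups an admin can compare on the host:
# the user's resolved supplementary groups (`id -Gn user`) and the group
# database entry (`getent group name`). Inputs are passed as text so the
# functions run offline; the samples below are constructed from post #1.

SAMPLE_SUDOERS='User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba
root ALL=(ALL) ALL
SYSADMIN ALL_SERVERS = NOPASSWD:ROOTSHELLS
DBADMIN ALL_SERVERS = DB_ADMIN'

# Constructed group database line, in the format `getent group dba` prints.
SAMPLE_GROUP_LINE='dba:x:101:alice,bob'

# Print every group referenced as %name in a sudoers text, one per line.
# Comment lines are dropped; tokens are split on blanks, commas and '='.
sudoers_groups() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        tr -s ' \t,=' '\n' | sed -n 's/^%\([A-Za-z0-9_.-]*\)$/\1/p' | sort -u
}

# Print the %groups from the sudoers text (arg 1) that appear in the user's
# resolved group list (arg 2, space-separated, as `id -Gn user` prints it).
# Returns 1 when none match, i.e. no group alias can grant this user anything.
matching_groups() {
    found=1
    for g in $(sudoers_groups "$1"); do
        for ug in $2; do
            [ "$g" = "$ug" ] && { echo "$g"; found=0; }
        done
    done
    return $found
}

# Check whether a user (arg 2) is listed as a member in a `getent group`
# line (arg 1). If this succeeds but matching_groups finds nothing, the group
# entry resolves while the user's supplementary-group list does not carry it,
# which narrows the search to how that list is built (nsswitch order, caching).
user_in_group_line() {
    members=$(printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n')
    for m in $members; do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}
```

On the host: `matching_groups "$(cat /etc/sudoers)" "$(id -Gn alice)"` and `user_in_group_line "$(getent group dba)" alice`; run both as root so sudoers is readable.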
#2  11-13-2008  Perderabo (Forum Staff, Unix Daemon, Administrator Emeritus)
We do this all the time but we don't use NIS, just LDAP. I have noticed some language at Sun's site that the two don't mix. Only one I can find right now: passwd(1) - change login password and password attributes (man pages section 1: User Commands) - Sun Microsystems

Quote:
If all requirements are met, by default, the passwd command will consult /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries will be updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations will prevent users from logging onto the system. The password update configurations are:

passwd: files

passwd: files ldap

passwd: files nis

passwd: files nisplus

passwd: compat (==> files nis)

passwd: compat (==> files ldap)

passwd_compat: ldap

passwd: compat (==> files nisplus)

passwd_compat: nisplus
#3  11-13-2008  em23 (Registered User)
Our passwd line looks like so:

passwd: files nis compat

The weird part about this is that I was testing this on our DR servers and it worked fine. I also had a user test this from a different group, and it worked fine as well. But when I attempt to do this on a prod server, I get the error: user abc is not in sudoers....

And our DR servers are set up exactly the same as our prod servers.
#4  11-13-2008  Perderabo (Forum Staff, Unix Daemon, Administrator Emeritus)
Same OS version and patch levels?
#5  11-13-2008  em23 (Registered User)
Quote:
Originally Posted by Perderabo
Same OS version and patch levels?

Yep. All the same.
#6  11-13-2008  Perderabo (Forum Staff, Unix Daemon, Administrator Emeritus)
Then I'm stumped. But I bet it will work if you drop NIS.
#7  11-13-2008  em23 (Registered User)
Yeah... I think I got it figured out. I'm going to play around with it some more, and I'll post my results after I test it IF it's successful. But thanks for your help, Perderabo!