Problems Hooking Sudoers into PAM/LDAP


 
Thread Tools Search this Thread
Special Forums UNIX and Linux Applications Problems Hooking Sudoers into PAM/LDAP
# 1  
Old 11-10-2010
Question Problems Hooking Sudoers into PAM/LDAP

Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..

At this point I have an openLDAP server that is working quite splendidly! Smilie

I have a working directory with users able to authenticate it and TLS turned on and it is ALL happening through PAM!! Well almost all of it..

The one sticking point I am currently having is getting sudoers to authenticate against LDAP.

Both client and server are CentOS 5.4. On the client I have my /etc/ldap.conf file setup like this:

Code:
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
pam_login_attribute     uid
pam_lookup_policy       yes
pam_password            exop
nss_base_passwd         ou=staff,dc=acadaca,dc=net
sudoers_debug 2

I have added the user I am testing to a couple of groups (two regular
DNs and one posixGroup) all of which had the sudoRole objectClass in
the hopes that this might be related to the issue:

Code:
46 cn=%sa,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: %sa
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %sa
sudoUser: bluethundr


50 cn=role1,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: bluethundr
sudoHost: ALL
sudoCommand: ALL

51 cn=sa,ou=Group,dc=acadaca,dc=net
objectClass: posixGroup
objectClass: top
cn: sa
userPassword: {crypt}*
gidNumber: 20004

However that didn't seem to do the trick. When I do attempt to sudo from the client machine this is what I see on the command line:

Code:
[bluethundr@VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file.  This incident will be reported.
[bluethundr@VIRCENT03:~]#sudo -l
[sudo] password for bluethundr:
Sorry, user bluethundr may not run sudo on VIRCENT03.

Also I notice that the client can't seem to find it's groups stored in
LDAP even tho I would think that system auth would point sudoers
to them just as it does sshd and su.

Code:
[bluethundr@VIRCENT03:~]#groups bluethundr
id: cannot find name for group ID 1002

I am not entirely sure that this is a separate issue, honestly and I think it may be related.


The other pam services I am working with, su and sshd, trigger events in the openldap logs on the server. Everything is going smoothly with these services, apparently:

In the openldap logs on the server here is a sample of what I see:

Code:
Nov  9 14:03:56 ldap slapd[31269]: bdb_search_candidates: id=1 first=54 last=54
Nov  9 14:03:56 ldap slapd[31269]: => test_filter
Nov  9 14:03:56 ldap slapd[31269]:     AND
Nov  9 14:03:56 ldap slapd[31269]: => test_filter_and
Nov  9 14:03:56 ldap slapd[31269]: => test_filter
Nov  9 14:03:56 ldap slapd[31269]:     EQUALITY
Nov  9 14:03:56 ldap slapd[31269]: => access_allowed: search access to
"uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net" "objectClass"
requested
Nov  9 14:03:56 ldap slapd[31269]: => acl_get: [1] attr objectClass
Nov  9 14:03:56 ldap slapd[31269]: => acl_mask: access to entry
"uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net", attr "objectClass"
requested
Nov  9 14:03:56 ldap slapd[31269]: => acl_mask: to value by "", (=0)
Nov  9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] applying read(=rscxd) (stop)
Nov  9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] mask: read(=rscxd)
Nov  9 14:03:56 ldap slapd[31269]: => access_allowed: search access
granted by read(=rscxd)

I've attached a more complete log file that shows a little more context. What I've done was clear the openldap logs with an echo " " > statement just before sudoing to root on the client. And the attached logs are show what happened after the event. Honestly, I wish I was better at parsing these log files but unfortunately I'm not quite there as of yet. Smilie

Back on the client side I see this noticeable event, amongst quite a lot of successful pam events in the secure log:

Code:
Nov  9 15:37:39 VIRCENT03 sudo: bluethundr : user NOT in sudoers ;
TTY=pts/3 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

I've also attached a more complete secure log showing a bit more context.

And lastly I've included a copy of my schema in the hopes that that may help.

Thanks again for any input you may have.
# 2  
Old 11-10-2010
Lets start from the beginning:
What version of sudo are you using?

Did you go through this doc:
http://www.courtesan.com/sudo/readme_ldap.html

Last edited by vbe; 11-10-2010 at 10:58 AM.. Reason: added link
# 3  
Old 11-10-2010
Java Problems Hooking Sudoers into PAM/LDAP

[QUOTE=vbe;302470511]Lets start from the beginning:
What version of sudo are you using?[/QUOTE}

Hello! Here is my (surprisingly verbose) sudo -V output:

Code:
[root@VIRCENT03:~]#sudo -V
Sudo version 1.7.2p1

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p: 
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	RUBYOPT
	RUBYLIB
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG 
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	CDPATH
	IFS
Environment variables to preserve:
	XAUTHORIZATION
	XAUTHORITY
	TZ
	PS2
	PS1
	PATH
	MAIL
	LS_COLORS
	KRB5CCNAME
	HOSTNAME
	HOME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
	192.168.1.25 / 255.255.255.0
	fe80::216:36ff:fe05:dc53 / ffff:ffff:ffff:ffff::

Quote:
Did you go through this doc:
Sudo README.LDAP
Yes, I actually have gone through this doc... but l will try giving it another read through..

thank you very much for your reply!!
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Configure samba with PAM point 2 different LDAP

Hi, I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA. Is possibile duplicate the... (2 Replies)
Discussion started by: mark888
2 Replies

2. OS X (Apple)

Mac OS X LDAP client not accepting ssh or console logins (PAM error)

Hi Folks, I've install 389 Directory Server on a Centos 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success. I've "Joined" to my network Account Server, and set my LDAP Mappings to... (2 Replies)
Discussion started by: jlh
2 Replies

3. UNIX and Linux Applications

LDAP - sudoers and the nopasswd flag - How can i set some commands for wheelgroup without password?

Hello :) we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin: Sysadmin is allowed to... (0 Replies)
Discussion started by: darktux
0 Replies

4. Cybersecurity

LDAP and PAM Configurations for Windows 2008 R2 ADS and Cubox Ubuntu client

Please I am having problem to login using Windows 2008 R2 Active Directory Services accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command. I have 2 systems, one that does not use gdm can login with all... (1 Reply)
Discussion started by: powelltallen
1 Replies

5. Shell Programming and Scripting

LDAP and PAM Configurations for Windows 2008 R2 ADS and Cubox Ubuntu client

Please I am having problem to login using Active Directory Services 2008 R2 accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command. I have 2 systems, one that does not use gdm can login with all users... (0 Replies)
Discussion started by: powelltallen
0 Replies

6. Solaris

LDAP, PAM or SSHD?

Hi, I´m trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is Ok and I made something different in pam.conf, krb5.conf and sshd_config (see above) nsswitch.ldap: passwd: files ldap group: files ldap hosts: files dns ipnodes: ... (0 Replies)
Discussion started by: mpcavalcanti
0 Replies

7. Solaris

sudoers file with groups in LDAP

Hello gurus, I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
Discussion started by: em23
6 Replies

8. UNIX for Advanced & Expert Users

PAM LDAP Passwort

Hallo miteinander, ich bin gerade dabei ein eigenes C-Programm zuschreiben um mich über PAM auf einen LDAP Server zu authentifizieren. ... (2 Replies)
Discussion started by: saschaLin
2 Replies

9. UNIX for Advanced & Expert Users

pam ldap limit authentication

I have a linux machine which authenticate users to ldap, this is working fine. But I would like to limit users that logon to the machines to just the system admins. The machines hosts different web sites which users accessed from there home directory like http://foo.mdx.ac.uk/~username At the... (0 Replies)
Discussion started by: hassan1
0 Replies
Login or Register to Ask a Question