Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..
At this point I have an openLDAP server that is working quite splendidly!
I have a working directory with users able to authenticate it and TLS turned on and it is ALL happening through PAM!! Well almost all of it..
The one sticking point I am currently having is getting sudoers to authenticate against LDAP.
Both client and server are CentOS 5.4. On the client I have my /etc/ldap.conf file setup like this:
Code:
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
nss_base_passwd ou=staff,dc=acadaca,dc=net
sudoers_debug 2
I have added the user I am testing to a couple of groups (two regular
DNs and one posixGroup) all of which had the sudoRole objectClass in
the hopes that this might be related to the issue:
Code:
46 cn=%sa,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: %sa
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %sa
sudoUser: bluethundr
50 cn=role1,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: bluethundr
sudoHost: ALL
sudoCommand: ALL
51 cn=sa,ou=Group,dc=acadaca,dc=net
objectClass: posixGroup
objectClass: top
cn: sa
userPassword: {crypt}*
gidNumber: 20004
However that didn't seem to do the trick. When I do attempt to sudo from the client machine this is what I see on the command line:
Code:
[bluethundr@VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file. This incident will be reported.
[bluethundr@VIRCENT03:~]#sudo -l
[sudo] password for bluethundr:
Sorry, user bluethundr may not run sudo on VIRCENT03.
Also I notice that the client can't seem to find it's groups stored in
LDAP even tho I would think that system auth would point sudoers
to them just as it does sshd and su.
Code:
[bluethundr@VIRCENT03:~]#groups bluethundr
id: cannot find name for group ID 1002
I am not entirely sure that this is a separate issue, honestly and I think it may be related.
The other pam services I am working with, su and sshd, trigger events in the openldap logs on the server. Everything is going smoothly with these services, apparently:
In the openldap logs on the server here is a sample of what I see:
Code:
Nov 9 14:03:56 ldap slapd[31269]: bdb_search_candidates: id=1 first=54 last=54
Nov 9 14:03:56 ldap slapd[31269]: => test_filter
Nov 9 14:03:56 ldap slapd[31269]: AND
Nov 9 14:03:56 ldap slapd[31269]: => test_filter_and
Nov 9 14:03:56 ldap slapd[31269]: => test_filter
Nov 9 14:03:56 ldap slapd[31269]: EQUALITY
Nov 9 14:03:56 ldap slapd[31269]: => access_allowed: search access to
"uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net" "objectClass"
requested
Nov 9 14:03:56 ldap slapd[31269]: => acl_get: [1] attr objectClass
Nov 9 14:03:56 ldap slapd[31269]: => acl_mask: access to entry
"uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net", attr "objectClass"
requested
Nov 9 14:03:56 ldap slapd[31269]: => acl_mask: to value by "", (=0)
Nov 9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] applying read(=rscxd) (stop)
Nov 9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] mask: read(=rscxd)
Nov 9 14:03:56 ldap slapd[31269]: => access_allowed: search access
granted by read(=rscxd)
I've attached a more complete log file that shows a little more context. What I've done was clear the openldap logs with an echo " " > statement just before sudoing to root on the client. And the attached logs are show what happened after the event. Honestly, I wish I was better at parsing these log files but unfortunately I'm not quite there as of yet.
Back on the client side I see this noticeable event, amongst quite a lot of successful pam events in the secure log:
Code:
Nov 9 15:37:39 VIRCENT03 sudo: bluethundr : user NOT in sudoers ;
TTY=pts/3 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash
I've also attached a more complete secure log showing a bit more context.
And lastly I've included a copy of my schema in the hopes that that may help.
I have a linux machine which authenticate users to ldap, this is working fine. But I would like to limit users that logon to the machines to just the system admins.
The machines hosts different web sites which users accessed from there home directory like http://foo.mdx.ac.uk/~username
At the... (0 Replies)
Hello gurus,
I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
Hi,
I´m trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is Ok and I made something different in pam.conf, krb5.conf and sshd_config (see above)
nsswitch.ldap:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: ... (0 Replies)
Please I am having problem to login using Active Directory Services 2008 R2 accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all users... (0 Replies)
Please I am having problem to login using Windows 2008 R2 Active Directory Services accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all... (1 Reply)
Hello :)
we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin:
Sysadmin is allowed to... (0 Replies)
Hi Folks,
I've install 389 Directory Server on a Centos 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.
I've "Joined" to my network Account Server, and set my LDAP Mappings to... (2 Replies)
Hi,
I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA.
Is possibile duplicate the... (2 Replies)
11-10-2010
Problems Hooking Sudoers into PAM/LDAP
