sudoers file with groups in LDAP


 
# 1  
Old 11-13-2008
sudoers file with groups in LDAP

Hello gurus,

I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to their respective groups. I've also set up my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The problem is that when a user tries to sudo to a user within their group(s) it errors out saying the user is not in the sudoers file. Also, when I do 'id -a username' it will show the uid, the gid and the group. Has anyone done this before, and if so, what am I missing?

Thanks,

==============================

nsswitch.conf
group: files nis ldap

sample of my sudoers file
##################
# User alias specification #
##################

User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba

##################
#Cmnd alias specification#
##################

#GID 14 SYSADMIN is for System Administrators who require ROOT access
# !!!NOTE - THIS GROUP GIVES ROOT ACCESS ON ALL SYSTEMS!!!!
Cmnd_Alias ROOTSHELLS =\
/bin/su -, \
/bin/sh, \
/bin/csh, \
/bin/bash, \
/usr/bin/bash, \
/bin/ksh


#GID 101 DBADMIN is used primarily for the DBA group
Cmnd_Alias DB_ADMIN=\
/bin/su - , \
/bin/sh , \
/bin/csh , \
/bin/su - oracle, \
/bin/kill ?*, \
/bin/rm -i ?*


#####################
# User privilege specification #
#####################

root ALL=(ALL) ALL
SYSADMIN ALL_SERVERS = NOPASSWD:ROOTSHELLS
DBADMIN ALL_SERVERS = DB_ADMIN
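An added example (not code from this thread) that shows what sudo has to get back from the name service for a `%group` entry to match: a small audit script that parses the User_Alias and privilege lines of a sudoers file, resolves group membership from passwd (primary gid) plus group (member lists), and reports which accounts each privilege line actually reaches. A `%group` that no resolvable user belongs to is listed separately, since that is exactly the situation in which sudo reports "user is not in the sudoers file". The SUDOERS, PASSWD and GROUP texts are constructed samples in getent format, and ALL stands in for the undefined ALL_SERVERS host alias from the post.

```python
"""Audit which accounts a sudoers file reaches through %group entries.

Added example, not code from the thread. Group membership is resolved the
way the name service would report it: primary gid from passwd plus member
lists from group. SUDOERS, PASSWD and GROUP are constructed samples; ALL is
used in place of the thread's undefined ALL_SERVERS host alias."""
import re

SUDOERS = """\
User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba
User_Alias OPS=%ops
Cmnd_Alias ROOTSHELLS =\\
/bin/su -, \\
/bin/sh
Cmnd_Alias DB_ADMIN=\\
/bin/su - oracle, \\
/bin/kill ?*
root ALL=(ALL) ALL
SYSADMIN ALL = NOPASSWD:ROOTSHELLS
DBADMIN ALL = DB_ADMIN
OPS ALL = /usr/bin/prstat
"""

# Constructed output in "getent passwd" / "getent group" format.
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:14:Alice:/export/home/alice:/bin/bash
bob:x:1002:100:Bob:/export/home/bob:/bin/bash
carol:x:1003:100:Carol:/export/home/carol:/bin/bash
"""
GROUP = """\
sysadmin::14:bob
dba::101:carol
staff::100:
"""


def _join_continuations(text):
    """sudoers treats a trailing backslash as a line continuation."""
    return re.sub(r"\\\n", " ", text)


def parse_sudoers(text):
    """Return (user_aliases, specs); specs are (user_list_entry, rest) pairs."""
    aliases, specs = {}, []
    for line in _join_continuations(text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"User_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
        elif re.match(r"(Cmnd|Host|Runas)_Alias\s", line):
            continue  # these aliases do not change who matches a line
        else:
            who, rest = line.split(None, 1)
            specs.append((who, rest))
    return aliases, specs


def resolve_groups(passwd, group):
    """user -> set of group names, as id(1) would report them."""
    gid_name, members = {}, {}
    for line in group.splitlines():
        name, _pw, gid, mem = line.split(":")
        gid_name[gid] = name
        members[name] = [u for u in mem.split(",") if u]
    user_groups = {}
    for line in passwd.splitlines():
        user, _pw, _uid, gid = line.split(":")[:4]
        user_groups[user] = {gid_name[gid]} if gid in gid_name else set()
    for name, users in members.items():
        for u in users:
            user_groups.setdefault(u, set()).add(name)
    return user_groups


def audit(sudoers, passwd, group):
    """Return (grants, unresolved): grants maps each privilege spec to the
    users who match it; unresolved lists %groups no known user belongs to."""
    aliases, specs = parse_sudoers(sudoers)
    user_groups = resolve_groups(passwd, group)
    grants, unresolved = {}, set()
    for who, rest in specs:
        matched = set()
        for entry in aliases.get(who, [who]):
            if entry.startswith("%"):
                g = entry[1:]
                hits = {u for u, gs in user_groups.items() if g in gs}
                if not hits:
                    unresolved.add(g)
                matched |= hits
            else:
                matched.add(entry)
        grants[rest] = sorted(matched)
    return grants, sorted(unresolved)


if __name__ == "__main__":
    grants, unresolved = audit(SUDOERS, PASSWD, GROUP)
    for spec, users in grants.items():
        print("%-28s %s" % (spec, ", ".join(users) or "<nobody>"))
    print("unresolved groups:", unresolved)
```

Feeding it the real `getent passwd` and `getent group` output from a DR box and from a prod box side by side shows directly whether the group line of nsswitch.conf is handing back the same membership on both; if a group only appears under unresolved on one host, the difference is in name resolution, not in sudoers.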
# 2  
Old 11-13-2008
We do this all the time but we don't use NIS, just LDAP. I have noticed some language at Sun's site that the two don't mix. Only one I can find right now: passwd(1) - change login password and password attributes (man pages section 1: User Commands) - Sun Microsystems

Quote:
If all requirements are met, by default, the passwd command will consult /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries will be updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations will prevent users from logging onto the system. The password update configurations are:

passwd: files

passwd: files ldap

passwd: files nis

passwd: files nisplus

passwd: compat (==> files nis)

passwd: compat (==> files ldap)

passwd_compat: ldap

passwd: compat (==> files nisplus)

passwd_compat: nisplus
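An added example (not from the thread) that turns the quoted passwd(1) list into a check: it parses an nsswitch.conf, normalises the passwd line the way the man page does (a bare `compat` expands to the `passwd_compat` source, defaulting to nis), and reports whether the result is one of the documented password-update configurations. The SAMPLE file is constructed.

```python
"""Check the passwd configuration of an nsswitch.conf against the password
update combinations listed in the passwd(1) man page quoted above.

Added example, not from the thread. "compat" is resolved as the man page
describes (passwd_compat selects the source, defaulting to nis), and status
actions such as [NOTFOUND=return] are ignored. SAMPLE is constructed."""
import re

# Effective passwd configurations the man page lists as supported.
SUPPORTED = {
    ("files",), ("files", "ldap"), ("files", "nis"), ("files", "nisplus"),
    ("compat", "nis"), ("compat", "ldap"), ("compat", "nisplus"),
}

SAMPLE = """\
# constructed nsswitch.conf
passwd:     files ldap
group:      files nis ldap
hosts:      files dns [NOTFOUND=return]
"""


def parse_nsswitch(text):
    """database -> ordered source list; comments and [status=action] dropped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        db[key.strip()] = rest.split()
    return db


def effective_passwd(db):
    """Normalise to the man page's form: a bare compat line becomes
    ("compat", <passwd_compat source>), nis when passwd_compat is absent."""
    srcs = tuple(db.get("passwd", ()))
    if srcs == ("compat",):
        return ("compat", db.get("passwd_compat", ["nis"])[0])
    return srcs


def passwd_update_supported(text):
    """True when the passwd line matches a documented configuration."""
    return effective_passwd(parse_nsswitch(text)) in SUPPORTED


if __name__ == "__main__":
    for conf in (SAMPLE, "passwd: compat\npasswd_compat: ldap\n",
                 "passwd: files nis ldap\n"):
        print(effective_passwd(parse_nsswitch(conf)),
              "supported" if passwd_update_supported(conf)
              else "not in the documented list")
```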
# 3  
Old 11-13-2008
Our passwd line looks like so:

passwd: files nis compat

The weird part about this is that I was testing this on our DR servers and it worked fine. I also had a user test this from a different group and it worked fine as well. But when I attempt to do this on a prod server, I get the error "user abc is not in sudoers"....

And our DR servers are set up exactly the same as our prod servers.
# 4  
Old 11-13-2008
Same os version and patch levels?
# 5  
Old 11-14-2008
Quote:
Originally Posted by Perderabo
Same os version and patch levels?
Yep, all the same.
# 6  
Old 11-14-2008
Then I'm stumped. But I bet it will work if you drop NIS.
# 7  
Old 11-14-2008
Yeah... I think I got it figured out. I'm going to play around with it some more and I'll post my results after I test it IF it's successful. But thanks for your help Perderabo!
