Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..
At this point I have an openLDAP server that is working quite splendidly!
I have a working directory with users able to authenticate it and TLS turned on and it is ALL happening through PAM!! Well almost all of it..
The one sticking point I am currently having is getting sudoers to authenticate against LDAP.
Both client and server are CentOS 5.4. On the client I have my /etc/ldap.conf file setup like this:
I have added the user I am testing to a couple of groups (two regular
DNs and one posixGroup) all of which had the sudoRole objectClass in
the hopes that this might be related to the issue:
However that didn't seem to do the trick. When I do attempt to sudo from the client machine this is what I see on the command line:
Also I notice that the client can't seem to find it's groups stored in
LDAP even tho I would think that system auth would point sudoers
to them just as it does sshd and su.
I am not entirely sure that this is a separate issue, honestly and I think it may be related.
The other pam services I am working with, su and sshd, trigger events in the openldap logs on the server. Everything is going smoothly with these services, apparently:
In the openldap logs on the server here is a sample of what I see:
I've attached a more complete log file that shows a little more context. What I've done was clear the openldap logs with an echo " " > statement just before sudoing to root on the client. And the attached logs are show what happened after the event. Honestly, I wish I was better at parsing these log files but unfortunately I'm not quite there as of yet.
Back on the client side I see this noticeable event, amongst quite a lot of successful pam events in the secure log:
I've also attached a more complete secure log showing a bit more context.
And lastly I've included a copy of my schema in the hopes that that may help.
[QUOTE=vbe;302470511]Lets start from the beginning:
What version of sudo are you using?[/QUOTE}
Hello! Here is my (surprisingly verbose) sudo -V output:
Code:
[root@VIRCENT03:~]#sudo -V
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
192.168.1.25 / 255.255.255.0
fe80::216:36ff:fe05:dc53 / ffff:ffff:ffff:ffff::
Quote:
Did you go through this doc:
Sudo README.LDAP
Yes, I actually have gone through this doc... but l will try giving it another read through..
Hi,
I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA.
Is possibile duplicate the... (2 Replies)
Hi Folks,
I've install 389 Directory Server on a Centos 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.
I've "Joined" to my network Account Server, and set my LDAP Mappings to... (2 Replies)
Hello :)
we use LDAP with sudoers about 4 years. Works fine. But we have one problem with members of the admingroup (wheel). This users can do every command with sudo and with there privat password. But when they also are member to another special group, like sysadmin:
Sysadmin is allowed to... (0 Replies)
Please I am having problem to login using Windows 2008 R2 Active Directory Services accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all... (1 Reply)
Please I am having problem to login using Active Directory Services 2008 R2 accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all users... (0 Replies)
Hi,
I´m trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is Ok and I made something different in pam.conf, krb5.conf and sshd_config (see above)
nsswitch.ldap:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: ... (0 Replies)
Hello gurus,
I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to there respective groups. I've also setup my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The... (6 Replies)
I have a linux machine which authenticate users to ldap, this is working fine. But I would like to limit users that logon to the machines to just the system admins.
The machines hosts different web sites which users accessed from there home directory like http://foo.mdx.ac.uk/~username
At the... (0 Replies)