On Monday, 8 November 2010 22:16:51 bluethundr wrote:
Hello List
I am attempting to set up various pam modules to consult our new LDAP services in order to do what it needs to do. My LDAP server is FreeBSD but the clients are CentOS...
I have set up my /etc/pam.d sudo
If you have already setup /etc/pam.d/system-auth for LDAP (e.g. with authconfig), you should not need to make changes to other pam service files.
However, it appears your problem isn't authentication:
but even though the user is part of the %wheel group under LDAP it is unable to sudo to any other account (including root). If I try to sudo this is what happens:
[bluethundr@VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file. This incident will be reported.
So authentication works. PAM doesn't do anything further here ...
It would appear that sudo support for ldap is compiled in:
[root@VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)
Well, now we are getting away from your $subject, which was asking about pam. This has *nothing* to do with PAM (applications wanting to authenticate via pam_ldap don't need to be linked to libldap).
This is how I set up my ldap.conf file
[root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
[...]
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
sudo+ldap looks for that in /etc/ldap.conf. Please don't mix /etc/ldap.conf and /etc/openldap/ldap.conf.
In my openldap logs on the LDAP server there appears to be no activity when I sudo. However, in the secure logs on the client I do..
[..]
Works there!
These logs are irrelevant. More interesting would be the logs on the server-side, to see if *any* searches are done. However, the 'sudo -l' output may be useful.
I do see other events in secure.log that appear to be pam successes however. Am I interpreting this correctly that at least part of the system is communicating with pam on the ldap server?
PAM seems to work, as your password is accepted. Nothing further relates to pam at all. Everything else relates *only* to sudo. Please read your /usr/share/doc/sudo-*/README.LDAP file. For example, the coverage of the 'sudoers_debug' option may be interesting.
Regards, Buchan
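The reply above makes two points that are easy to check mechanically: sudo reads its LDAP options (sudoers_base, sudoers_debug) from /etc/ldap.conf, not from the OpenLDAP client library's /etc/openldap/ldap.conf, and the way to tell whether sudo ever consults the directory is to look for a sudoRole search on the server side. The script below is an added example, not code from this thread or from the sudo project. It parses the two flat "key value" config files (constructed samples modelled on the thread), reports sudo options that sit in the wrong file, and builds the ldapsearch command an administrator can run to reproduce, by hand, the kind of sudoRole query sudo issues for a user and their groups. The sudoRole/sudoUser schema is the one documented in sudo's README.LDAP; the exact search filter is an approximation of sudo's, as the thread does not show it, and the host name ldap.example.invalid is a placeholder.

```python
"""Offline checks for a sudo+LDAP client configuration (added example)."""
import shlex

# Constructed sample: mirrors the thread, where sudoers_base was put into
# /etc/openldap/ldap.conf, the OpenLDAP client *library* config that sudo
# does not read.
OPENLDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample)
URI ldap://ldap.example.invalid
BASE dc=acadaca,dc=net
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
"""

# Constructed sample: /etc/ldap.conf as nss_ldap, pam_ldap and sudo read it,
# still lacking sudoers_base.
LDAP_CONF = """\
# /etc/ldap.conf (constructed sample)
uri\tldap://ldap.example.invalid
base\tdc=acadaca,dc=net
"""

# sudo-specific options named in the thread (README.LDAP lists more).
SUDO_KEYS = ("sudoers_base", "sudoers_debug")


def parse_ldap_conf(text):
    """Parse 'key value' lines; keys are case-insensitive and '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)          # whitespace, tab or space, separates key and value
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def misplaced_sudo_keys(openldap_conf_text, ldap_conf_text):
    """sudo options present in /etc/openldap/ldap.conf but absent from /etc/ldap.conf."""
    in_openldap = parse_ldap_conf(openldap_conf_text)
    in_ldap = parse_ldap_conf(ldap_conf_text)
    return [k for k in SUDO_KEYS if k in in_openldap and k not in in_ldap]


def ldap_filter_escape(value):
    """RFC 4515 escaping so a user or group name cannot alter the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def sudo_role_filter(user, groups):
    """Approximation of sudo's sudoRole lookup: the user, each %group, and ALL."""
    terms = [f"(sudoUser={ldap_filter_escape(user)})"]
    terms += [f"(sudoUser=%{ldap_filter_escape(g)})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return f"(&(objectClass=sudoRole)(|{''.join(terms)}))"


def ldapsearch_argv(conf, user, groups):
    """ldapsearch command that reproduces the query; running it should also
    produce a visible search in the server-side slapd log."""
    base = conf.get("sudoers_base")
    if not base:
        raise ValueError("sudoers_base is not set in /etc/ldap.conf")
    return ["ldapsearch", "-x", "-H", conf["uri"], "-b", base,
            sudo_role_filter(user, groups), "sudoUser", "sudoHost", "sudoCommand"]


if __name__ == "__main__":
    for key in misplaced_sudo_keys(OPENLDAP_CONF, LDAP_CONF):
        print(f"{key} is set in /etc/openldap/ldap.conf but sudo reads /etc/ldap.conf")
    # Merge the misplaced value in, as moving it to /etc/ldap.conf would, then
    # print the manual check for the user and group from the thread.
    merged = {**parse_ldap_conf(LDAP_CONF),
              **{k: parse_ldap_conf(OPENLDAP_CONF)[k] for k in SUDO_KEYS
                 if k in parse_ldap_conf(OPENLDAP_CONF)}}
    print(shlex.join(ldapsearch_argv(merged, "bluethundr", ["wheel"])))
```

If the printed ldapsearch returns no sudoRole entries, the directory data is the problem; if it returns the expected role yet sudo still reports "not in the sudoers file" and the server log shows no search from the client, the client-side configuration (which file sudo reads, and sudoers_debug output) is where to look next.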