Hello list!
I have configured an LDAP server to include the sudo schema. In my slapd.conf file I have
the following entry in my schemas section:
include /usr/local/etc/openldap/schema/sudo.schema
On my one test client I have the following ldap.conf:
host 127.0.0.1
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
And in my nsswitch I have the following entry:
sudoers: ldap
I can authenticate and search through the pam_ldap account as well as anonymously.
I have my user account set up in the directory this way:
# summitnjhome.com
dn: dc=summitnjhome,dc=com
dc: summitnjhome
objectClass: dcObject
objectClass: organization
o: Summit NJ Home

# staff, summitnjhome.com
dn: ou=staff,dc=summitnjhome,dc=com
ou: staff
objectClass: organizationalUnit

# sudoers, Services, summitnjhome.com
dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com
ou: sudoers
objectClass: organizationalUnit
objectClass: top

# defaults, sudoers, Services, summitnjhome.com
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

# %summitnjops, sudoers, Services, summitnjhome.com
dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %summitnjops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %summitnjops
sudoUser: bluethundr

# bluethundr, summitnjops, staff, summitnjhome.com
dn: uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P. Dunphy
givenName: Timothy P.
sn: Dude
mail: bluethundr@example.com
mailRoutingAddress: bluethundr@mail.example.com
mailHost: mail.summitnjhome.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e0NSWVBUfWNySmg3NGtXbHRXeVE=
uidNumber: 1001
gidNumber: 1002
homeDirectory: /home/bluethundr
gecos: Timothy P.
loginShell: /bin/bash
But when I attempt to sudo from the user account, the LDAP server searches the correct DN
but does not find the user account from what I can tell, though I am still trying to get the
hang of parsing LDAP log files:
[bluethundr@LBSD2:/usr/home/bluethundr]$sudo -i
Password:
bluethundr is not in the sudoers file. This incident will be reported.
From the log:
Jul 30 22:02:30 LBSD2 slapd[95958]: conn=349346 op=1 SRCH
base="ou=sudoers,ou=Services,dc=summitnjhome,dc=com" scope=2 deref=0
filter="(cn=defaults)"
I was hoping I could get some advice on how to perhaps adjust either the directory
structure or the ldap query so that the sudo user can be found.
I'm including my slapd.conf file, dump of the directory (named snjh.ldif) and more
complete logs in hopes that someone out there can help track down the solution to the
problem. The log file is basically a snapshot in time of the event when I try to log in as
the sudo user.
Thanks in advance!
Tim
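As an added example (not code from the message above, nor from sudo itself), here is a small Python model of the two lookups sudoers.ldap(5) documents: the cn=defaults search seen in the log, followed by a sudoUser filter built from the user name, the user's groups and ALL. It is run over the two sudoRole entries from the LDIF, and it assumes (not shown in the post) that bluethundr is a member of a group named summitnjops.

```python
# Added example: a minimal model of sudo's LDAP sudoers lookup (per sudoers.ldap(5)),
# evaluated offline against the sudoRole entries from the post.
import re

# Constructed copy of the two sudoRole entries from the post (trimmed LDIF).
SUDOERS_LDIF = """\
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: sudoRole
cn: %summitnjops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %summitnjops
sudoUser: bluethundr
"""

def parse_ldif(text):
    """Parse simple LDIF (no continuation lines) into a list of attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def sudo_user_filter(user, groups):
    """The second query sudo sends after (cn=defaults): user, each %group, and ALL."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups] + ["(sudoUser=ALL)"]
    return "(|" + "".join(terms) + ")"

def matching_roles(entries, user, groups, host):
    """Roles whose sudoUser covers user/groups and whose sudoHost covers host."""
    wanted = {user, "ALL"} | {f"%{g}" for g in groups}
    return [
        e["cn"][0] for e in entries
        if set(e.get("sudoUser", [])) & wanted
        and any(h in ("ALL", host) for h in e.get("sudoHost", []))
    ]

if __name__ == "__main__":
    roles = parse_ldif(SUDOERS_LDIF)
    print(sudo_user_filter("bluethundr", ["summitnjops"]))
    print(matching_roles(roles, "bluethundr", ["summitnjops"], "LBSD2"))
```

Comparing the filter this prints against the slapd log shows whether the client ever issued the second query, or stopped after (cn=defaults).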