On Tuesday, 9 November 2010 00:07:27 Indexer wrote:
> I have had a similar issue on my OpenLDAP setup. I have a posixgroup in ldap, into which I placed a list of users for sudo access, and it never works.
Works just fine here. Seems your nss setup is broken.
> Both full dn, and just the uid or id number of the user in the posixgroup, don't work.
> Sudo supports some LDAP based configuration from what I understand, but I think that is different to what you are trying to achieve in this case.
No, it is what the OP is trying to achieve.
Here is an example with sudo rules in LDAP, applied to groups that only exist in LDAP:
[bgmilne@saturn ~]$ grep bgmilne /etc/passwd
[bgmilne@saturn ~]$ grep bgmilne /etc/group
[bgmilne@saturn ~]$ groups
sysadmins build developers dbas ispservices
[bgmilne@saturn ~]$ sudo -l
User bgmilne may run the following commands on this host:

LDAP Role: BUILD
    Commands:
        /usr/bin/eash
        /usr/local/bin/eash
[...]

[bgmilne@saturn ~]$ ldapsearch -LLL -x "(&(objectclass=sudoRole)(cn=BUILD))"
dn: cn=BUILD,ou=SUDOers,dc=xxx....
objectClass: top
objectClass: sudoRole
cn: BUILD
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %sysadmins
sudoUser: %build
sudoCommand: /usr/bin/eash
sudoCommand: /usr/local/bin/eash

[bgmilne@saturn ~]$ sudo eash
[i] trying 192.168.123.16:5554 ... connected.
Awaiting EAS central server validation ... granted.
All privileged access to this host is audited.
Exit your shell if you do not accept the conditions of privileged access to this host.
[saturn:~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t
Regards, Buchan
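To make the point of this reply concrete, here is an added example (not code from the thread or from sudo itself): a small Python check that parses a constructed copy of the BUILD sudoRole entry above and evaluates its sudoUser/sudoHost specs the way sudo-ldap matches them, once with the groups NSS reports for the user and once with no LDAP groups visible, which is the failure mode the first poster describes. The dc= suffix, hostname and group lists are placeholders.

```python
from fnmatch import fnmatch

# Constructed sample: the sudoRole entry as `ldapsearch -LLL` prints it
# (modelled on the BUILD entry above; the dc= suffix is a placeholder).
LDIF = """dn: cn=BUILD,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: BUILD
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %sysadmins
sudoUser: %build
sudoCommand: /usr/bin/eash
sudoCommand: /usr/local/bin/eash
"""


def parse_ldif_entry(text):
    """Collect one LDIF entry into {attribute: [values]}, keeping multi-valued attributes."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def user_matches(entry, user, groups):
    """sudoUser specs handled here: ALL, a plain username, or %group, where the group
    name must be one NSS resolves for the user (that is the dependency on a working
    nss_ldap / sssd setup). The #uid, %#gid and +netgroup forms are not handled."""
    for spec in entry.get("sudoUser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def host_matches(entry, host):
    """sudoHost: ALL or a (wildcard) hostname; netgroups and IP/netmask forms are omitted."""
    return any(h == "ALL" or fnmatch(host, h) for h in entry.get("sudoHost", []))


def allowed_commands(entry, user, groups, host):
    """Commands the role grants this user on this host, or [] when the role does not apply."""
    if not (user_matches(entry, user, groups) and host_matches(entry, host)):
        return []
    return list(entry.get("sudoCommand", []))


if __name__ == "__main__":
    role = parse_ldif_entry(LDIF)
    # Groups as `groups` reports them once NSS resolves the LDAP posixGroups.
    print(allowed_commands(role, "bgmilne", ["sysadmins", "build", "developers"], "saturn"))
    # With no LDAP groups visible through NSS, no %group spec can ever match.
    print(allowed_commands(role, "bgmilne", [], "saturn"))
```

Run `id <user>` or `getent group <groupname>` on the client first: if the LDAP group does not show up there, the %group spec in the sudoRole cannot match, whatever the LDAP entry says.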