Hi buddy,

are u able to check wether ldap support is compiled into your installed sudo?
This is just a hint, I don't know how to do that. :)

Bye.

On Sat, Mar 13, 2010 at 11:28, Zengming Zhang <nicegiving@gmail.com> wrote:
Hi everyone:

       Please help me, I can't get root level access rights(sudo) from
ldap.When I try to use sudo command, there is an error report:
       "user is not in the sudoers file.  This incident will be reported."

       I am going to build a cluster systems, there is a file server and some
client computers. The operating system of file server is Redhat
Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition.
       When users login on a client, the client will get user
authorization info from server and mount its HOME folder automatically.

       I installed openldap server(openldap-2.3.43-3.el5) on file-server, and
use libnss-ldapd, libpam-ldap, auth-client-config
ldap-auth-client and ldap-auth-config packages to change client's user
authorization methods.

       But the problem is I do can get user authorization info from the ldap
server, but I can't get root level access rights from ldap server as
followed the steps here:
http://www.gratisoft.us/sudo/man/sudoers.ldap.html.

##################
My server configurations are:

[1]/etc/openldap/slapd.conf:
------------------------------
The sudoers.schema has been included and indexed:
include         /etc/openldap/schema/sudoers.schema
index sudoUser                          eq

[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server

[3]Some contents in ldap database:
------------------------------
# SUDOers, file-server
dn: ou=SUDOers,dc=file-server
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

# %sysadmins, SUDOers, file-server
dn: cn=%sysadmins,ou=SUDOers,dc=file-server
objectClass: top
objectClass: sudoRole
cn: %sysadmins
sudoUser: %sysadmins
sudoHost: ALL
sudoCommand: ALL

(sysadmins is a group name that I created in my ldap server, what I want
is user in this group can get root level access rights.)
##################

##################
My client configurations are:

[1]sudo-ldap:
------------------------------
A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2  has been
installed.

[2]/etc/ldap.conf:
------------------------------
sudoers_base has been set:
sudoers_base ou=SUDOers,dc=file-server

[3]/etc/nsswitch.conf
------------------------------
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap

# added by zengming, for sudo issue.
sudoers: ldap files

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

[4]I do can see that the user is in the sysadmins group as authorized
from ldap server:
jingna@zzm-desktop:~$ id
uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins)
##################

So, any ideas of you? Please let me know, thanks very much in advance!

Best wishes,
Zengming
--
Zengming Zhang <nicegiving@gmail.com>




--
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra