Hello list!
I have configured an ldap server to include the sudo schema. In my slapd.conf file i have the following entry in my schemas section:
include /usr/local/etc/openldap/schema/sudo.schema
On my one test client I have the following ldap.conf:
host 127.0.0.1 base dc=summitnjhome,dc=com sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com binddn cn=pam_ldap,ou=services,dc=summitnjhome,dc=com bindpw secret scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com
And in my nsswitch I have the following entry:
sudoers: ldap
I can authenticate and search through the pam_ldap account as well as anonymously.
I have my user account setup in the directory this way:
# summitnjhome.com dn: dc=summitnjhome,dc=com dc: summitnjhome objectClass: dcObject objectClass: organization o: Summit NJ Home
# staff, summitnjhome.com dn: ou=staff,dc=summitnjhome,dc=com ou: staff objectClass: organizationalUnit
# sudoers, Services, summitnjhome.com dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com ou: sudoers objectClass: organizationalUnit objectClass: top
# defaults, sudoers, Services, summitnjhome.com dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here
# %summitnjops, sudoers, Services, summitnjhome.com dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com objectClass: top objectClass: sudoRole cn: %summitnjops sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL sudoOption: !authenticate sudoUser: %summitnjops sudoUser: bluethundr
# bluethundr, summitnjops, staff, summitnjhome.com dn: uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com uid: bluethundr cn: Timothy P. Dunphy givenName: Timothy P. sn: Dude mail: bluethundr@example.com mailRoutingAddress: bluethundr@mail.example.com mailHost: mail.summitnjhome.com objectClass: inetLocalMailRecipient objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top userPassword:: e0NSWVBUfWNySmg3NGtXbHRXeVE= uidNumber: 1001 gidNumber: 1002 homeDirectory: /home/bluethundr gecos: Timothy P. loginShell: /bin/bash
But when I attempt to sudo from the user account, the ladap server searches the correct DN but does not find the user account from what I can tell, tho I am still trying to get the hang of parsing ldap log files:
[bluethundr@LBSD2:/usr/home/bluethundr]$sudo -i Password: bluethundr is not in the sudoers file. This incident will be reported.
From the log:
Jul 30 22:02:30 LBSD2 slapd[95958]: conn=349346 op=1 SRCH base="ou=sudoers,ou=Services,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(cn=defaults)"
I was hoping I could get some advice on how to perhaps adjust either the directory structure or the ldap query so that the sudo user can be found.
I'm including my slapd.conf file, dump of the directory (named snjh.ldif) and more complete logs in hopes that someone out there can help track down the solution to the problem. The log file is basically a snapshot in time of the event when I try to log in as the sudo user.
Thanks in advance! Tim
openldap-technical@openldap.org