Thanks Buchan for your inputs.
I am using openldap-2.4.25 on RHEL5.4.
sudo -V as root
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
I could configure the sudoers and it is working now.
The change I did was I removed all the changes made to the /etc/pam.d/login file and in
/etc/nsswitch.conf added the entry
sudoer : files ldap
Thanks for your suggestions.
Regards,
Naga Chaitanya
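As an added example (not part of the thread, and not sudo's or OpenLDAP's own code), the following shell functions reproduce the checks Buchan asks for below: which ldap.conf the sudo binary actually reads (from 'sudo -V' run as root), the sudoers_base in that file, whether /etc/nsswitch.conf carries a line sudo 1.7 will recognise, and the first-pass LDAP filter sudo 1.7 sends for a user and their groups. Assumptions: the 'sudo -V' output has been saved to a file, group names are passed explicitly, and ldapsearch from the OpenLDAP client tools is installed; the base DN and user names in the usage comments are taken from the thread and are only illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks that mirror how
# sudo 1.7.x decides whether LDAP sudoers is consulted, plus the live
# ldapsearch a practitioner would run next.

# Path of the ldap.conf the sudo binary was built to read.
# Input: a file holding the output of 'sudo -V' run as root
# (run as a normal user, sudo 1.7 omits the path lines).
sudo_v_ldap_conf() {
    awk -F': ' '$1 == "ldap.conf path" { print $2 }' "$1"
}

# sudoers_base from that ldap.conf. sudo does not read
# /etc/openldap/ldap.conf, so a sudoers_base placed there is ignored.
ldap_conf_sudoers_base() {
    awk '$1 == "sudoers_base" { print $2; exit }' "$1"
}

# Sources sudo will consult, from nsswitch.conf. sudo 1.7 matches a line
# whose first eight characters are "sudoers:" (case-insensitive), so a
# line such as "sudoer : files ldap" is silently ignored and sudo falls
# back to /etc/sudoers only. Prints MISSING when no such line exists.
nsswitch_sudoers_sources() {
    awk 'tolower(substr($0, 1, 8)) == "sudoers:" {
             s = substr($0, 9)
             gsub(/^[ \t]+|[ \t]+$/, "", s)
             print s
             found = 1
             exit
         }
         END { if (!found) print "MISSING" }' "$1"
}

# The first-pass filter sudo 1.7 sends for a user and their groups:
#   (|(sudoUser=USER)(sudoUser=%GROUP)...(sudoUser=ALL))
# Netgroup entries (sudoUser: +name) are fetched by a separate query and
# matched locally, so they are not part of this filter.
sudo_ldap_filter() {
    user=$1; shift
    f="(sudoUser=$user)"
    for g in "$@"; do
        f="$f(sudoUser=%$g)"
    done
    printf '(|%s(sudoUser=ALL))' "$f"
}

# Live check against the directory (needs network; not exercised offline).
# Usage: sudo_ldap_lookup ou=SUDOers,dc=comverse-in,dc=com sysadmin wheel
# The first query shows the cn=defaults entry, the second the roles that
# would match the user, which is what 'sudo -l' should then report.
sudo_ldap_lookup() {
    base=$1; user=$2; shift 2
    ldapsearch -x -LLL -b "$base" "(cn=defaults)" sudoOption
    ldapsearch -x -LLL -b "$base" "$(sudo_ldap_filter "$user" "$@")" \
        sudoHost sudoRunAsUser sudoCommand sudoOption
}
```

If nsswitch_sudoers_sources prints MISSING while 'sudo -V' as root shows an nsswitch path, sudo never queries LDAP no matter what ldap.conf says; if the ldapsearch returns the expected sudoRole entries but 'sudo -l' still denies the user, the remaining suspects are the group list the client resolves (compare 'id' on the client with the %group values) and the sudoHost values.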
________________________________________
From: Buchan Milne [bgmilne(a)staff.telkomsa.net]
Sent: Monday, August 29, 2011 8:14 PM
To: openldap-technical(a)openldap.org
Cc: Naga Chaitanya Palle
Subject: Re: sudoers: not able to execute commands with sudo
On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
Hi,
I have configured sudoers in my environment.
You may want to provide more detail on the environment (OS/distro, which LDAP-based
naming service - e.g. nss_ldap, pam-nss-ldapd etc. - you are using).
But when I try to execute a
command using sudo, the commands fails to get executed saying "sysadmin is
not in the sudoers file. This incident will be reported." .
I am using sysadmin account as mentioned in the below sudoers ldif file.
login as: sysadmin
sysadmin(a)10.150.14.144's password:
Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
Could not chdir to home directory /home/sysadmin: No such file or directory
Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?
-bash-3.2$ sudo ls
[sudo] password for sysadmin:
sysadmin is not in the sudoers file. This incident will be reported.
-bash-3.2$ sudo -V
Sudo version 1.7.2p1
It would be more instructive to run 'sudo -V' as root.
-bash-3.2$ sudo -l
[sudo] password for sysadmin:
Sorry, user sysadmin may not run sudo on devonly144.
-bash-3.2
Since some of your sudo rules are group-based, you may want to provide the
output of 'id' or 'groups' here.
On the server the sudoers file is
/etc/openldap/slapd.conf
include /usr/share/openldap2.4/schema/sudo.schema
index sudoUser eq
/etc/openldap/ldap.conf
sudoers_base ou=SUDOers,dc=comverse-in,dc=com
This is probably the wrong ldap.conf, this should probably be one of
/etc/ldap.conf, /etc/nss_ldap.conf, /etc/sudo-ldap.conf, depending on the
distribution.
sudoers.ldif
# SUDOers, comverse-in.com
dn: ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: syslog=auth

dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: operator
sudoUser: operator
sudoHost: ALL
sudoCommand: /usr/sbin/dump
sudoCommand: /usr/sbin/rdump
sudoCommand: /usr/sbin/restore
sudoCommand: /usr/sbin/rrestore
sudoCommand: /usr/bin/mt
sudoCommand: /usr/bin/kill
sudoCommand: /usr/sbin/shutdown
sudoCommand: /usr/sbin/halt
sudoCommand: /usr/sbin/reboot
sudoCommand: /usr/sbin/lpc
sudoCommand: /usr/bin/lprm
sudoCommand: sudoedit /etc/printcap
sudoCommand: /usr/oper/bin/

dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: orion
sudoCommand: /sbin/umount /CDROM
# the comma in the mount options is escaped so this stays one sudoCommand value
sudoCommand: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
sudoOption: !authenticate
On client:
/etc/ldap.conf
sudoers_base ou=SUDOers,dc=comverse-in,dc=com
nss_base_passwd ou=People,dc=comverse-in,dc=com?one
nss_base_shadow ou=People,dc=comverse-in,dc=com?one
nss_base_group ou=Group,dc=comverse-in,dc=com?one
Please check that this is the correct configuration file, according to 'sudo -
V' output as root.
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_securetty.so
auth sufficient pam_ldap.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_nologin.so
account include system-auth
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password include system-auth
password sufficient pam_ldap.so
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session sufficient pam_ldap.so
session required pam_stack.so service=system-auth
session optional pam_console.so
session required /lib/security/pam_limits.so
In most environments it is preferable to configure LDAP authentication in a
single service file that is referenced by the others, in this case
/etc/pam.d/system-auth, rather than the individual service files.
/etc/nsswitch.conf
passwd: ldap files
shadow: ldap files
group: ldap files
In 1.7.x you may need to add:
sudoers: files ldap
or similar to /etc/nsswitch.conf (depending on the sudo build-time
configuration, which you can see with 'sudo -V' as root).
Regards,
Buchan