Hi everyone:
Please help me, I can't get root level access rights(sudo) from ldap.When I try to use sudo command, there is an error report: "user is not in the sudoers file. This incident will be reported."
I am going to build a cluster systems, there is a file server and some client computers. The operating system of file server is Redhat Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition. When users login on a client, the client will get user authorization info from server and mount its HOME folder automatically.
I installed openldap server(openldap-2.3.43-3.el5) on file-server, and use libnss-ldapd, libpam-ldap, auth-client-config ldap-auth-client and ldap-auth-config packages to change client's user authorization methods.
But the problem is I do can get user authorization info from the ldap server, but I can't get root level access rights from ldap server as followed the steps here: http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
################## My server configurations are:
[1]/etc/openldap/slapd.conf: ------------------------------ The sudoers.schema has been included and indexed: include /etc/openldap/schema/sudoers.schema index sudoUser eq
[2]/etc/ldap.conf: ------------------------------ sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]Some contents in ldap database: ------------------------------ # SUDOers, file-server dn: ou=SUDOers,dc=file-server ou: SUDOers objectClass: top objectClass: organizationalUnit
# %sysadmins, SUDOers, file-server dn: cn=%sysadmins,ou=SUDOers,dc=file-server objectClass: top objectClass: sudoRole cn: %sysadmins sudoUser: %sysadmins sudoHost: ALL sudoCommand: ALL
(sysadmins is a group name that I created in my ldap server, what I want is user in this group can get root level access rights.) ##################
################## My client configurations are:
[1]sudo-ldap: ------------------------------ A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been installed.
[2]/etc/ldap.conf: ------------------------------ sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]/etc/nsswitch.conf ------------------------------ # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap
# added by zengming, for sudo issue. sudoers: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files
protocols: db files services: db files ethers: db files rpc: db files
# pre_auth-client-config # netgroup: nis netgroup: nis
[4]I do can see that the user is in the sysadmins group as authorized from ldap server: jingna@zzm-desktop:~$ id uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins) ##################
So, any ideas of you? Please let me know, thanks very much in advance!
Best wishes, Zengming
Hi buddy,
are u able to check wether ldap support is compiled into your installed sudo? This is just a hint, I don't know how to do that. :)
Bye.
On Sat, Mar 13, 2010 at 11:28, Zengming Zhang nicegiving@gmail.com wrote:
Hi everyone:
Please help me, I can't get root level access rights(sudo) from
ldap.When I try to use sudo command, there is an error report: "user is not in the sudoers file. This incident will be reported."
I am going to build a cluster systems, there is a file server and
some client computers. The operating system of file server is Redhat Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition. When users login on a client, the client will get user authorization info from server and mount its HOME folder automatically.
I installed openldap server(openldap-2.3.43-3.el5) on file-server,
and use libnss-ldapd, libpam-ldap, auth-client-config ldap-auth-client and ldap-auth-config packages to change client's user authorization methods.
But the problem is I do can get user authorization info from the
ldap server, but I can't get root level access rights from ldap server as followed the steps here: http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
################## My server configurations are:
[1]/etc/openldap/slapd.conf:
The sudoers.schema has been included and indexed: include /etc/openldap/schema/sudoers.schema index sudoUser eq
[2]/etc/ldap.conf:
sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]Some contents in ldap database:
# SUDOers, file-server dn: ou=SUDOers,dc=file-server ou: SUDOers objectClass: top objectClass: organizationalUnit
# %sysadmins, SUDOers, file-server dn: cn=%sysadmins,ou=SUDOers,dc=file-server objectClass: top objectClass: sudoRole cn: %sysadmins sudoUser: %sysadmins sudoHost: ALL sudoCommand: ALL
(sysadmins is a group name that I created in my ldap server, what I want is user in this group can get root level access rights.) ##################
################## My client configurations are:
[1]sudo-ldap:
A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been installed.
[2]/etc/ldap.conf:
sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]/etc/nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap
# added by zengming, for sudo issue. sudoers: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files
protocols: db files services: db files ethers: db files rpc: db files
# pre_auth-client-config # netgroup: nis netgroup: nis
[4]I do can see that the user is in the sysadmins group as authorized from ldap server: jingna@zzm-desktop:~$ id uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins) ##################
So, any ideas of you? Please let me know, thanks very much in advance!
Best wishes, Zengming -- Zengming Zhang nicegiving@gmail.com
Am Sat, 13 Mar 2010 18:28:08 +0800 schrieb Zengming Zhang nicegiving@gmail.com:
Hi everyone:
Please help me, I can't get root level access rights(sudo) from ldap.When I try to use sudo command, there is an error report: "user is not in the sudoers file. This incident will be reported."
[...]
################## My server configurations are:
[1]/etc/openldap/slapd.conf:
The sudoers.schema has been included and indexed: include /etc/openldap/schema/sudoers.schema index sudoUser eq
Please provide access rules from slapd.conf
[...]
[2]/etc/ldap.conf:
sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
see man ldap.conf(5) for proper configuration [...]
-Dieter
On Saturday, 13 March 2010 11:28:08 Zengming Zhang wrote:
Hi everyone:
Please help me, I can't get root level access rights(sudo) from ldap.When I try to use sudo command, there is an error report: "user is not in the sudoers file. This incident will be reported."
I am going to build a cluster systems, there is a file server and some client computers. The operating system of file server is Redhat Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition. When users login on a client, the client will get user authorization info from server and mount its HOME folder automatically.
I installed openldap server(openldap-2.3.43-3.el5) on file-server, and use libnss-ldapd, libpam-ldap, auth-client-config ldap-auth-client and ldap-auth-config packages to change client's user authorization methods.
But the problem is I do can get user authorization info from the ldap server, but I can't get root level access rights from ldap server as followed the steps here: http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
################## My server configurations are:
[1]/etc/openldap/slapd.conf:
The sudoers.schema has been included and indexed: include /etc/openldap/schema/sudoers.schema index sudoUser eq
[2]/etc/ldap.conf:
sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]Some contents in ldap database:
# SUDOers, file-server dn: ou=SUDOers,dc=file-server ou: SUDOers objectClass: top objectClass: organizationalUnit
# %sysadmins, SUDOers, file-server dn: cn=%sysadmins,ou=SUDOers,dc=file-server objectClass: top objectClass: sudoRole cn: %sysadmins sudoUser: %sysadmins sudoHost: ALL sudoCommand: ALL
(sysadmins is a group name that I created in my ldap server, what I want is user in this group can get root level access rights.) ##################
################## My client configurations are:
[1]sudo-ldap:
A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been installed.
[2]/etc/ldap.conf:
sudoers_base has been set: sudoers_base ou=SUDOers,dc=file-server
[3]/etc/nsswitch.conf
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat passwd: files ldap # pre_auth-client-config # group: compat group: files ldap # pre_auth-client-config # shadow: compat shadow: files ldap
# added by zengming, for sudo issue. sudoers: ldap files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files
protocols: db files services: db files ethers: db files rpc: db files
# pre_auth-client-config # netgroup: nis netgroup: nis
[4]I do can see that the user is in the sysadmins group as authorized from ldap server: jingna@zzm-desktop:~$ id uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins) ##################
So, any ideas of you? Please let me know, thanks very much in advance!
Did you confirm that when you run 'sudo -l' or similar, sudo is actually doing an LDAP search?
Did you enable debugging in the sudo LDAP support, by e.g. adding:
sudoers_debug 2
to /etc/ldap.conf ?
Can you provide 'sudo -l' output?
Regards, Buchan
openldap-technical@openldap.org