Hi,
I am trying to achieve centralized SUDO, but I am facing an issue. I suspect it's something to do with sudoers.schema, but maybe I am wrong. I think somehow the slapd process is not able to read it. Please suggest how to fix the issue.
My LDAP structure is like this: dc=example,dc=com. Under this I have OU=People, and I have created an OU called SUDOers. Then I used sudoers2ldif to generate the LDIF file for me. I have set the environment variable SUDOERS_BASE=ou=SUDOers,dc=example,dc=com. Then when I try to add the LDIF file it shows me the error below.

t710x02-6:/etc/openldap/schema # ldapadd -f /opt/newsudo.ldif -h 127.0.0.1 -D cn=Manager,dc=example,dc=com -W -x
Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
sudoers.ldif:

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
#objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
sudoOption: targetpw

dn: cn=ALL,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL

dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL

dn: cn=prad,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prad
sudoUser: prad
sudoHost: ALL
sudoRunas: ALL
sudoCommand: ALL
sudoers.schema:

#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
Please help me to solve this issue.
I am using SLES 11 and SUDO 1.6.9p17
Regards, Neo
On Monday, 16 May 2011 17:38:31 pradyumna dash wrote:
Hi,
I am trying to achieve centralized SUDO, but I am facing an issue. I suspect it's something to do with sudoers.schema, but maybe I am wrong. I think somehow the slapd process is not able to read it. Please suggest how to fix the issue.
[...]
t710x02-6:/etc/openldap/schema # ldapadd -f /opt/newsudo.ldif -h 127.0.0.1 -D cn=Manager,dc=example,dc=com -W -x
Enter LDAP Password:
adding new entry "cn=defaults,ou=SUDOers,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax

sudoers.ldif:

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
#objectClass: top
objectClass: sudoRole
cn: defaults
Please verify that you have actually included the sudoers.schema in your configuration, and that slapd was restarted after that.
You could check that the objectclass exists in your server. In my case:
$ ldapsearch -x -s base -b cn=subschema objectclasses | perl -p0e 's/\n //g' | grep -i sudo
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
Regards, Buchan
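Buchan's subschema query is the right check, and the same reasoning can be run offline. The script below is an added example (not code from the thread or from OpenLDAP): it unfolds LDIF continuation lines the way the perl one-liner does, parses the objectClasses attribute of a subschema entry, and reports which entries of a sudoers LDIF would be rejected. The two subschema texts are constructed to resemble the folded output of the query on a server without sudo.schema and on one with it; the entries are the ones posted above (shortened). Note that because the 'objectClass: top' line is commented out in the posted cn=defaults entry, value #0 of objectClass is exactly sudoRole, the class that only sudo.schema defines, which matches the "value #0 invalid per syntax" wording of the error.

```python
"""Offline check of a sudoers LDIF against a server's published subschema.

Added example, not code from the thread. Subschema texts are CONSTRUCTED
to resemble the folded output of:
  ldapsearch -x -s base -b cn=subschema objectclasses
"""
import re

# Constructed: a server that has not included sudo.schema (only 'top').
SUBSCHEMA_WITHOUT_SUDO = """\
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTR
 ACT MUST objectClass )
"""
# Constructed: the same server after including sudo.schema and restarting;
# the sudoRole definition is the one Buchan's query returned.
SUBSCHEMA_WITH_SUDO = SUBSCHEMA_WITHOUT_SUDO + """\
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries'
  SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRun
 As $ sudoOption $ description ) )
"""
# Entries from the thread (shortened). 'objectClass: top' is commented out,
# so value #0 of objectClass is 'sudoRole', which only sudo.schema defines.
SUDOERS_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
#objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

dn: cn=prad,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prad
sudoUser: prad
sudoRunas: ALL
sudoCommand: ALL
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (what the perl -p0e one-liner does)."""
    return re.sub(r"\n ", "", ldif_text)


def _names(keyword, definition):
    """Lower-cased names after KEYWORD: one token or a '( a $ b )' list."""
    m = re.search(rf"\b{keyword}\s+(\(([^)]*)\)|(\S+))", definition)
    if not m:
        return []
    if m.group(2) is not None:
        return [n.strip().lower() for n in m.group(2).split("$") if n.strip()]
    return [m.group(3).lower()]


def parse_objectclasses(subschema_text):
    """Map lower-cased class name -> {'sup', 'must', 'may'} (first NAME only)."""
    classes = {}
    for line in unfold(subschema_text).splitlines():
        if line.lower().startswith("objectclasses:"):
            definition = line.split(":", 1)[1]
            name = re.search(r"NAME\s+\(?\s*'([^']+)'", definition)
            if name:
                classes[name.group(1).lower()] = {
                    k: _names(k.upper(), definition) for k in ("sup", "must", "may")}
    return classes


def parse_entries(ldif_text):
    """Entries of an LDIF file as dicts: lower-cased attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):  # '#' starts an LDIF comment
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def _allowed_attrs(name, classes, seen=()):
    """MUST + MAY attributes of a class and of all its superclasses."""
    if name in seen or name not in classes:
        return set()
    attrs = set(classes[name]["must"]) | set(classes[name]["may"])
    for sup in classes[name]["sup"]:
        attrs |= _allowed_attrs(sup, classes, seen + (name,))
    return attrs


def check_entry(entry, classes):
    """Problems slapd would report for ENTRY; [] means it adds cleanly."""
    ocs = entry.get("objectclass", [])
    unknown = [oc for oc in ocs if oc.lower() not in classes]
    if not ocs or unknown:  # slapd validates objectClass values first and stops there
        return [f"objectClass '{oc}' unknown -> Invalid syntax (21)" for oc in unknown] or ["no objectClass"]
    allowed = set().union(*(_allowed_attrs(oc.lower(), classes) for oc in ocs))
    problems = [f"missing required attribute '{m}'" for oc in ocs
                for m in classes[oc.lower()]["must"] if m not in entry]
    problems += [f"attribute '{a}' not allowed by the object classes"
                 for a in entry if a not in ("dn", "objectclass") and a not in allowed]
    return problems


def check_ldif(ldif_text, subschema_text):
    """Map each entry's DN to the problems found (empty list = would add cleanly)."""
    classes = parse_objectclasses(subschema_text)
    return {e["dn"][0]: check_entry(e, classes) for e in parse_entries(ldif_text)}
```

Run check_ldif(SUDOERS_LDIF, SUBSCHEMA_WITHOUT_SUDO) and both entries come back with the sudoRole-unknown problem, which is the error 21 seen in the thread; with SUBSCHEMA_WITH_SUDO both come back clean, including the sudoRunas spelling, because LDAP attribute names compare case-insensitively. To use it against a live server, feed the real output of Buchan's ldapsearch command in place of the constructed subschema text.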
Hi Buchan,
Thanks for your reply. I have tried, but the schema is not getting loaded; I don't know why. I have tried the same setup with CentOS and Red Hat and it looks perfect. I am using SuSE Enterprise 11.
Regards, Pradyumna

On Tue, May 17, 2011 at 9:11 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Friday, 20 May 2011, 14:35:31, pradyumna dash wrote:
Hi Buchan,
Thanks for your reply. I have tried, but the schema is not getting loaded; I don't know why.
How did you try adding the schema? What error messages did you get? Are you using slapd.conf or back-config?
I have tried the same setup with CentOS and Red Hat and it looks perfect. I am using SuSE Enterprise 11.
Regards, Pradyumna
Ralf
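Ralf's question (slapd.conf or back-config) is the one that decides what "loading the schema" means. As an added example, not from the thread, this is what the include looks like in a slapd.conf-based setup; the path is the one the header comment of the posted schema says to save it under, and the core/cosine/inetorgperson lines stand in for whatever the existing configuration already includes:

```conf
# /etc/openldap/slapd.conf (fragment). Order matters: sudo.schema refers to
# 'cn' and 'description' from core.schema and to the IA5 syntax and matching
# rules, so its include line must come after core.schema, not before it.
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/sudo.schema
```

After editing, slaptest -f /etc/openldap/slapd.conf reports a wrong path or a schema parse error without touching the running server; only after a clean slaptest and a restart of slapd should the subschema query from Buchan's reply show an objectClasses line for sudoRole, and only then can the sudoers LDIF be added. If the server is using back-config instead, there is no include line to edit: the schema has to be present as an olcSchemaConfig entry under cn=schema,cn=config, and editing slapd.conf has no effect.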
openldap-technical@openldap.org