Re: [BSD7] Openldap with SUDOers

On Tue, 03 Jun 2008, karim.bourenane_at_orange-ftgroup.com wrote:


> Hi Team, and All
>

Hello,
 
> I want to create a sudoers profile in my openldap, but i dont undestand 
> how to do.
> Actually in my Ldap i have :
> In slapd.conf
>         # Sudoers definition base
>         sudoers_base   ou=SUDOers,dc=domain,dc=com
>         sudoers_debug 0
> 
> Distinguished Name: ou=SUDOers,dc=domain,dc=com
> 
> Distinguished Name: cn=defaults,ou=SUDOers,dc=domain,dc=com
> With sudoOption:
>                 ignore_dot
>                 !mail_no_user
>                 log_host
>                 !syslog
>                 timestamp_timeout=10
> 
> Distinguished Name: cn=role1,ou=SUDOers,dc=domain,dc=com
> ObjetClass : Top and SudoRole
> sudoCommand : All
> sudoHost : ALL
> sudoOption: !authenticate
> sudoUser : login1,login2
> 
This part seems to be ok.

> When i connect and try command "sudo su"
> %sudo su
>         Password:
>         login1 is not in the sudoers file.  This incident will be 
> reported.
> 

To be sure that sudo don't use /etc/sudoers, please add
ignore_local_sudoers in sudoOptions for cn=defaults
Then, strings < /usr/bin/sudo | grep ldap | grep /
/etc/ldap/ldap.conf
(sorry, i'm using a debian for this time :P)

in /etc/ldap/ldap.conf
BASE    dc=XXXXX, dc=XX
URI     ldap://ip.ip.ip.ip

sudoers_base    ou=SUDOers,dc=XXXX,dc=XX
binddn          cn=sudoers,dc=XXXX,dc=XX
bindpw          secret
sudoers_debug        2

BE SURE TO HAVE TABULATIONS AND NO SPACE! (I loose 3 hours because of a
space!)


PS: If you prefer to speak french, don't hesitate to ask me via private
mail :)

-- 
Philippe Audeoud
FreeBSD Committer	| jadawin_at_FreeBSD.org