I set up two VMs called ldap.lab.local and client.lab.local. Configs/Info for ldap.lab.local:
[root@ldap etc]# cat /etc/centos-release CentOS release 6.5 (Final) [root@ldap etc]# cat /etc/openldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/cacerts URI ldap://ldap.lab.local BASE dc=lab,dc=local TLS_REQCERT allow [root@ldap etc]# rpm -qa |grep 389 389-ds-1.2.2-1.el6.noarch 389-ds-base-libs-1.2.11.15-34.el6_5.x86_64 389-console-1.1.7-1.el6.noarch 389-admin-console-1.1.8-1.el6.noarch 389-admin-1.1.35-1.el6.x86_64 389-admin-console-doc-1.1.8-1.el6.noarch 389-adminutil-1.1.19-1.el6.x86_64 389-ds-base-1.2.11.15-34.el6_5.x86_64 389-ds-console-doc-1.2.6-1.el6.noarch 389-ds-console-1.2.6-1.el6.noarch 389-dsgw-1.1.11-1.el6.x86_64 [root@ldap etc]# ldapsearch -x -ZZ # extended LDIF # # LDAPv3 # base <dc=lab,dc=local> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # lab.local dn: dc=lab,dc=local objectClass: top objectClass: domain dc: lab # Directory Administrators, lab.local dn: cn=Directory Administrators,dc=lab,dc=local objectClass: top objectClass: groupofuniquenames cn: Directory Administrators uniqueMember: cn=Directory Manager # Groups, lab.local dn: ou=Groups,dc=lab,dc=local objectClass: top objectClass: organizationalunit ou: Groups # People, lab.local dn: ou=People,dc=lab,dc=local objectClass: top objectClass: organizationalunit ou: People # Special Users, lab.local dn: ou=Special Users,dc=lab,dc=local objectClass: top objectClass: organizationalUnit ou: Special Users description: Special Administrative Accounts # Accounting Managers, Groups, lab.local dn: cn=Accounting Managers,ou=Groups,dc=lab,dc=local objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager # HR Managers, Groups, 
lab.local dn: cn=HR Managers,ou=Groups,dc=lab,dc=local objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries uniqueMember: cn=Directory Manager # QA Managers, Groups, lab.local dn: cn=QA Managers,ou=Groups,dc=lab,dc=local objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager # PD Managers, Groups, lab.local dn: cn=PD Managers,ou=Groups,dc=lab,dc=local objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries uniqueMember: cn=Directory Manager # SUDOers, lab.local dn: ou=SUDOers,dc=lab,dc=local ou: SUDOers objectClass: top objectClass: organizationalunit # root, SUDOers, lab.local dn: cn=root,ou=SUDOers,dc=lab,dc=local cn: root objectClass: top objectClass: sudorole sudoCommand: ALL sudoHost: ALL sudoRunAsUser: ALL sudoUser: root # test, lab.local dn: uid=test,dc=lab,dc=local givenName: test sn: test loginShell: /bin/bash uidNumber: 600 gidNumber: 10 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount uid: test gecos: test cn: test homeDirectory: /home/test # defaults, SUDOers, lab.local dn: cn=defaults,ou=SUDOers,dc=lab,dc=local cn: defaults objectClass: top objectClass: sudorole sudoOption: env_keep+=SSH_AUTH_SOCK # test2, lab.local dn: uid=test2,dc=lab,dc=local givenName: test2 sn: test2 loginShell: /bin/bash uidNumber: 654 gidNumber: 10 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount uid: test2 cn: test2 homeDirectory: /home/test2 # wheel, lab.local dn: cn=wheel,dc=lab,dc=local gidNumber: 10 memberUid: test2 objectClass: top objectClass: groupofuniquenames objectClass: posixgroup cn: wheel # wheel, SUDOers, lab.local dn: cn=wheel,ou=SUDOers,dc=lab,dc=local cn: wheel objectClass: 
top objectClass: sudorole sudoCommand: ALL sudoHost: ALL sudoUser: %wheel sudoRunAsUser: ALL # test, SUDOers, lab.local dn: cn=test,ou=SUDOers,dc=lab,dc=local cn: test objectClass: top objectClass: sudorole sudoCommand: ALL sudoHost: ALL sudoRunAsUser: ALL sudoUser: test # search result search: 3 result: 0 Success # numResponses: 18 # numEntries: 17 Configs/Info for client.lab.local: [root@client ~]# cat /etc/centos-release CentOS release 6.5 (Final) [root@client ~]# rpm -qa |grep sssd sssd-1.9.2-129.el6_5.4.x86_64 sssd-client-1.9.2-129.el6_5.4.x86_64 [root@client ~]# cat /etc/openldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/cacerts URI ldap://ldap.lab.local BASE dc=lab,dc=local TLS_REQCERT allow [root@client ~]# cat /etc/sssd/sssd.conf [domain/default] ldap_tls_reqcert = allow sudo_provider = ldap ldap_sudo_search_base = ou=sudoers,dc=lab,dc=local ldap_id_use_start_tls = True ldap_schema = rfc2307bis ldap_search_base = dc=lab,dc=local id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap.lab.local/ cache_credentials = True ldap_tls_cacertdir = /etc/openldap/cacerts [sssd] services = nss, pam, sudo config_file_version = 2 domains = default [nss] [pam] [sudo] debug_level=6 [autofs] [ssh] [pac] -- [test@client ~]$ sudo -l [sudo] password for test: Matching Defaults entries for test on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", 
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK User test may run the following commands on this host: (ALL) ALL [test@client ~]$ As you can see, sudo work for user 'test'. Now let's try 'test2': [test2@client ~]$ sudo -l [sudo] password for test2: User test2 is not allowed to run sudo on client. [test2@client ~]$ -- Output of ldap.lab.local:/var/log/dirsrv/slapd-ldap/access is: [root@ldap slapd-ldap]# cat access [07/Sep/2014:10:07:42 -0700] conn=103 op=25 SRCH base="dc=lab,dc=local" scope=2 filter="(&(uid=test2)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn memberOf nsUniqueId modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap" [07/Sep/2014:10:07:42 -0700] conn=103 op=25 RESULT err=0 tag=101 nentries=1 etime=0 [07/Sep/2014:10:07:42 -0700] conn=103 op=26 SRCH base="dc=lab,dc=local" scope=2 filter="(&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber nsUniqueId modifyTimestamp modifyTimestamp" [07/Sep/2014:10:07:42 -0700] conn=103 op=26 RESULT err=0 tag=101 nentries=0 etime=0 notes=P [07/Sep/2014:10:07:42 -0700] conn=108 fd=69 slot=69 connection from 192.168.199.98 to 192.168.199.99 [07/Sep/2014:10:07:42 -0700] conn=108 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [07/Sep/2014:10:07:42 -0700] conn=108 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [07/Sep/2014:10:07:42 -0700] conn=108 SSL 128-bit AES [07/Sep/2014:10:07:42 -0700] conn=108 op=1 BIND dn="uid=test2,dc=lab,dc=local" method=128 version=3 [07/Sep/2014:10:07:42 -0700] conn=108 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test2,dc=lab,dc=local" [07/Sep/2014:10:07:42 -0700] conn=108 
op=2 UNBIND [07/Sep/2014:10:07:42 -0700] conn=108 op=2 fd=69 closed - U1 [root@ldap slapd-ldap]# -- Both 'test' and 'test2' log in fine with LDAP authentication. If it matters, ldap.lab.local has a self-signed certificate that was created by setupssl2.sh. Thanks for any suggestions.
