I'm setting up a centralized Kerberos/LDAP authentication system and trying to get sudo to use a) Kerberos for the password, and b) LDAP for a non-local user's group.

Locally on a client system "/etc/sudoers" specifies %sysadmin to be able to sudo to root. I don't need to move "sudoers" to LDAP just yet.

I've had success on some machines compiling sudo from source with --enable-kerb5 and --enable-ldap. But on many other systems sudo segfaults, or returns bus errors, and overall gave me nothing but grief.

So I'm looking for alternate ways of supplying sudo with a user's group. Is it possible to compile sudo (without kerberos and ldap support) and configure a pam.d file (/etc/pam.d/sudo) to interact with kerberos and LDAP? I created a sudo file with

auth sufficient pam_opie.so no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             warn try_first_pass

and running sudo (compiled with only a ./configure, no other options) as a non-local user I successfully authenticate, but then sudo has no idea of the group this user belongs to and says "not in the sudoers file". Is it possible to use PAM as a go-between for sudo and the remote LDAP system to provide sudo with the user's group info?

How has everyone else set up a central auth system? Seems to me sudo's configure script has some flaws and I don't want to rely on it. Maybe there's a better way, but aside from sudo acting up, the above would be a fine set up for me.

Any pointers appreciated.
- Darek
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to