Bret Wortman wrote:

I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read.


On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <
<>> wrote:

    Bret Wortman wrote:

        I had enabled debugging of sudo but am not clear on where that
        is going. It's not stdout, and I'm not seeing anything in

        I'll try switching to SSS and see what that gets me.

    What distro is this? If it is RHEL 6.3 then put the configuration
    into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
    incorrect (we are working on getting them fixed).


        On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
        < <>
        < <>>> wrote:

             On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:

                 I'm pretty certain there's a painfully simple solution
        to this that
                 I'm not seeing, but my current configuration isn't
        picking up the
                 freeipa sudoer rule that I've set.

                 /etc/nsswitch.conf specifies:
                   sudoers:    files ldap

                 /etc/nslcd.conf contains:


                 bindpw password

                 ssl start_tls
                 tls_cacertfile /etc/ipa/ca.crt
                 tls_checkpeer yes

                 bind_timelimit 5
                 timelimit 15

                 uri ldap:// <>

                 sudoers_base ou=SUDOers,dc=wedgeofli,dc=me

                 The sssd_DOMAIN.log file contains this when I try to sudo:


             The SSSD logs aren't showing anything wrong because they have
             nothing to do with the execution of the SUDO rules in this
             situation. All the SSSD is doing is verifying the
             (when sudo prompts you for your password).

             The problem with the rule is most likely happening inside SUDO
             itself. When you specify 'sudoers: files, ldap' in
             it's telling SUDO to use its own internal LDAP driver to
        look up the
             rules. So you need to check sudo logs to see what's happening
             (probably you will need to enable debug logging in

             Recent versions of SUDO (1.8.6 and later) have support for
             'sudoers: files, sss' in nsswitch.conf which DOES use SSSD
             and later) for lookups (and caching) of sudo rules.

        Bret Wortman
        The Damascus Group
        Fairfax, VA

        Bret Wortman
        The Damascus Group
        Fairfax, VA

        Freeipa-users mailing list <>

Bret Wortman
The Damascus Group
Fairfax, VA

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to