[root@fs1 etc]# more /etc/ldap.conf
sudoers_debug: 1
[root@fs1 etc]# ls -l /etc/ldap.conf
-rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf

Where should I see the extra output? I've had this set since last Friday
and I'm not seeing any difference.

On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Bret Wortman wrote:
>
>> F17.
>>
>
> I think you want /etc/ldap.conf then. The easiest way to be sure the right
> file is being used is to add sudoers_debug 1 to the file. This will present
> a lot of extra output so you'll know the file is being read.
>
> rob
>
>
>> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>     Bret Wortman wrote:
>>
>>         I had enabled debugging of sudo but am not clear on where that
>>         debugging
>>         is going. It's not stdout, and I'm not seeing anything in
>>         /var/log/messages.
>>
>>         I'll try switching to SSS and see what that gets me.
>>
>>
>>     What distro is this? If it is RHEL 6.3 then put the configuration
>>     into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>     incorrect (we are working on getting them fixed).
>>
>>     rob
>>
>>
>>
>>         On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
>>         <sgall...@redhat.com <mailto:sgall...@redhat.com>
>>         <mailto:sgall...@redhat.com <mailto:sgall...@redhat.com>>> wrote:
>>
>>              On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>
>>                  I'm pretty certain there's a painfully simple solution
>>         to this that
>>                  I'm not seeing, but my current configuration isn't
>>         picking up the
>>                  freeipa sudoer rule that I've set.
>>
>>                  /etc/nsswitch.conf specifies:
>>                    sudoers:    files ldap
>>
>>                  /etc/nslcd.conf contains:
>>
>>                  binddn
>>         uid=sudo,cn=sysaccounts,cn=___**_etc,dc=wedgeofli,dc=me
>>
>>
>>                  bindpw password
>>
>>                  ssl start_tls
>>                  tls_cacertfile /etc/ipa/ca.crt
>>                  tls_checkpeer yes
>>
>>                  bind_timelimit 5
>>                  timelimit 15
>>
>>                  uri ldap://fs1.wedgeofli.me <http://fs1.wedgeofli.me>
>>         <http://fs1.wedgeofli.me>
>>                  <http://fs1.wedgeofli.me>
>>
>>                  sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>
>>
>>                  The sssd_DOMAIN.log file contains this when I try to
>> sudo:
>>
>>
>>              <snip>
>>
>>              The SSSD logs aren't showing anything wrong because they have
>>              nothing to do with the execution of the SUDO rules in this
>>              situation. All the SSSD is doing is verifying the
>>         authentication
>>              (when sudo prompts you for your password).
>>
>>              The problem with the rule is most likely happening inside
>> SUDO
>>              itself. When you specify 'sudoers: files, ldap' in
>>         nsswitch.conf,
>>              it's telling SUDO to use its own internal LDAP driver to
>>         look up the
>>              rules. So you need to check sudo logs to see what's happening
>>              (probably you will need to enable debug logging in
>>         /etc/sudo.conf).
>>
>>              Recent versions of SUDO (1.8.6 and later) have support for
>>         setting
>>              'sudoers: files, sss' in nsswitch.conf which DOES use SSSD
>>         (1.9.0
>>              and later) for lookups (and caching) of sudo rules.
>>
>>
>>
>>
>>         --
>>         Bret Wortman
>>         The Damascus Group
>>         Fairfax, VA
>>         http://bretwortman.com/
>>         http://twitter.com/BretWortman
>>
>>
>>
>>
>>         --
>>         Bret Wortman
>>         The Damascus Group
>>         Fairfax, VA
>>         http://bretwortman.com/
>>         http://twitter.com/BretWortman
>>
>>
>>
>>         ______________________________**___________________
>>         Freeipa-users mailing list
>>         Freeipa-users@redhat.com 
>> <mailto:Freeipa-users@redhat.**com<Freeipa-users@redhat.com>
>> >
>>         
>> https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users>
>>
>>         
>> <https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>> **>
>>
>>
>>
>>
>>
>> --
>> Bret Wortman
>> The Damascus Group
>> Fairfax, VA
>> http://bretwortman.com/
>> http://twitter.com/BretWortman
>>
>>
>>
>> ______________________________**_________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
>>
>>
>


-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to