[root@fs1 etc]# more /etc/ldap.conf sudoers_debug: 1 [root@fs1 etc]# ls -l /etc/ldap.conf -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
Where should I see the extra output? I've had this set since last Friday and I'm not seeing any difference. On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <[email protected]> wrote: > Bret Wortman wrote: > >> F17. >> > > I think you want /etc/ldap.conf then. The easiest way to be sure the right > file is being used is to add sudoers_debug 1 to the file. This will present > a lot of extra output so you'll know the file is being read. > > rob > > >> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <[email protected] >> <mailto:[email protected]>> wrote: >> >> Bret Wortman wrote: >> >> I had enabled debugging of sudo but am not clear on where that >> debugging >> is going. It's not stdout, and I'm not seeing anything in >> /var/log/messages. >> >> I'll try switching to SSS and see what that gets me. >> >> >> What distro is this? If it is RHEL 6.3 then put the configuration >> into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are >> incorrect (we are working on getting them fixed). >> >> rob >> >> >> >> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher >> <[email protected] <mailto:[email protected]> >> <mailto:[email protected] <mailto:[email protected]>>> wrote: >> >> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote: >> >> I'm pretty certain there's a painfully simple solution >> to this that >> I'm not seeing, but my current configuration isn't >> picking up the >> freeipa sudoer rule that I've set. >> >> /etc/nsswitch.conf specifies: >> sudoers: files ldap >> >> /etc/nslcd.conf contains: >> >> binddn >> uid=sudo,cn=sysaccounts,cn=___**_etc,dc=wedgeofli,dc=me >> >> >> bindpw password >> >> ssl start_tls >> tls_cacertfile /etc/ipa/ca.crt >> tls_checkpeer yes >> >> bind_timelimit 5 >> timelimit 15 >> >> uri ldap://fs1.wedgeofli.me <http://fs1.wedgeofli.me> >> <http://fs1.wedgeofli.me> >> <http://fs1.wedgeofli.me> >> >> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me >> >> >> The sssd_DOMAIN.log file contains this when I try to >> sudo: >> >> >> <snip> >> >> The SSSD logs aren't showing anything wrong because they have >> nothing to do with the execution of the SUDO rules in this >> situation. All the SSSD is doing is verifying the >> authentication >> (when sudo prompts you for your password). >> >> The problem with the rule is most likely happening inside >> SUDO >> itself. When you specify 'sudoers: files, ldap' in >> nsswitch.conf, >> it's telling SUDO to use its own internal LDAP driver to >> look up the >> rules. So you need to check sudo logs to see what's happening >> (probably you will need to enable debug logging in >> /etc/sudo.conf). >> >> Recent versions of SUDO (1.8.6 and later) have support for >> setting >> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD >> (1.9.0 >> and later) for lookups (and caching) of sudo rules. >> >> >> >> >> -- >> Bret Wortman >> The Damascus Group >> Fairfax, VA >> http://bretwortman.com/ >> http://twitter.com/BretWortman >> >> >> >> >> -- >> Bret Wortman >> The Damascus Group >> Fairfax, VA >> http://bretwortman.com/ >> http://twitter.com/BretWortman >> >> >> >> ______________________________**___________________ >> Freeipa-users mailing list >> [email protected] >> <mailto:Freeipa-users@redhat.**com<[email protected]> >> > >> >> https://www.redhat.com/__**mailman/listinfo/freeipa-users<https://www.redhat.com/__mailman/listinfo/freeipa-users> >> >> >> <https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users> >> **> >> >> >> >> >> >> -- >> Bret Wortman >> The Damascus Group >> Fairfax, VA >> http://bretwortman.com/ >> http://twitter.com/BretWortman >> >> >> >> ______________________________**_________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users> >> >> > -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
