Bret Wortman wrote:
[root@fs1 etc]# more /etc/ldap.conf
sudoers_debug: 1
[root@fs1 etc]# ls -l /etc/ldap.conf
-rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf

Where should I see the extra output? I've had this set since last Friday
and I'm not seeing any difference.

Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers in /etc/nsswitch.conf.

rob


On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Bret Wortman wrote:

        F17.


    I think you want /etc/ldap.conf then. The easiest way to be sure the
    right file is being used is to add sudoers_debug 1 to the file. This
    will present a lot of extra output so you'll know the file is being
    read.

    rob


        On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

             Bret Wortman wrote:

                 I had enabled debugging of sudo but am not clear on where that
                 debugging is going. It's not stdout, and I'm not seeing anything in
                 /var/log/messages.

                 I'll try switching to SSS and see what that gets me.


             What distro is this? If it is RHEL 6.3 then put the configuration
             into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
             incorrect (we are working on getting them fixed).

             rob



                 On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
                 <sgall...@redhat.com> wrote:

                      On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:

                          I'm pretty certain there's a painfully simple solution
                          to this that I'm not seeing, but my current configuration
                          isn't picking up the freeipa sudoer rule that I've set.

                          /etc/nsswitch.conf specifies:
                            sudoers:    files ldap

                          /etc/nslcd.conf contains:

                          binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me


                          bindpw password

                          ssl start_tls
                          tls_cacertfile /etc/ipa/ca.crt
                          tls_checkpeer yes

                          bind_timelimit 5
                          timelimit 15

                          uri ldap://fs1.wedgeofli.me

                          sudoers_base ou=SUDOers,dc=wedgeofli,dc=me


                          The sssd_DOMAIN.log file contains this when I try to sudo:


                      <snip>

                      The SSSD logs aren't showing anything wrong because they have
                      nothing to do with the execution of the SUDO rules in this
                      situation. All the SSSD is doing is verifying the authentication
                      (when sudo prompts you for your password).

                      The problem with the rule is most likely happening inside SUDO
                      itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
                      it's telling SUDO to use its own internal LDAP driver to look up the
                      rules. So you need to check sudo logs to see what's happening
                      (probably you will need to enable debug logging in /etc/sudo.conf).

                      Recent versions of SUDO (1.8.6 and later) have support for setting
                      'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
                      and later) for lookups (and caching) of sudo rules.














--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
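The thread's two checks (is `ldap` on the `sudoers:` line of nsswitch.conf, and does the file sudo's own LDAP driver reads actually carry the LDAP settings rather than only `sudoers_debug`) as a small added checker; this is not from the thread or from sudo or FreeIPA, and the file contents, host names and credentials are constructed stand-ins:

```python
# Added example, not from the thread: consistency check between nsswitch.conf
# and the config file that sudo's built-in LDAP driver reads.

# Constructed stand-ins for /etc/nsswitch.conf
NSSWITCH_OK = "passwd: files sss\nsudoers:    files ldap\n"
NSSWITCH_NO_LDAP = "passwd: files sss\nsudoers:    files\n"

# Constructed stand-in for the sudo LDAP config (placeholder names/credentials)
SUDO_LDAP_OK = """binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw PLACEHOLDER_PASSWORD
uri ldap://ipa.example.test
sudoers_base ou=SUDOers,dc=example,dc=test
sudoers_debug 1
"""
SUDO_LDAP_DEBUG_ONLY = "sudoers_debug 1\n"  # debug switch, no LDAP settings

REQUIRED_KEYWORDS = ("uri", "sudoers_base")

def sudoers_sources(nsswitch_text):
    """Sources on the sudoers: line of nsswitch.conf, in order ([] if absent)."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            return line[len("sudoers:"):].replace(",", " ").split()
    return []

def parse_sudo_ldap_conf(conf_text):
    """'keyword value' lines -> dict with lowercased keywords; comments skipped."""
    conf = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def check_sudo_ldap(nsswitch_text, conf_text):
    """Findings as strings; an empty list means the two files agree."""
    sources = sudoers_sources(nsswitch_text)
    conf = parse_sudo_ldap_conf(conf_text)
    findings = []
    if "ldap" in sources:  # sudo's built-in LDAP driver will read conf_text
        findings += [f"ldap source selected but '{k}' missing"
                     for k in REQUIRED_KEYWORDS if k not in conf]
        if "sudoers_debug" not in conf:
            findings.append("add 'sudoers_debug 1' to confirm the file is read")
    elif "uri" in conf:
        findings.append("LDAP settings present but 'ldap' not on the sudoers: line")
    return findings
```

Run it against the real files by reading /etc/nsswitch.conf and whichever file applies on your release (/etc/sudo-ldap.conf on RHEL 6.3, /etc/ldap.conf on F17 per the replies above) and passing their text in.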

