Bret Wortman wrote:
[root@fs1 etc]# more /etc/ldap.conf
sudoers_debug: 1
[root@fs1 etc]# ls -l /etc/ldap.conf
-rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
Where should I see the extra output? I've had this set since last Friday
and I'm not seeing any difference.
Move the contents of /etc/nslcd.conf to this file and add ldap to
sudoers in /etc/nsswitch.conf.
rob
On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <[email protected]> wrote:
Bret Wortman wrote:
F17.
I think you want /etc/ldap.conf then. The easiest way to be sure the
right file is being used is to add sudoers_debug 1 to the file. This
will present a lot of extra output so you'll know the file is being
read.
rob
On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <[email protected]> wrote:
Bret Wortman wrote:
I had enabled debugging of sudo but am not clear on where that debugging
is going. It's not stdout, and I'm not seeing anything in /var/log/messages.
I'll try switching to SSS and see what that gets me.
What distro is this? If it is RHEL 6.3 then put the configuration into
/etc/sudo-ldap.conf instead of /etc/nslcd. The docs are incorrect (we are
working on getting them fixed).
rob
On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <[email protected]> wrote:
On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
I'm pretty certain there's a painfully simple solution to this that I'm
not seeing, but my current configuration isn't picking up the freeipa
sudoer rule that I've set.
/etc/nsswitch.conf specifies:
sudoers: files ldap
/etc/nslcd.conf contains:
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
The sssd_DOMAIN.log file contains this when I try to sudo:
<snip>
The SSSD logs aren't showing anything wrong because they have nothing to
do with the execution of the SUDO rules in this situation. All the SSSD
is doing is verifying the authentication (when sudo prompts you for your
password).

The problem with the rule is most likely happening inside SUDO itself.
When you specify 'sudoers: files, ldap' in nsswitch.conf, it's telling
SUDO to use its own internal LDAP driver to look up the rules. So you
need to check sudo logs to see what's happening (probably you will need
to enable debug logging in /etc/sudo.conf).

Recent versions of SUDO (1.8.6 and later) have support for setting
'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0 and
later) for lookups (and caching) of sudo rules.
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
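To make the advice in this thread checkable, here is an added example (my own code, not from the thread, sudo or FreeIPA) that parses the sudoers: line of nsswitch.conf and sudo's own LDAP config file (/etc/ldap.conf on F17, /etc/sudo-ldap.conf on RHEL 6.3) and reports the things that went wrong above: no ldap/sss source, a missing uri or sudoers_base, start_tls without peer checking, a bindpw in a world-readable file, and sudoers_debug left on. The sample config and the example.test domain are constructed; the file mode passed in defaults to the -rw-r--r-- shown in the thread.

```python
# Added example (not from the thread or sudo); the sample values below are constructed.
import re
import stat

NSSWITCH_SAMPLE = "passwd: files sss\nsudoers: files ldap\n"
LDAP_CONF_SAMPLE = """\
bindpw password
ssl start_tls
tls_checkpeer yes
uri ldap://fs1.example.test
sudoers_base ou=SUDOers,dc=example,dc=test
sudoers_debug: 1
"""

def nsswitch_sudoers_sources(text):
    """Return the lookup sources on the 'sudoers:' line, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        m = re.match(r"\s*sudoers\s*:\s*(.*)", line.split("#", 1)[0])
        if m:
            return m.group(1).replace(",", " ").split()
    return []

def parse_sudo_ldap_conf(text):
    """Parse 'key value' lines; keys are lower-cased and a trailing ':' on the key is tolerated."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower().rstrip(":")] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_sudo_ldap(nsswitch_text, ldap_conf_text, conf_mode=0o644):
    """Return a list of findings (empty means the two files are coherent)."""
    findings = []
    sources = nsswitch_sudoers_sources(nsswitch_text)
    if not {"ldap", "sss"} & set(sources):
        findings.append("nsswitch.conf: no ldap/sss on the sudoers line, only /etc/sudoers is read")
    conf = parse_sudo_ldap_conf(ldap_conf_text)
    if "ldap" in sources:  # sudo's internal LDAP driver reads this file
        for key in ("uri", "sudoers_base"):
            if key not in conf:
                findings.append(f"ldap.conf: {key} missing, sudo cannot query the IPA server")
        if conf.get("ssl", "").lower() == "start_tls" and conf.get("tls_checkpeer", "").lower() != "yes":
            findings.append("ldap.conf: start_tls without 'tls_checkpeer yes', server cert is not verified")
        if "bindpw" in conf and conf_mode & stat.S_IROTH:
            findings.append("ldap.conf: bindpw is stored in a world-readable file")
        if conf.get("sudoers_debug", "0") != "0":
            findings.append("ldap.conf: sudoers_debug is on, disable it once troubleshooting is done")
    return findings
```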