On 10/31/2012 07:20 PM, Rob Crittenden wrote:
Bret Wortman wrote:
F17.
I think you want /etc/ldap.conf then. The easiest way to be sure the
right file is being used is to add sudoers_debug 1 to the file. This
will present a lot of extra output so you'll know the file is being read.
rob
Hi,
I think the easiest way to determine the config file is:
# sudo -V | grep ldap.conf
ldap.conf path: /etc/ldap.conf
(sudo must be executed under root account)
On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:
Bret Wortman wrote:
I had enabled debugging of sudo but am not clear on where that
debugging
is going. It's not stdout, and I'm not seeing anything in
/var/log/messages.
I'll try switching to SSS and see what that gets me.
What distro is this? If it is RHEL 6.3 then put the configuration
into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
incorrect (we are working on getting them fixed).
rob
On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
<sgall...@redhat.com <mailto:sgall...@redhat.com>
<mailto:sgall...@redhat.com <mailto:sgall...@redhat.com>>> wrote:
On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
I'm pretty certain there's a painfully simple solution
to this that
I'm not seeing, but my current configuration isn't
picking up the
freeipa sudoer rule that I've set.
/etc/nsswitch.conf specifies:
sudoers: files ldap
/etc/nslcd.conf contains:
binddn
uid=sudo,cn=sysaccounts,cn=____etc,dc=wedgeofli,dc=me
bindpw password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://fs1.wedgeofli.me <http://fs1.wedgeofli.me>
<http://fs1.wedgeofli.me>
<http://fs1.wedgeofli.me>
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
The sssd_DOMAIN.log file contains this when I try to
sudo:
<snip>
The SSSD logs aren't showing anything wrong because they
have
nothing to do with the execution of the SUDO rules in this
situation. All the SSSD is doing is verifying the
authentication
(when sudo prompts you for your password).
The problem with the rule is most likely happening inside
SUDO
itself. When you specify 'sudoers: files, ldap' in
nsswitch.conf,
it's telling SUDO to use its own internal LDAP driver to
look up the
rules. So you need to check sudo logs to see what's
happening
(probably you will need to enable debug logging in
/etc/sudo.conf).
Recent versions of SUDO (1.8.6 and later) have support for
setting
'sudoers: files, sss' in nsswitch.conf which DOES use SSSD
(1.9.0
and later) for lookups (and caching) of sudo rules.
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_________________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
https://www.redhat.com/__mailman/listinfo/freeipa-users
<https://www.redhat.com/mailman/listinfo/freeipa-users>
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users