On 10/31/2012 07:20 PM, Rob Crittenden wrote:
Bret Wortman wrote:
F17.

I think you want /etc/ldap.conf then. The easiest way to be sure the
right file is being used is to add sudoers_debug 1 to the file. This
will present a lot of extra output so you'll know the file is being read.

rob

Hi,
I think the easiest way to determine the config file is:
# sudo -V | grep ldap.conf
ldap.conf path: /etc/ldap.conf

(sudo must be executed under root account)



On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Bret Wortman wrote:

        I had enabled debugging of sudo but am not clear on where that
        debugging is going. It's not stdout, and I'm not seeing anything in
        /var/log/messages.

        I'll try switching to SSS and see what that gets me.


    What distro is this? If it is RHEL 6.3 then put the configuration
    into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
    incorrect (we are working on getting them fixed).

    rob



        On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher
        <sgall...@redhat.com> wrote:

             On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:

                 I'm pretty certain there's a painfully simple solution to this
                 that I'm not seeing, but my current configuration isn't picking
                 up the freeipa sudoer rule that I've set.

                 /etc/nsswitch.conf specifies:
                   sudoers:    files ldap

                 /etc/nslcd.conf contains:

                 binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me

                 bindpw password

                 ssl start_tls
                 tls_cacertfile /etc/ipa/ca.crt
                 tls_checkpeer yes

                 bind_timelimit 5
                 timelimit 15

                 uri ldap://fs1.wedgeofli.me

                 sudoers_base ou=SUDOers,dc=wedgeofli,dc=me


                 The sssd_DOMAIN.log file contains this when I try to sudo:


             <snip>

             The SSSD logs aren't showing anything wrong because they have
             nothing to do with the execution of the SUDO rules in this
             situation. All the SSSD is doing is verifying the authentication
             (when sudo prompts you for your password).

             The problem with the rule is most likely happening inside SUDO
             itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
             it's telling SUDO to use its own internal LDAP driver to look up
             the rules. So you need to check sudo logs to see what's happening
             (probably you will need to enable debug logging in /etc/sudo.conf).

             Recent versions of SUDO (1.8.6 and later) have support for setting
             'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
             and later) for lookups (and caching) of sudo rules.




        --
        Bret Wortman
        The Damascus Group
        Fairfax, VA
        http://bretwortman.com/
        http://twitter.com/BretWortman







        _______________________________________________
        Freeipa-users mailing list
        Freeipa-users@redhat.com
        https://www.redhat.com/mailman/listinfo/freeipa-users






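As an added example (not code from any poster in this thread), the script below turns the thread's diagnosis into a check: read the sudoers sources from nsswitch.conf, take the ldap.conf path that `sudo -V` reports, and inspect that file rather than nslcd.conf for the keys and TLS settings sudo's own LDAP driver needs. The nsswitch.conf, captured `sudo -V` output and ldap.conf it reads are constructed sample files written to a temp directory so it runs offline.

```shell
#!/bin/sh
# The sudoers sources named in nsswitch.conf, e.g. "files ldap" or "files sss".
sudoers_sources() {
    awk '$1 == "sudoers:" { $1 = ""; print }' "$1" | tr -d ',' | tr -s ' ' | sed 's/^ //; s/ $//'
}
# The ldap.conf path sudo reports in its own `sudo -V` output (run as root);
# $1 is a file holding that output, e.g. the line "ldap.conf path: /etc/ldap.conf".
sudo_ldap_conf_path() {
    sed -n 's/^ldap\.conf path: *//p' "$1"
}
# Check a sudo ldap.conf ($1) for what the internal LDAP driver needs and for the
# TLS settings shown in the thread. Prints one finding per line, nothing if clean.
check_sudo_ldap_conf() {
    for key in uri sudoers_base; do
        grep -qiE "^$key[[:space:]]" "$1" || echo "missing: $key"
    done
    grep -qiE '^ssl[[:space:]]+start_tls' "$1" || echo "weak: no 'ssl start_tls'"
    grep -qiE '^tls_checkpeer[[:space:]]+yes' "$1" || echo "weak: tls_checkpeer is not yes"
    # bindpw is a credential: the file holding it must not be world-readable.
    if grep -qiE '^bindpw[[:space:]]' "$1"; then
        case $(ls -l "$1" | cut -c8) in r) echo "weak: bindpw in world-readable $1" ;; esac
    fi
}
# $1 = nsswitch.conf, $2 = captured `sudo -V` output. Which component reads the rules?
diagnose() {
    src=$(sudoers_sources "$1")
    case " $src " in
        *" ldap "*) conf=$(sudo_ldap_conf_path "$2")
                    echo "sudo uses its own LDAP driver and reads $conf, not nslcd.conf"
                    check_sudo_ldap_conf "$conf" ;;
        *" sss "*)  echo "sudo asks SSSD (sudo responder in sssd.conf) for rules" ;;
        *)          echo "sudoers sources '$src' use no LDAP backend at all" ;;
    esac
}
# Constructed sample mirroring the original post: nsswitch says "files ldap",
# sudo points at ldap.conf, and that file lacks sudoers_base and tls_checkpeer.
demo() {
    d=$(mktemp -d)
    printf 'sudoers:    files ldap\n' > "$d/nsswitch.conf"
    printf 'ldap.conf path: %s/ldap.conf\n' "$d" > "$d/sudo-V.txt"
    printf 'uri ldap://fs1.wedgeofli.me\nssl start_tls\ntls_cacertfile /etc/ipa/ca.crt\nbindpw password\n' > "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"
    diagnose "$d/nsswitch.conf" "$d/sudo-V.txt"
    rm -rf "$d"
}
demo
```

With the sample files, `demo` reports the missing sudoers_base, the absent tls_checkpeer and the world-readable bindpw; on a real host, replace the constructed files with /etc/nsswitch.conf and the output of `sudo -V` run as root.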