That's got me closer now, as I'm at least getting an error message on stdout:
[root@fs1 etc]# more nslcd.conf
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw password
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15
uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
[root@fs1 etc]# sudo su -
sudo: ldap_sasl_bind_s(): Invalid credentials
[root@fs1 ~]#

So I'm off to figure out where my credentials are wrong. Thanks again, Rob, Stephen & Pavel.

Bret

On Wed, Oct 31, 2012 at 2:39 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Bret Wortman wrote:
>> [root@fs1 etc]# more /etc/ldap.conf
>> sudoers_debug: 1
>> [root@fs1 etc]# ls -l /etc/ldap.conf
>> -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf
>>
>> Where should I see the extra output? I've had this set since last Friday
>> and I'm not seeing any difference.
>
> Move the contents of /etc/nslcd.conf to this file and add ldap to sudoers
> in /etc/nsswitch.conf.
>
> rob
>
>> On Wed, Oct 31, 2012 at 2:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Bret Wortman wrote:
>>>> F17.
>>>
>>> I think you want /etc/ldap.conf then. The easiest way to be sure the
>>> right file is being used is to add sudoers_debug 1 to the file. This
>>> will present a lot of extra output so you'll know the file is being
>>> read.
>>>
>>> rob
>>>
>>>> On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Bret Wortman wrote:
>>>>>> I had enabled debugging of sudo but am not clear on where that
>>>>>> debugging is going. It's not stdout, and I'm not seeing anything in
>>>>>> /var/log/messages.
>>>>>>
>>>>>> I'll try switching to SSS and see what that gets me.
>>>>>
>>>>> What distro is this? If it is RHEL 6.3 then put the configuration
>>>>> into /etc/sudo-ldap.conf instead of /etc/nslcd. The docs are
>>>>> incorrect (we are working on getting them fixed).
>>>>>
>>>>> rob
>>>>>
>>>>>> On Wed, Oct 31, 2012 at 1:33 PM, Stephen Gallagher <sgall...@redhat.com> wrote:
>>>>>>> On Wed 31 Oct 2012 11:53:15 AM EDT, Bret Wortman wrote:
>>>>>>>> I'm pretty certain there's a painfully simple solution to this that
>>>>>>>> I'm not seeing, but my current configuration isn't picking up the
>>>>>>>> freeipa sudoer rule that I've set.
>>>>>>>>
>>>>>>>> /etc/nsswitch.conf specifies:
>>>>>>>> sudoers: files ldap
>>>>>>>>
>>>>>>>> /etc/nslcd.conf contains:
>>>>>>>>
>>>>>>>> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
>>>>>>>> bindpw password
>>>>>>>>
>>>>>>>> ssl start_tls
>>>>>>>> tls_cacertfile /etc/ipa/ca.crt
>>>>>>>> tls_checkpeer yes
>>>>>>>>
>>>>>>>> bind_timelimit 5
>>>>>>>> timelimit 15
>>>>>>>>
>>>>>>>> uri ldap://fs1.wedgeofli.me
>>>>>>>>
>>>>>>>> sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
>>>>>>>>
>>>>>>>> The sssd_DOMAIN.log file contains this when I try to sudo:
>>>>>>>>
>>>>>>>> <snip>
>>>>>>>
>>>>>>> The SSSD logs aren't showing anything wrong because they have
>>>>>>> nothing to do with the execution of the SUDO rules in this
>>>>>>> situation. All the SSSD is doing is verifying the authentication
>>>>>>> (when sudo prompts you for your password).
>>>>>>>
>>>>>>> The problem with the rule is most likely happening inside SUDO
>>>>>>> itself. When you specify 'sudoers: files, ldap' in nsswitch.conf,
>>>>>>> it's telling SUDO to use its own internal LDAP driver to look up the
>>>>>>> rules. So you need to check sudo logs to see what's happening
>>>>>>> (probably you will need to enable debug logging in /etc/sudo.conf).
>>>>>>>
>>>>>>> Recent versions of SUDO (1.8.6 and later) have support for setting
>>>>>>> 'sudoers: files, sss' in nsswitch.conf which DOES use SSSD (1.9.0
>>>>>>> and later) for lookups (and caching) of sudo rules.
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
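As an added example that is not part of the thread (my own code, not sudo's or FreeIPA's): a small Python checker that reads the sudoers line of nsswitch.conf and the key/value file sudo's internal LDAP driver consults, reports which backend sudo will use for its rules (files, ldap, or sss via SSSD), and flags the things a reviewer would want fixed in such a file, a bindpw in a file readable by non-root users and a missing TLS setting. The file contents, the 0o644 mode and the placeholder bindpw are assumptions taken from the output quoted in the thread.

```python
# Added example (not from the thread): which backend sudo consults for its rules, and an
# audit of the key/value config file that sudo's own LDAP driver reads for that backend.
def sudoers_sources(nsswitch_text):
    """Ordered sudoers sources, e.g. ['files', 'ldap']; commas and [action] tokens dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('sudoers:'):
            tokens = line[len('sudoers:'):].replace(',', ' ').split()
            return [t for t in tokens if not t.startswith('[')]
    return ['files']  # sudo uses the sudoers file alone when the line is absent

def parse_ldap_conf(text):
    """'key value' lines to a dict; a ':' after the key (as in the thread) is tolerated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            parts = line.split(None, 1)
            conf[parts[0].rstrip(':').lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf

def audit_ldap_conf(conf, file_mode):
    """Findings for sudo's LDAP driver config; file_mode is the file's permission bits."""
    findings = ['missing %s' % k for k in ('uri', 'sudoers_base') if k not in conf]
    if 'bindpw' in conf and file_mode & 0o077:
        findings.append('bindpw in a file readable by non-root (mode %o)' % (file_mode & 0o777))
    if (not conf.get('uri', '').startswith('ldaps://')
            and conf.get('ssl', '').lower() not in ('start_tls', 'on', 'yes', 'true')):
        findings.append('no TLS: bind credentials and rule lookups cross the network in the clear')
    elif conf.get('tls_checkpeer', 'no').lower() not in ('yes', 'on', 'true'):
        findings.append('tls_checkpeer not enabled: server certificate is not verified')
    return findings

def report(nsswitch_text, ldap_conf_text, file_mode):
    """Combine both checks; 'debug' says whether sudoers_debug is switched on in the file."""
    sources, conf = sudoers_sources(nsswitch_text), parse_ldap_conf(ldap_conf_text)
    return {'sources': sources, 'debug': conf.get('sudoers_debug', '0') != '0',
            'ldap_findings': audit_ldap_conf(conf, file_mode) if 'ldap' in sources else []}

# Constructed sample input using the values quoted in the thread (bindpw replaced by a
# placeholder); 0o644 is the -rw-r--r-- mode the thread's ls -l showed.
NSSWITCH = "passwd: files sss\nsudoers: files ldap\n"
LDAP_CONF = """binddn uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me
bindpw PLACEHOLDER
ssl start_tls
tls_checkpeer yes
uri ldap://fs1.wedgeofli.me
sudoers_base ou=SUDOers,dc=wedgeofli,dc=me
sudoers_debug: 1
"""
RESULT = report(NSSWITCH, LDAP_CONF, 0o644)
```

With the thread's values the only finding is the world-readable bindpw; switching the nsswitch line to `sudoers: files sss` hands rule lookups to SSSD and the LDAP file is no longer audited.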