On Monday, 8 November 2010 22:16:51 bluethundr wrote:
> Hello List
>
> I am attempting to set up various pam modules to consult our new LDAP
> services in order to do what it needs to do. My LDAP server is FreeBSD
> but the clients are CentOS...
>
> I have set up my /etc/pam.d sudo

If you have already set up /etc/pam.d/system-auth for LDAP (e.g. with authconfig), you should not need to make changes to other pam service files. However, it appears your problem isn't authentication:

> but even though the user is part of the %wheel group under LDAP it is
> unable to sudo to any other account (including root). If I try to sudo
> this is what happens:
>
> [bluethu...@vircent03:~]#sudo bash
> [sudo] password for bluethundr:
> bluethundr is not in the sudoers file. This incident will be reported.

So authentication works. PAM doesn't do anything further here ...

> It would appear that sudo support for ldap is compiled in:
>
> [r...@vircent03:~]#ldd $(which sudo)| grep -i ldap
> libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)

Well, now we are getting away from your $subject, which was asking about pam. This has *nothing* to do with PAM (applications wanting to authenticate via pam_ldap don't need to be linked to libldap).

> This is how I set up my ldap.conf file
>
> [r...@vircent03:~]#cat /etc/openldap/ldap.conf
[...]
> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

sudo+ldap looks for that in /etc/ldap.conf. Please don't mix /etc/ldap.conf and /etc/openldap/ldap.conf.

> In my openldap logs on the LDAP server there appears to be no activity
> when I sudo. however in the secure logs on the client I do..
[..]
> Works there!

These logs are irrelevant. More interesting would be the logs on the server-side, to see if *any* searches are done. However, the 'sudo -l' output may be useful.

> I do see other events in secure.log that appear to be pam successes
> however. Am I interpreting this correctly that at least part of the
> system is communicating with pam on the ldap server?

PAM seems to work, as your password is accepted. Nothing further relates to pam at all. Everything else relates *only* to sudo.

Please read your /usr/share/doc/sudo-*/README.LDAP file. For example, the coverage of the 'sudoers_debug' option may be interesting.
Regards, Buchan
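A small check for the /etc/ldap.conf versus /etc/openldap/ldap.conf mix-up Buchan points out, added here as an example; it is not part of the original thread and not code from either poster. It assumes, as Buchan states for this CentOS client, that the sudo LDAP backend reads its sudoers_base from /etc/ldap.conf and ignores the OpenLDAP client file. It runs against constructed sample files in a temporary directory rather than the real system files, and the host names and DNs in those samples are made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds which ldap.conf-style
# file carries the sudoers_base directive and reports whether sudo (which is
# assumed to read /etc/ldap.conf) will actually see it.

# Print the value of sudoers_base from the given file; return 1 if absent.
# The directive name is matched case-insensitively; commented-out lines
# ("#sudoers_base ...") do not match because $1 then starts with '#'.
sudoers_base_in() {
    [ -r "$1" ] || return 1
    awk 'tolower($1) == "sudoers_base" {
             sub(/^[^ \t]+[ \t]+/, "");   # drop the directive, keep the value
             print; found = 1
         }
         END { if (found) exit 0; else exit 1 }' "$1"
}

# check_sudoers_base SUDO_CONF OPENLDAP_CONF
#   returns 0 if SUDO_CONF has sudoers_base (sudo will find it),
#           2 if only OPENLDAP_CONF has it (misplaced, sudo ignores it),
#           3 if neither file has it.
check_sudoers_base() {
    sudo_conf=$1
    openldap_conf=$2
    if base=$(sudoers_base_in "$sudo_conf"); then
        echo "ok: sudoers_base '$base' found in $sudo_conf"
        return 0
    elif base=$(sudoers_base_in "$openldap_conf"); then
        echo "misplaced: sudoers_base '$base' is in $openldap_conf; sudo reads $sudo_conf"
        return 2
    else
        echo "missing: no sudoers_base in $sudo_conf or $openldap_conf"
        return 3
    fi
}

# Constructed sample files standing in for /etc/ldap.conf and
# /etc/openldap/ldap.conf; values are invented for the demo.
demo=$(mktemp -d)
printf '%s\n' \
    'uri ldap://ldap.example.net' \
    'sudoers_base ou=sudoers,ou=Services,dc=example,dc=net' \
    'sudoers_debug 2' > "$demo/ldap.conf"
printf '%s\n' \
    'BASE dc=example,dc=net' \
    'URI ldap://ldap.example.net' > "$demo/openldap-ldap.conf"

# Poster's situation: directive only in the OpenLDAP client file.
check_sudoers_base "$demo/openldap-ldap.conf" "$demo/ldap.conf" || true
# Corrected situation: directive in the file sudo reads.
check_sudoers_base "$demo/ldap.conf" "$demo/openldap-ldap.conf" || true
rm -rf "$demo"
```

Once the directive is in the file sudo reads, `sudo -l` as the LDAP user and `sudoers_debug 2` in that file (see README.LDAP) show whether sudo is querying the directory at all, which is the server-side evidence Buchan asks for.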
