We discovered on RHEL4 that sudo didn't quite handle LDAP (or other, I
suppose) groups properly. In order for sudo to use LDAP groups for
access control, we had to specify group lookups thusly in
nsswitch.conf:
group: ldap files
The other way around ("files ldap"), while the default from
authconfig, did not work with sudo. (To wit, sudo complained that the
user attempting to sudo was not found in sudoers -- even though
'groups username' clearly showed they were in the correct group.)
That was fine, but RHEL5 throws an extra wrinkle into things. When
booting up, apparently the "Starting udev" stage does a large number
of group lookups. Since the network is not up at that point, all of
them have to time out if LDAP is specified first in nsswitch.conf,
which makes booting take several _hours_. So with RHEL5, my options
are:
group: ldap files
- sudo works, but a reboot is an all-day affair
group: files ldap
- rebooting works, but sudo doesn't
I haven't touched the PAM entry for sudo, which is:
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
I have touched the system-auth PAM entry, but only to add
pam_access.so. My system-auth now reads:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
What can I do to make _both_ sudo and rebooting work?
Thanks!
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
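One mechanism that produces exactly the symptom described in the post (`groups username` shows the group, sudo says the user is not in sudoers, and swapping the nsswitch order fixes it) is that glibc answers getgrnam() from the first NSS service that has a group of that name, while initgroups(), which `groups` and `id` use, queries every service on the `group:` line and merges the results. The script below is an added example, not code from the post or from Red Hat: a small bash simulation of both lookups over constructed group data. It assumes, hypothetically, that the LDAP-managed group (`wheel` here) also exists as an empty placeholder entry in the local /etc/group, and that sudo checks membership the way sudo 1.6 (the RHEL 4/5 version) did, via getgrnam() and a walk of gr_mem.

```shell
#!/bin/bash
# Added example, not from the original post: simulate how glibc resolves a
# group name under a given nsswitch.conf "group:" order, and why `groups`
# and sudo can disagree about membership. All group data below is constructed.

# Stand-in for /etc/group (local files). Assumption: the LDAP-managed groups
# also exist locally as empty placeholders.
FILES_GROUPS='root:x:0:
wheel:x:10:
sysadmin:x:600:'

# Stand-in for the posixGroup entries served by nss_ldap.
LDAP_GROUPS='wheel:x:10:chris
sysadmin:x:600:chris,alice'

# lookup_in SERVICE NAME: one NSS service answering getgrnam(); prints the
# group line on success, returns non-zero if that service has no such group.
lookup_in() {
  local src=$1 name=$2 data
  case "$src" in
    files) data=$FILES_GROUPS ;;
    ldap)  data=$LDAP_GROUPS ;;
    *)     return 2 ;;
  esac
  printf '%s\n' "$data" | grep "^${name}:"
}

# getgrnam ORDER NAME: ORDER is the nsswitch value, e.g. "files ldap".
# glibc walks the services in order and stops at the first one that returns
# an entry, so a local placeholder group hides the LDAP entry of the same name.
getgrnam() {
  local order=$1 name=$2 src line
  for src in $order; do
    if line=$(lookup_in "$src" "$name"); then
      printf '%s\n' "$line"
      return 0
    fi
  done
  return 1
}

# sudo_in_group ORDER USER NAME: the membership check sudo 1.6 makes for a
# "%name" sudoers entry: getgrnam() and a walk of gr_mem. (Real sudo also
# accepts a match on the user's primary GID; omitted here.)
sudo_in_group() {
  local order=$1 user=$2 name=$3 line
  line=$(getgrnam "$order" "$name") || return 1
  printf '%s\n' "${line##*:}" | tr ',' '\n' | grep -qx "$user"
}

# groups_of ORDER USER: what `groups USER` / `id -Gn USER` report. They use
# initgroups(), which glibc runs against every service on the "group:" line
# and merges, so the answer does not depend on the order.
groups_of() {
  local order=$1 user=$2 src data
  for src in $order; do
    case "$src" in
      files) data=$FILES_GROUPS ;;
      ldap)  data=$LDAP_GROUPS ;;
      *)     continue ;;
    esac
    printf '%s\n' "$data" |
      awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
  done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage: compare both orders for the same user and group.
for order in "files ldap" "ldap files"; do
  printf 'group: %-10s  groups chris -> [%s]  ' "$order" "$(groups_of "$order" chris)"
  if sudo_in_group "$order" chris wheel; then
    echo 'sudo sees chris in %wheel'
  else
    echo 'sudo: chris is NOT in %wheel'
  fi
done
```

With the simulated data, `groups chris` reports wheel under either order, while the sudo-style check only succeeds with `ldap files`, because `files ldap` returns the empty local `wheel:x:10:` entry first. On a real RHEL 5 box the equivalent comparison is `getent group wheel` (getgrnam, first match wins, the same lookup sudo 1.6 makes) against `id -Gn chris` (initgroups, merged); if `getent` prints a local entry that does not list the user, a local placeholder group is shadowing the LDAP one.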