Not that this will help you, but I can say for certain that sudo with
LDAP works great on our RHEL4 system and with "group: files ldap".
Sounds to me that the best way to solve your booting problem would be to
figure out what in your configuration / environment stops this from
working.
On Tue, 2007-04-10 at 10:32 -0500, Chris St. Pierre wrote:
> We discovered on RHEL4 that sudo didn't quite handle LDAP (or other, I
> suppose) groups properly. In order for sudo to use LDAP groups for
> access control, we had to specify group lookups thusly in
> nsswitch.conf:
>
> group: ldap files
>
> The other way around ("files ldap"), while the default from
> authconfig, did not work with sudo. (To wit, sudo complained that the
> user attempting to sudo was not found in sudoers -- even though
> 'groups username' clearly showed they were in the correct group.)
>
> That was fine, but RHEL5 throws an extra wrinkle into things. When
> booting up, apparently the "Starting udev" stage does a large number
> of group lookups. Since the network is not up at that point, all of
> them have to time out if LDAP is specified first in nsswitch.conf,
> which makes booting take several _hours_. So with RHEL5, my options
> are:
>
> group: ldap files
> - sudo works, but a reboot is an all-day affair
>
> group: files ldap
> - rebooting works, but sudo doesn't
>
> I haven't touched the PAM entry for sudo, which is:
>
> auth include system-auth
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so revoke
> session required pam_limits.so
>
> I have touched the system-auth PAM entry, but only to add
> pam_access.so. My system-auth now reads:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_access.so
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> What can I do to make _both_ sudo and rebooting work?
>
> Thanks!
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
--
Aaron Hagopian <[EMAIL PROTECTED]>
Health Resources Alliance
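Added illustration, not code from either poster: a small Python model of how glibc walks the sources on an nsswitch.conf "group:" line (default actions success=return, everything else continue, plus explicit [STATUS=action] overrides), used to show why a burst of local-group lookups at boot costs one timeout per lookup when "ldap" is listed before "files" and the LDAP server is unreachable. The group tables, the 30-second timeout and the function names are constructed assumptions; the model does not try to explain why sudo fails under "files ldap", which the thread leaves open.

```python
# Added example (not from the thread): glibc nsswitch.conf 'group:' lookup model.
import re

DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

def parse_group_line(line):
    """Parse 'group: ldap [UNAVAIL=return] files' into [(source, actions), ...]."""
    db, _, rest = line.partition(":")
    if db.strip() != "group":
        raise ValueError("expected a 'group:' line")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("[...] action block before any source")
            for spec in tok[1:-1].split():
                status, _, action = spec.partition("=")
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return entries

def lookup(entries, name, backends, timeout_s=30.0):
    """Walk sources in order; backends maps source -> (reachable, {group: gid}).
    Returns (gid_or_None, seconds_spent, [(source, status), ...])."""
    spent, path = 0.0, []
    for source, actions in entries:
        reachable, table = backends.get(source, (False, {}))
        if not reachable:  # e.g. LDAP queried before the network is up
            status, spent = "unavail", spent + timeout_s  # assumed timeout
        elif name in table:
            status = "success"
        else:
            status = "notfound"
        path.append((source, status))
        if actions.get(status) == "return":
            return table.get(name), spent, path
    return None, spent, path

# Constructed sample data: local groups in /etc/group, one LDAP-only group.
FILES = (True, {"disk": 6, "wheel": 10})
LDAP_DOWN = (False, {"admins": 5000})
LDAP_UP = (True, {"admins": 5000})

def boot_cost(line, n_lookups, ldap=LDAP_DOWN):
    """Seconds a burst of n_lookups local-group lookups costs under this order."""
    entries = parse_group_line(line)
    return sum(lookup(entries, "disk", {"files": FILES, "ldap": ldap})[1]
               for _ in range(n_lookups))
```

Running boot_cost("group: ldap files", 1000) against boot_cost("group: files ldap", 1000) reproduces the hours-versus-seconds difference described above for a udev-style burst of local lookups.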