List:       sudo-users
Subject:    Fwd: [sudo-users] sudo & LDAP (not working)
From:       Aaron Spangler <aaron777 () gmail ! com>
Date:       2005-03-10 2:37:59
Message-ID: 1db25077050309183732cf01b7 () mail ! gmail ! com

The RunAs user did not match.  By default Sudo allows non-root users
to run stuff as root.  If you want root to run as a user other than
root, add 'sudoRunAs: chris'  or  'sudoRunAs: ALL' to the role
cn=root,ou=Sudoers,o=TSYS,c=US.

Hope this helps.
 -Aaron


On Tue, 08 Mar 2005 17:18:01 -0500, Chris Martino
<Chris.Martino@tsysprepaid.com> wrote:
> Hello,
> 
> I'm trying to get sudoers into LDAP and I'm mostly there.  Everything has
> been ported across and /etc/ldap.conf setup but testing it with a simple
> 'sudo -u user ls' fails.  Here's my output:
> 
> server:/home/chris # sudo -u chris ls
> LDAP Config Summary
> ===================
> host         127.0.0.1
> port         389
> ldap_version 3
> sudoers_base ou=Sudoers,o=TSYS,c=US
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          on
> ===================
> ldap_init(127.0.0.1,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=Sudoers,o=TSYS,c=US
> ldap sudoOption: 'ignore_local_sudoers'
> ldap search
> '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%wheel)(sudoUser=%wheel) \
> (sudoUser=%priv)(sudoUser=%pkcs11)(sudoUser=%pkcs11)(sudoUser=%perldb2)(sudoUser=ALL))'
>  found:cn=root,ou=Sudoers,o=TSYS,c=US
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand 'ALL' ... MATCH!
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> Sorry, user root is not allowed to execute '/bin/ls' as chris on server.
> 
> Any ideas what's going on here?  Here's what my LDAP schema looks like for
> the sudoers OU:
> 
> # Sudoers, TSYS, US
> dn: ou=Sudoers,o=TSYS,c=US
> ou: Sudoers
> objectClass: top
> objectClass: organizationalUnit
> 
> # defaults, Sudoers, TSYS, US
> dn: cn=defaults,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: ignore_local_sudoers
> 
> # root, Sudoers, TSYS, US
> dn: cn=root,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoHost: ALL
> sudoCommand: ALL
> 
> # %users, Sudoers, TSYS, US
> dn: cn=%users,ou=Sudoers,o=TSYS,c=US
> objectClass: top
> objectClass: sudoRole
> cn: %users
> sudoUser: %users
> sudoHost: ALL
> sudoCommand: ALL
> 
> Any help is greatly appreciated!
> 
> Thanks,
> Chris
> ____________________________________________________________
> sudo-users mailing list <sudo-users@sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 

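The decision Aaron describes (a role whose sudoUser, sudoHost and sudoCommand all match can still deny the command because the target user does not match the runas rule) is easy to see with a small model of the matching. The following is an added example written for this archive page; it is not code from the sudo project or from either poster. It assumes a simplified matching model (exact user or %group names plus ALL; no netgroups, command arguments or "!" negation) and, following Aaron's explanation, treats a role without sudoRunAs as permitting only root as the target user. The LDIF is the one Chris posted, embedded as constructed input, with a second copy that adds the sudoRunAs line.

```python
"""Model of sudo's LDAP role matching to show why 'sudo -u chris ls' is denied.

Added example, not sudo's own implementation: a simplified matcher over the
sudoRole entries from the thread.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed input: the sudoRole entries Chris posted (cn=root has no sudoRunAs).
ORIGINAL_LDIF = """\
dn: ou=Sudoers,o=TSYS,c=US
ou: Sudoers
objectClass: top
objectClass: organizationalUnit

dn: cn=defaults,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers

dn: cn=root,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

dn: cn=%users,ou=Sudoers,o=TSYS,c=US
objectClass: top
objectClass: sudoRole
cn: %users
sudoUser: %users
sudoHost: ALL
sudoCommand: ALL
"""

# Same data with Aaron's suggested fix applied to the root role.
FIXED_LDIF = ORIGINAL_LDIF.replace(
    "cn: root\nsudoUser: root\n", "cn: root\nsudoUser: root\nsudoRunAs: chris\n")


@dataclass
class Request:
    user: str                # invoking user
    groups: set[str]         # group names of the invoking user
    host: str
    command: str
    runas: str = "root"      # target user; sudo's default when -u is not given


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse simple single-line LDIF (blank line separates entries) into dicts."""
    entries: list[dict[str, list[str]]] = []
    cur: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def _spec_matches(specs: list[str], value: str, groups: set[str] = frozenset()) -> bool:
    """ALL matches anything; %name matches a group; otherwise exact match."""
    for spec in specs:
        if spec == "ALL" or spec == value:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def check(entries: list[dict[str, list[str]]], req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request against the parsed sudoRole entries."""
    reasons = []
    for role in entries:
        # cn=defaults carries only sudoOption and never grants anything itself.
        if "sudoRole" not in role.get("objectClass", []) or "sudoUser" not in role:
            continue
        name = role["cn"][0]
        if not _spec_matches(role["sudoUser"], req.user, req.groups):
            continue
        if not _spec_matches(role.get("sudoHost", []), req.host):
            reasons.append(f"{name}: host")
            continue
        if not _spec_matches(role.get("sudoCommand", []), req.command):
            reasons.append(f"{name}: command")
            continue
        # Assumption from Aaron's reply: a role with no sudoRunAs only allows
        # running as root; 'sudoRunAs: ALL' would allow any target user.
        runas_specs = role.get("sudoRunAs") or ["root"]
        if not _spec_matches(runas_specs, req.runas):
            reasons.append(f"{name}: runas {req.runas!r} not in {runas_specs}")
            continue
        return True, f"allowed by {name}"
    return False, "; ".join(reasons) or "no role lists this user"


if __name__ == "__main__":
    chris_ls = Request("root", set(), "server", "/bin/ls", runas="chris")
    print("original:", check(parse_ldif(ORIGINAL_LDIF), chris_ls))
    print("fixed:   ", check(parse_ldif(FIXED_LDIF), chris_ls))
```

Running it shows the original roles denying root's request to run /bin/ls as chris with the reason that the runas target is not in the default ['root'] list, while the copy with sudoRunAs: chris allows it; the same root role still allows root to run as root, and a member of the users group is allowed by cn=%users.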