List: sudo-users
Subject: Re: [sudo-users] Ldap Groups
From: David Blackburn <hxor666 () gmail ! com>
Date: 2005-05-04 9:59:06
Message-ID: 1cd9afd405050402597a441cd7 () mail ! gmail ! com
Thanks for all your help. I have gone over your instructions but am
still having problems: I created a posixGroup, netgroups and a sudoRole
with just a group of users.
Unless the user is in the sudoers schema I don't get any joy. Huibert,
your info was very helpful, but at the end it's a little unclear how
sudo finds the actual user to verify on,
i.e. does nsswitch have to be configured to retrieve the user from
the group, or how do I put a link in from the sudoRole statement to
point to the group that sudo will then pick up on?
All the methods I have tried so far never get a user match unless the
user is in the sudoRole statement.
found:cn=defaults,ou=sudoers,dc=blah,dc=net
ldap search '(|(sudoUser=blackburnd)(sudoUser=%blackburnd)(sudoUser=%blackburnd)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
user_matches=0
host_matches=0
On 4/28/05, Huibert.Kivits@mail.ing.nl <Huibert.Kivits@mail.ing.nl> wrote:
> Yes, indeed.
>
> Dave created an entry for a group in LDAP, under which he added subentries for
> users. However, users should not be added as a subentry to the group. You should do
> something like the following:
> - select the group you want to add a user to.
> - add a new attribute to this group, i.e. the attribute "memberUid"
> - you now have to enter a value for this attribute. Enter the username.
> The common name "johndoe" is sufficient. There is no need to enter the
> distinguished name (dn=johndoe,ou=... etcetera).
> - you can add multiple users to a group by adding the memberUid attribute multiple
> times.
> - This way, you can authorize a group for sudo, instead of individual users.
>
> Managing SUDO authorizations from within LDAP does not require that users exist in
> LDAP. This applies both to the user under which sudo runs (the value of the
> sudoRunas attribute) and to the userids that use SUDO. It is perfectly possible
> for a local user to use SUDO authorizations that are managed via LDAP.
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med
> vänliga hälsningar / nuosirdziausi linkejimai,
> Huibert Kivits
>
> -----Original message-----
> From: sudo-users-bounces@courtesan.com [mailto:sudo-users-bounces@courtesan.com]
> On behalf of Aaron Spangler
> Sent: Wednesday 27 April 2005 18:10
> To: David Blackburn
> CC: sudo-users@sudo.ws
> Subject: Re: [sudo-users] Ldap Groups
>
>
> The sudoUser attribute has syntax similar to the RFC2307 attributes. It does not use the
> full LDAP Distinguished Name.
> Use the short username in the sudoUser attribute:
>
> sudoUser: unixuser1
> -or-
> sudoUser: %unixgroup1
> -or-
> sudoUser: +netgroup1
>
> The unixuser1, unixgroup1, or netgroup1 should be available from the server's
> perspective and do not necessarily need to exist in LDAP. If they do exist in
> LDAP, then they should follow RFC2307 syntax.
> On 4/25/05, David Blackburn <hxor666@gmail.com> wrote:
> > Hi
> >
> > I have Ldap sudo auth working, but I need to setup the sudoUser's into
> > groups, I have used the Posix users schema and point sudoUser to the
> > below.
> >
> > sudoUser points to
> > cn=memberUid,ou=sudoUserGroups,ou=sudoers,dc=blah,dc=net
> >
> > Where memberUid is the id of the users I want to use. If I remove the
> > above and put my user ID in this works.
> >
> > Please note I am quite new with ldap and may be missing something quite
> > basic.
> >
> > Thanks
> > Dave
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users@sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
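An added example, not code from the thread or from sudo itself, modelling the matching Aaron and Huibert describe: sudo takes the user's group list from the host's NSS, builds the search filter shown in the debug output above, and separately queries sudoUser=+* for netgroups. The posixGroup, netgroup and sudoRole data are constructed inline; how a group becomes visible to NSS (nsswitch.conf) is assumed rather than modelled.

```python
# Constructed directory content (not from the thread). The posixGroup holds
# bare usernames in memberUid, as Huibert describes, never a DN.
POSIX_GROUPS = {
    "wheel": ["blackburnd", "johndoe"],
}
# Constructed netgroup, standing in for what innetgr() would resolve.
NETGROUPS = {
    "backupops": {"johndoe"},
}
# Constructed sudoRole entries using the three sudoUser forms Aaron lists.
SUDO_ROLES = {
    "cn=admins,ou=sudoers,dc=blah,dc=net": ["%wheel"],
    "cn=backup,ou=sudoers,dc=blah,dc=net": ["+backupops"],
    "cn=dave,ou=sudoers,dc=blah,dc=net": ["blackburnd"],
}


def nss_groups(user, groups=POSIX_GROUPS):
    """Group names NSS would hand sudo for this user (what 'id user' shows).
    If nsswitch.conf does not consult the source holding the group, this
    list is empty and no %group term ever reaches the LDAP filter."""
    return [name for name, members in groups.items() if user in members]


def build_filter(user, groups):
    """Same shape as the 'ldap search' line in the debug output above."""
    terms = [f"(sudoUser={user})"]
    terms += [f"(sudoUser=%{g})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def matching_roles(user, groups, roles=SUDO_ROLES, netgroups=NETGROUPS):
    """DNs of sudoRole entries whose sudoUser grants the user. The value set
    corresponds to the first query; '+netgroup' values correspond to the
    second query (sudoUser=+*) followed by a netgroup membership check."""
    wanted = {user, "ALL"} | {f"%{g}" for g in groups}
    matched = []
    for dn, sudo_users in roles.items():
        for value in sudo_users:
            in_netgroup = value.startswith("+") and user in netgroups.get(value[1:], set())
            if value in wanted or in_netgroup:
                matched.append(dn)
                break
    return matched


if __name__ == "__main__":
    user = "blackburnd"
    print(build_filter(user, nss_groups(user)))
    print(matching_roles(user, nss_groups(user)))
    # Group invisible to NSS: only the per-user role can still match.
    print(matching_roles(user, []))
```

The last call reproduces the symptom in the debug output: with no group coming back from NSS, a role that names only %group yields user_matches=0 however correct the LDAP entries are.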