[BSD7] Openldap with SUDOers
Philippe Audéoud
jadawin at FreeBSD.org
Tue Jun 3 13:33:09 UTC 2008
On Tue, 03 Jun 2008, karim.bourenane at orange-ftgroup.com wrote:
> Hi Team, and All
>
Hello,
> I want to create a sudoers profile in my OpenLDAP, but I don't understand
> how to do it.
> Actually, in my LDAP I have:
> In slapd.conf
> # Sudoers definition base
> sudoers_base ou=SUDOers,dc=domain,dc=com
> sudoers_debug 0
>
> Distinguished Name: ou=SUDOers,dc=domain,dc=com
>
> Distinguished Name: cn=defaults,ou=SUDOers,dc=domain,dc=com
> With sudoOption:
> ignore_dot
> !mail_no_user
> log_host
> !syslog
> timestamp_timeout=10
>
> Distinguished Name: cn=role1,ou=SUDOers,dc=domain,dc=com
> objectClass: top and sudoRole
> sudoCommand : All
> sudoHost : ALL
> sudoOption: !authenticate
> sudoUser : login1,login2
>
This part seems to be ok.
> When I connect and try the command "sudo su"
> %sudo su
> Password:
> login1 is not in the sudoers file. This incident will be
> reported.
>
To be sure that sudo doesn't use /etc/sudoers, please add
ignore_local_sudoers to the sudoOption values of cn=defaults.
Then, strings < /usr/bin/sudo | grep ldap | grep / gives:
/etc/ldap/ldap.conf
(sorry, I'm using Debian this time :P)
In /etc/ldap/ldap.conf:
BASE dc=XXXXX, dc=XX
URI ldap://ip.ip.ip.ip
sudoers_base ou=SUDOers,dc=XXXX,dc=XX
binddn cn=sudoers,dc=XXXX,dc=XX
bindpw secret
sudoers_debug 2
BE SURE TO HAVE TABS AND NO SPACES! (I lost 3 hours because of a
space!)
PS: If you prefer to speak French, don't hesitate to ask me via private
mail :)
--
Philippe Audeoud
FreeBSD Committer | jadawin at FreeBSD.org
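As an added example (not code from the original post, and not sudo's own implementation), the script below models how sudo's LDAP backend evaluates sudoRole entries like the ones discussed in this thread: it parses a small constructed LDIF (cn=defaults plus two sudoRole entries under ou=SUDOers), decides whether a given user may run a command on a host, reports whether a password is required (the !authenticate option) and whether ignore_local_sudoers is in effect, and finally scans an ldap.conf fragment for the space-instead-of-tab separator problem the reply warns about. Two points of the sudoRole schema are reflected in the sample data: sudoUser is multi-valued, so each login is stored as its own value, and the keyword ALL is compared literally in upper case. The DNs, hostnames, the address 192.0.2.10 and the group name wheel are illustrative assumptions; netgroups and netmask matching are not modelled.

```python
"""Offline model of sudo's sudoRole (sudoers-in-LDAP) lookup; added example."""
import fnmatch
import re
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]

# Constructed sample data mirroring the thread (DNs/hosts are assumptions).
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: ignore_dot
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers

dn: cn=role1,ou=SUDOers,dc=domain,dc=com
objectClass: top
objectClass: sudoRole
cn: role1
sudoUser: login1
sudoUser: login2
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=role2,ou=SUDOers,dc=domain,dc=com
objectClass: top
objectClass: sudoRole
cn: role2
sudoUser: %wheel
sudoHost: web*
sudoCommand: /usr/sbin/service
sudoCommand: !/usr/sbin/service sshd*
"""

SAMPLE_LDAP_CONF = (
    "BASE\tdc=domain,dc=com\n"
    "URI\tldap://192.0.2.10\n"
    "sudoers_base ou=SUDOers,dc=domain,dc=com\n"  # space separator: the mistake
    "binddn\tcn=sudoers,dc=domain,dc=com\n"
    "bindpw\tsecret\n"
    "sudoers_debug\t2\n"
)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser (no base64 values, no line folding). Attribute
    names are lower-cased since LDAP matches them case-insensitively."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _user_matches(values: Sequence[str], user: str, groups: Sequence[str]) -> bool:
    """sudoUser: ALL, a login name, or %group (+netgroup not modelled)."""
    return any(v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups)
               for v in values)


def _host_matches(values: Sequence[str], host: str) -> bool:
    """sudoHost: ALL or a hostname glob (netgroups/netmasks not modelled)."""
    return any(v == "ALL" or fnmatch.fnmatchcase(host, v) for v in values)


def _command_matches(values: Sequence[str], command: str, args: str) -> bool:
    """Values are checked in order: a positive match grants, a negated ('!')
    match denies and stops. A value may carry an argument glob after the path."""
    allowed = False
    for v in values:
        negated = v.startswith("!")
        pattern = v[1:] if negated else v
        if pattern == "ALL":
            matched = True
        else:
            path, _, arg_pat = pattern.partition(" ")
            matched = path == command and (not arg_pat or fnmatch.fnmatchcase(args, arg_pat))
        if matched:
            if negated:
                return False
            allowed = True
    return allowed


def check_sudo(entries: List[Entry], user: str, host: str, command: str,
               args: str = "", groups: Sequence[str] = ()) -> dict:
    """Apply cn=defaults, then every sudoRole matching user, host and command."""
    options: List[str] = []
    allowed = False
    for e in entries:
        if "sudorole" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        if e.get("cn", [""])[0] == "defaults":
            options.extend(e.get("sudooption", []))
            continue
        if (_user_matches(e.get("sudouser", []), user, groups)
                and _host_matches(e.get("sudohost", []), host)
                and _command_matches(e.get("sudocommand", []), command, args)):
            allowed = True
            options.extend(e.get("sudooption", []))
    return {"allowed": allowed,
            "authenticate": "!authenticate" not in options,      # password prompt?
            "ignore_local_sudoers": "ignore_local_sudoers" in options,
            "options": options}


def space_separated_lines(conf_text: str) -> List[int]:
    """1-based numbers of ldap.conf lines where keyword and value are separated
    by a space rather than a tab (the problem the reply warns about)."""
    bad = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"^(\S+)([ \t]+)\S", line)
        if m and not line.lstrip().startswith("#") and " " in m.group(2):
            bad.append(n)
    return bad


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(check_sudo(roles, "login1", "host1", "/usr/bin/su"))
    print(check_sudo(roles, "ops", "web1", "/usr/sbin/service", "sshd restart", ("wheel",)))
    print("space-separated ldap.conf lines:", space_separated_lines(SAMPLE_LDAP_CONF))
```

Running the block shows login1 granted ALL without a password (role1), a wheel member denied "service sshd restart" on web1 by the negated sudoCommand in role2 while "service nginx reload" is allowed, and line 3 of the ldap.conf fragment flagged for its space separator.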
More information about the freebsd-current mailing list