sudo, LDAP, and Kerberos
darek at nyi.net
Fri Nov 7 11:58:47 PST 2008
I'm setting up a centralized Kerberos/LDAP authentication system and
trying to get sudo to use a) Kerberos for the password, and b) LDAP for
a non-local user's group.
Locally on a client system "/etc/sudoers" specifies %sysadmin to be able
to sudo to root. I don't need to move "sudoers" to LDAP just yet.
I've had success on some machines compiling sudo from source with
--enable-kerb5 and --enable-ldap. But on many other systems sudo
segfaults, or returns bus errors, and overall gave me nothing but grief.
So I'm looking for alternate ways of supplying sudo with a user's
group. Is it possible to compile sudo (without kerberos and ldap
support) and configure a pam.d file (/etc/pam.d/sudo) to interact with
kerberos and LDAP? I created a sudo file with
auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so warn try_first_pass
and running sudo (compiled with only a ./configure, no other options) as
a non-local user I successfully authenticate, but then sudo has no idea
of the group this user belongs to and says "not in the sudoers file".
Is it possible to use PAM as a go-between for sudo and the remote LDAP
system to provide sudo with the user's group info?
How has everyone else set up a central auth system? Seems to me sudo's
configure script has some flaws and I don't want to rely on it. Maybe
there's a better way, but aside from sudo acting up, the above would be
a fine set up for me.
Any pointers appreciated.
More information about the freebsd-questions