pam services under ldap

bluethundr bluethundr at
Mon Nov 8 21:16:35 UTC 2010

Hello List

 I am attempting to set up various PAM modules to consult our new LDAP
services in order to do what it needs to do. My LDAP server is FreeBSD
but the clients are CentOS...

 I have set up my /etc/pam.d/sudo file on the client (for example) this
way in an attempt to accomplish this via LDAP:

 [root at VIRCENT03:~]#cat /etc/pam.d/sudo
auth       include	system-auth
auth       required
account    include	system-auth
account    required
password   include	system-auth
password   required
session    optional revoke
session    required
session    required

but even though the user is part of the %wheel group under LDAP, it is
unable to sudo to any other account (including root). If I try to sudo,
this is what happens:

[bluethundr at VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file.  This incident will be reported.

It would appear that sudo support for ldap is compiled in:

[root at VIRCENT03:~]#ldd $(which sudo)| grep -i ldap => /usr/lib/ (0x00552000)

This is how I set up my ldap.conf file:

[root at VIRCENT03:~]#cat /etc/openldap/ldap.conf
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example, dc=com
#URI	ldap:// ldap://

#DEREF		never
URI ldap://
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

In my openldap logs on the LDAP server there appears to be no activity
when I sudo. However, in the secure logs on the client I do:

Nov  8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=500)
Nov  8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened for user bluethundr by bluethundr(uid=0)
Nov  8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

I do see other events in secure.log that appear to be PAM successes,
however. Am I interpreting this correctly that at least part of the
system is communicating with PAM on the LDAP server?


Here's my RSA Public key:
gpg --keyserver --recv-keys 5A4873A9

Share and enjoy!!
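Added example, not from the original post: a small shell check for the three settings a sudo built with LDAP support consults before it queries the directory for sudoRole entries, as documented in sudoers.ldap(5): the "sudoers:" source line in /etc/nsswitch.conf, and the server URI plus sudoers_base in sudo's own ldap.conf (sudo's default is /etc/ldap.conf, not /etc/openldap/ldap.conf; the paths and the sample files below are assumptions, and the hostname is a placeholder).

```shell
#!/bin/sh
# Added diagnostic (not from the original post). A sudo built with LDAP
# support only queries the directory when three things line up:
#   1. /etc/nsswitch.conf lists ldap as a source for "sudoers:"
#   2. sudo's ldap.conf names a server (uri/host) with a real hostname
#   3. the same file sets sudoers_base (the container of sudoRole entries)
# Paths are passed in; on CentOS sudo reads /etc/ldap.conf (assumption).

check_sudo_ldap() {
    nss="$1"; conf="$2"; rc=0
    if grep -Eq '^[[:space:]]*sudoers:.*ldap' "$nss" 2>/dev/null; then
        echo "ok:   sudoers source includes ldap in $nss"
    else
        echo "FAIL: no 'sudoers: files ldap' line in $nss"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*(uri[[:space:]]+ldaps?://[^[:space:]/]+|host[[:space:]]+[^[:space:]]+)' "$conf" 2>/dev/null; then
        echo "ok:   LDAP server set in $conf"
    else
        echo "FAIL: no uri/host with a hostname in $conf"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*sudoers_base[[:space:]]+[^[:space:]]+' "$conf" 2>/dev/null; then
        echo "ok:   sudoers_base set in $conf"
    else
        echo "FAIL: no sudoers_base in $conf"; rc=1
    fi
    return $rc
}

# Constructed sample files: ldap.conf shaped like the one in the post (with a
# placeholder host), and an nsswitch.conf that routes passwd/group, but not
# sudoers, to ldap.
tmp=$(mktemp -d)
printf 'passwd: files ldap\ngroup:  files ldap\n' > "$tmp/nsswitch.conf"
printf 'URI ldap://ldap.example.invalid\nBASE dc=acadaca,dc=net\nsudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net\n' > "$tmp/ldap.conf"
if check_sudo_ldap "$tmp/nsswitch.conf" "$tmp/ldap.conf"; then
    echo "sudo will look up sudoRole entries in LDAP"
else
    echo "sudo will fall back to /etc/sudoers only (no queries reach slapd)"
fi
rm -rf "$tmp"
```

Run it against the real files on the client (e.g. /etc/nsswitch.conf and /etc/ldap.conf) to see which of the three settings sudo is missing; a missing sudoers source in nsswitch.conf is consistent with slapd logging nothing at all when sudo runs.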

More information about the freebsd-questions mailing list