Package: sudo-ldap
Version: 1.6.8p12-4

sudoCommand should be written as follows:

    sudoCommand: ALL

With kind regards,

Huibert Kivits
OPS&ITB/WPS/UAS/MSO UNIX
Location code NA 00.92
T (020) 563 73 33, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jeremy Hansen
Sent: Tuesday, 21 March 2006 23:00
To: sudo-users at sudo.ws
Subject: [sudo-users] is not allowed to execute '/bin/su -' as root

I'm attempting to set up sudo control via LDAP. I seem to have most pieces worked out, but I'm still unable to get sudo to allow my user to actually run things. Here's the info:

My defaults

    dn: cn=defaults,ou=SUDOers,dc=blah,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: defaults
    description: Default sudoOption's go here
    sudoOption: ignore_local_sudoers

User entry

    dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: jhansen
    sudoUser: jhansen
    sudoHost: ALL
    sudoCommand: (ALL) ALL

Here is my output when I just try to do sudo su - as user jhansen:

    [jhansen at z000009 ~]$ sudo su -
    LDAP Config Summary
    ===================
    host         z000009.blah.com
    port         389
    ldap_version 3
    sudoers_base ou=SUDOers,dc=blah,dc=com
    binddn       (anonymous)
    bindpw       (anonymous)
    ssl          start_tls
    ===================
    ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
    ldap_init(z000009.blah.com,389)
    ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
    ldap_start_tls_s() ok
    ldap_bind() ok
    found:cn=defaults,ou=SUDOers,dc=blah,dc=com
    ldap sudoOption: 'ignore_local_sudoers'
    ldap search '(|(sudoUser=jhansen)(sudoUser=%jhansen)(sudoUser=%jhansen)(sudoUser=ALL))'
    found:cn=jhansen,ou=SUDOers,dc=blah,dc=com
    ldap sudoHost 'ALL' ... MATCH!
    ldap sudoCommand '(ALL) ALL' ... not
    ldap search 'sudoUser=+*'
    user_matches=-1
    host_matches=-1
    sudo_ldap_check(0)=0x04
    Password:
    Sorry, user jhansen is not allowed to execute '/bin/su -' as root on z000009.blah.com.

The session looks as if it finds my user, says there's a match, but it seems to get something wrong on the sudoCommand entry... Not really sure what's going on at this point.

My /etc/pam.d/sudo

    auth     required pam_stack.so service=system-auth
    account  required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session  required pam_stack.so service=system-auth

Any help is appreciated.

Thanks
-jeremy
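The debug trace above shows the failure mode exactly: the host matches, but sudoCommand '(ALL) ALL' does not, because sudo-ldap compares each sudoCommand value against the command being run, and a sudoers-style "(runas) command" string is just a literal that never equals /bin/su. The small lint below is an added example for this thread, not code from sudo or from either poster. It parses sudoRole entries out of LDIF and flags sudoCommand values that carry a parenthesised runas prefix. The sample LDIF is constructed to mirror the entry in the post; the corrected version puts the target user in sudoRunAs, the attribute the sudo 1.6.8 LDAP schema uses for that purpose (later schemas use sudoRunAsUser), and leaves sudoCommand as ALL. sudoRunAs is optional here since sudo falls back to root when it is absent; it is included to show where the runas part belongs.

```python
"""Lint sudoRole LDIF entries for a runas spec smuggled into sudoCommand.

Added example, not part of the original thread and not sudo's own code.
The LDIF parser is deliberately minimal (no base64 '::' or URL ':<'
values, no changetype records); it is enough for a sudoers_base export.
"""
from typing import Dict, List

# Constructed sample: the entry from the post, then a corrected version.
BROKEN_LDIF = """\
dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoCommand: (ALL) ALL
"""

FIXED_LDIF = """\
dn: cn=jhansen,ou=SUDOers,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: jhansen
sudoUser: jhansen
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries (blank-line separated) of attr -> [values].

    Continuation lines (leading space) are folded onto the previous value;
    '#' comment lines are skipped. Multi-valued attributes stay as lists.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def lint_sudo_role(entry: Dict[str, List[str]]) -> List[str]:
    """Return findings for one entry; non-sudoRole entries produce none."""
    findings: List[str] = []
    if "sudoRole" not in entry.get("objectClass", []):
        return findings
    dn = entry.get("dn", ["<no dn>"])[0]
    for cmd in entry.get("sudoCommand", []):
        # sudo-ldap matches this value against the command path and args;
        # a sudoers "(user) command" prefix makes it a literal that never
        # matches. The runas target belongs in sudoRunAs (1.6.8 schema).
        if cmd.lstrip().startswith("("):
            findings.append(
                f"{dn}: sudoCommand '{cmd}' has a sudoers-style runas prefix; "
                "move the runas part to sudoRunAs and keep only the command here"
            )
    for required in ("sudoUser", "sudoHost", "sudoCommand"):
        if required not in entry:
            findings.append(f"{dn}: missing {required}")
    return findings


def lint_ldif(text: str) -> List[str]:
    """Lint every sudoRole in an LDIF document and return all findings."""
    findings: List[str] = []
    for entry in parse_ldif(text):
        findings.extend(lint_sudo_role(entry))
    return findings


if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        problems = lint_ldif(ldif)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  " + problem)
```

Run against an export of the sudoers_base subtree (for example from ldapsearch -LLL) to catch the same mistake across every sudoRole before a user hits the "not allowed to execute" message on a host.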