Hi,

With a RHEL7 IDM installation, I am trying to get sudo working.
On RHEL6, no problem (via sssd).
On RHEL5.8 I can't manage to get it working (the credentials are good, I manage to request the schema, see below).
Where can I find more logs? What did I forget?

[root@srv-rhel58-01 ~]# cat /etc/nss_ldap.conf
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com
binpw redhat5Sudo
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ipa.crt
#tls_cacert /etc/openldap/cacerts/ipa.crt
tls_checkpeer yes
#uri ldap://srv-idm7-01.company.com, ldap://srv-idm7-02.company.com
uri ldap://srv-idm7-01.company.com
sudoers_base ou=SUDOers,dc=company,dc=com
sudoers_debug: 2

[root@srv-rhel58-01 ~]# ldapsearch -x -ZZ -D "uid=sudo,cn=sysaccounts,cn=etc,dc=company,dc=com" -b "ou=SUDOers,dc=company,dc=com" -h srv-idm7-01.company.com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,dc=company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, company.com
dn: ou=sudoers,dc=company,dc=com
objectClass: extensibleObject
ou: sudoers

# sudo4admin, sudoers, company.com
dn: cn=sudo4admin,ou=sudoers,dc=company,dc=com
objectClass: sudoRole
sudoUser: nzin
sudoHost: ALL
sudoCommand: ALL
cn: sudo4admin

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

In /var/log/secure:

Feb 17 04:35:59 srv-rhel58-01 sudo: pam_unix(sudo-i:auth): authentication failure; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost= user=nzin
Feb 17 04:35:59 srv-rhel58-01 sudo: pam_sss(sudo-i:auth): authentication success; logname=nzin uid=0 euid=0 tty=/dev/pts/3 ruser= rhost= user=nzin
Feb 17 04:35:59 srv-rhel58-01 sudo: nzin : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/nzin ; USER=root ; COMMAND=/bin/bash

Regards,

Nicolas Zin
[email protected]
Ligne directe: 514-276-5468 poste 135
Fax : 514-276-5465
7275 Saint Urbain
Bureau 200
Montréal, QC, H2R 2Y5
