Hi buddy, are you able to check whether ldap support is compiled into your installed sudo? This is just a hint, I don't know how to do that. :)
Bye.

On Sat, Mar 13, 2010 at 11:28, Zengming Zhang <[email protected]> wrote:
> Hi everyone:
>
> Please help me, I can't get root level access rights (sudo) from
> ldap. When I try to use the sudo command, there is an error report:
> "user is not in the sudoers file. This incident will be reported."
>
> I am going to build a cluster system; there is a file server and some
> client computers. The operating system of the file server is Redhat
> Enterprise Linux v5.3, and the client's is Ubuntu 8.10 desktop edition.
> When users login on a client, the client will get user authorization
> info from the server and mount its HOME folder automatically.
>
> I installed openldap server (openldap-2.3.43-3.el5) on file-server, and
> use the libnss-ldapd, libpam-ldap, auth-client-config, ldap-auth-client
> and ldap-auth-config packages to change the client's user authorization
> methods.
>
> But the problem is I can get user authorization info from the ldap
> server, but I can't get root level access rights from the ldap server
> after following the steps here:
> http://www.gratisoft.us/sudo/man/sudoers.ldap.html.
>
> ##################
> My server configurations are:
>
> [1] /etc/openldap/slapd.conf:
> ------------------------------
> The sudoers.schema has been included and indexed:
> include /etc/openldap/schema/sudoers.schema
> index sudoUser eq
>
> [2] /etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
>
> [3] Some contents in the ldap database:
> ------------------------------
> # SUDOers, file-server
> dn: ou=SUDOers,dc=file-server
> ou: SUDOers
> objectClass: top
> objectClass: organizationalUnit
>
> # %sysadmins, SUDOers, file-server
> dn: cn=%sysadmins,ou=SUDOers,dc=file-server
> objectClass: top
> objectClass: sudoRole
> cn: %sysadmins
> sudoUser: %sysadmins
> sudoHost: ALL
> sudoCommand: ALL
>
> (sysadmins is a group name that I created in my ldap server; what I want
> is that users in this group can get root level access rights.)
> ##################
>
> ##################
> My client configurations are:
>
> [1] sudo-ldap:
> ------------------------------
> A "sudo-ldap" package of version 1.6.9p17-1ubuntu2.2 has been
> installed.
>
> [2] /etc/ldap.conf:
> ------------------------------
> sudoers_base has been set:
> sudoers_base ou=SUDOers,dc=file-server
>
> [3] /etc/nsswitch.conf
> ------------------------------
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> # pre_auth-client-config # passwd: compat
> passwd: files ldap
> # pre_auth-client-config # group: compat
> group: files ldap
> # pre_auth-client-config # shadow: compat
> shadow: files ldap
>
> # added by zengming, for sudo issue.
> sudoers: ldap files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> # pre_auth-client-config # netgroup: nis
> netgroup: nis
>
> [4] I can see that the user is in the sysadmins group, as authorized
> from the ldap server:
> jin...@zzm-desktop:~$ id
> uid=10001(jingna) gid=10000(bioinf)groups=10000(bioinf),10004(sysadmins)
> ##################
>
> So, any ideas from you? Please let me know, thanks very much in advance!
>
> Best wishes,
> Zengming
> --
> Zengming Zhang <[email protected]>
>
> --
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
