Erling Ringen Elvsrud
2008-Nov-27 10:08 UTC
[Fedora-directory-users] Sudo in directory server
I am trying to add the schema for sudoers from README.LDAP in
the SRPM file of sudo-1.6.8p12. I assume the iPlanet version will work best, but
get this problem when I restart the directory server:
[root@testserver schema]# service dirsrv restart
Shutting down dirsrv:
    testserver...                                              [  OK  ]
Starting dirsrv:
    testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE" required attribute "objectclass" missing
                                                               [  OK  ]
[root@testserver schema]# cat 99sudoers.ldif
dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME
'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match
SUBSTR caseE

xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC
'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx

actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC
'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match S

YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC
'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1

.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC
'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1

.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top
STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sud

oHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
Any help to get the schema for sudo correctly added is appreciated.
Thanks,
Erling
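The error above prints the DN of the entry the server rejected, and that DN contains the attributeTypes text. In LDIF a line that begins with a space continues the previous line, so a definition pasted with indentation, or broken by a hard wrap, is folded into the dn: line and the entry ends before any objectClass appears; the server then logs the error but still reports [ OK ], so nothing stops a restart with sudoers data silently unavailable. The checker below is an added illustration, not part of the thread and not a Fedora DS tool: it applies the same folding rule and reports what the server would see. Both sample inputs (BROKEN and GOOD) are constructed; GOOD uses the objectClass header lines that the server's own schema files carry.

```python
"""Check a Directory Server schema LDIF before restarting the server.

Added example, not from the mailing-list thread and not a Fedora DS tool.
It applies the RFC 2849 line-folding rule (a line starting with a space
continues the previous line) and reports entries the server would reject.
Both samples below are constructed.
"""

# Constructed sample 1: README.LDAP text pasted with its indentation and a hard
# wrap inside "caseExactIA5SubstringsMatch".  Every indented line is folded into
# the dn: line, and the blank line ends the entry before any objectClass.
BROKEN = """dn: cn=schema
  attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
  DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE

xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
"""

# Constructed sample 2: the form the server's own schema files use, with the
# objectClass lines present and one unbroken line per definition.
GOOD = """dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
"""


def unfold(text):
    """Join continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; a blank line ends an entry.
    dn is None for data that appears before any dn: line.  Base64 (::) and
    URL (:<) values are out of scope for a schema file."""
    entries, dn, attrs = [], None, {}
    for line in unfold(text) + ['']:
        if line == '':
            if dn is not None or attrs:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith('#') and not line.lower().startswith('version:'):
            name, _, value = line.partition(':')
            if name.lower() == 'dn':
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries


def check_schema_ldif(text):
    """Return a list of problems; an empty list means the file parses as a
    cn=schema entry with objectclass and complete ( ... ) definitions."""
    problems = []
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append('text outside any entry: %r' % (sorted(attrs)[0][:40],))
            continue
        if dn != 'cn=schema':
            problems.append('dn is %r: continuation lines folded into it?' % (dn[:60],))
        if 'objectclass' not in attrs:
            problems.append('entry %r has no objectclass' % (dn[:20],))
        for name in ('attributetypes', 'objectclasses'):
            for value in attrs.get(name, []):
                if not (value.startswith('(') and value.endswith(')')):
                    problems.append('%s value is not a complete ( ... ): %r' % (name, value[:40]))
    return problems


if __name__ == '__main__':
    for label, sample in (('BROKEN', BROKEN), ('GOOD', GOOD)):
        print(label, check_schema_ldif(sample) or 'OK')
```

Run it against the file in the schema directory before the restart: the BROKEN sample yields three findings (a dn that has swallowed the attributeTypes text, no objectclass, and a stray line outside any entry), the GOOD sample none. Keeping each definition on one physical line, as the server's shipped schema files do, sidesteps the folding problem entirely.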
Premod Dev
2008-Nov-27 10:16 UTC
[Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
Hi All,

Does anybody have good experience with SAMBA PDC with Fedora Directory Server as the backend LDAP server?

I have a working SAMBA PDC with OpenLDAP as the backend directory server for user, group and computer management.

Is it possible to use Fedora Directory Server as the backend LDAP server for Samba PDC?

I want all users, groups and computers to be available in the Directory.

Thanks in advance.

Premod
Jonathan Barber
2008-Nov-27 11:01 UTC
Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
On Thu, Nov 27, 2008 at 03:16:07AM -0700, Premod Dev wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora
> Directory Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory
> server for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP
> server for Samba PDC?

Yes.

> I want all users,groups and computers to be available in the
> Directory.

The Samba configuration for LDAP is identical between OpenLDAP and FDS. The only problem is if you allow password changes via Samba via the LDAP password change exop, in which case you'll have to investigate the FreeIPA password-change exop plugin for FDS.

> Thanks in Advance.
>
> Premod
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
Richard Sharpe
Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
On Thu, Nov 27, 2008 at 2:16 AM, Premod Dev <premodd@decho.com> wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora Directory
> Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory server
> for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP server
> for Samba PDC?
>
> I want all users,groups and computers to be available in the Directory.

While I don't currently use Samba as a PDC, I am using it with Fedora Directory Services and don't see why it can't also be used for computer accounts as well as users and groups.

-- 
Regards,
Richard Sharpe
Wolf
Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
> Is it possible to use Fedora Directory server as the backend LDAP
> server for Samba PDC?

Yes.

> I want all users,groups and computers to be available in the
> Directory.

That is what a friend of mine recently set up. And it has been working satisfactorily so far for 60+ users. If you want to know more, it might be a good idea to contact me via direct email.

Regards,
Wolf
Edward Capriolo
2008-Nov-27 14:32 UTC
Re: [Fedora-directory-users] Sudo in directory server
I think sudo provides a sample OpenLDAP schema. The syntax is slightly different.

/etc/dirsrv/slapd-ldapslave1/schema/71sudo.ldif

dn: cn=schema
attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclasses :( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )

It would be interesting to find a tool to convert schema from OpenLDAP to FDS format since this comes up often.
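The conversion Edward asks for is mechanical: OpenLDAP's schema files wrap each definition in `attributetype ( ... )` or `objectclass ( ... )` across several indented lines, while the server's cn=schema files want the same RFC 4512 body as the value of an `attributeTypes:` or `objectClasses:` attribute, ideally on one physical line so that LDIF folding cannot split it. The script below is an added illustration written for this page; it is neither sudo's README.LDAP nor the project's own ol-schema-migrate.pl. It balances parentheses while skipping single-quoted strings (so a DESC such as 'User(s) who may run sudo' and nested MUST/MAY lists survive), emits the objectClass header lines the shipped schema files use, and tags each definition with X-ORIGIN. The sample input is a constructed subset of sudo's definitions, and the choice of origin tag is an assumption.

```python
"""Convert OpenLDAP schema syntax to a cn=schema LDIF for Fedora/389 DS.

Added example written for this page; not sudo's README.LDAP and not the
project's ol-schema-migrate.pl.  The sample input below is constructed.
"""
import re

# Constructed sample: a subset of sudo's definitions in OpenLDAP schema syntax.
OPENLDAP_SUDO_SCHEMA = """\
# constructed sample in OpenLDAP schema syntax
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoCommand $ description ) )
"""

# OpenLDAP keyword -> attribute name used in the server's cn=schema entry
KEYWORDS = {'attributetype': 'attributeTypes', 'objectclass': 'objectClasses'}
_START = re.compile(r'^\s*(attributetype|objectclass)\s*\(', re.I | re.M)


def definitions(text):
    """Yield (keyword, body) for each definition.  Parentheses are balanced
    and single-quoted strings skipped, so nested MUST/MAY lists and a DESC
    like 'User(s) ...' are handled.  objectidentifier macros are not."""
    text = re.sub(r'^\s*#.*$', '', text, flags=re.M)   # drop comment lines
    pos = 0
    while True:
        m = _START.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(text):
            c = text[i]
            if c == "'":
                i = text.index("'", i + 1)        # jump to the closing quote
            elif c == '(':
                depth += 1
            elif c == ')':
                depth -= 1
            i += 1
        if depth:
            raise ValueError('unbalanced parentheses after offset %d' % m.start())
        # whitespace collapsed so the definition becomes one physical line
        yield m.group(1).lower(), ' '.join(text[m.end():i - 1].split())
        pos = i


def to_fds_ldif(openldap_text, origin='user defined'):
    """Return LDIF for a schema file: the cn=schema header lines, then one
    unbroken line per definition, tagged with X-ORIGIN unless it has one."""
    lines = ['dn: cn=schema', 'objectClass: top', 'objectClass: ldapSubentry',
             'objectClass: subschema', 'cn: schema']
    for keyword, body in definitions(openldap_text):
        if 'X-ORIGIN' not in body.upper():
            body += " X-ORIGIN '%s'" % origin   # origin tag is an assumption
        lines.append('%s: ( %s )' % (KEYWORDS[keyword], body))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(to_fds_ldif(OPENLDAP_SUDO_SCHEMA, origin='SUDO'), end='')
```

The output is written to a numbered file in the instance's schema directory and the server restarted, as the posts above do. Emitting one line per definition is deliberate: the server accepts folded LDIF, but an unfolded file cannot be broken by an editor or mail client that re-wraps long lines, which is the failure mode this thread is about.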
sigid@JINLab
2008-Nov-28 00:40 UTC
Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
Premod Dev wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora Directory
> Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory server
> for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP server
> for Samba PDC?
>
> I want all users,groups and computers to be available in the Directory.

Of course it's possible. You may want to look at this link for further guidance.

http://directory.fedoraproject.org/wiki/Howto:Samba

-- 
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.
Premod Dev
Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
Hi Sigid,

Please see the following comment from the wiki:

NOTE: These instructions only apply to basic user and group management. If you use or plan to use Samba for computer management, you will be better off using the migration scripts from IDEALX - http://www.idealx.org/prj/samba/index.en.html

I want to use SAMBA for computer management also.

Thanks,
#!Premod

----- Original Message -----
From: "sigid@JINLab" <sigidwu@gmail.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Sent: Friday, November 28, 2008 6:10:19 AM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi
Subject: Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv

> Of course it's possible. You may want to look at this link for further guidance.
>
> http://directory.fedoraproject.org/wiki/Howto:Samba
Erling Ringen Elvsrud
2008-Nov-28 07:51 UTC
Re: [Fedora-directory-users] Sudo in directory server
On 11/27/08, Edward Capriolo <edlinuxguru@gmail.com> wrote:
> I think sudo provides a sample open ldap schema. The syntax is
> slightly different

Thanks for your reply. I tried to use your schema, but still get errors:

[root@testserver schema]# service dirsrv restart
Shutting down dirsrv:
    testserver...                                              [  OK  ]
Starting dirsrv:
    testserver...[28/Nov/2008:08:44:51 +0100] - Entry "cn=schema attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC" required attribute "objectclass" missing
                                                               [  OK  ]
[root@testserver schema]# cat 99sudoers.ldif
dn: cn=schema attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclasses :( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )

Could you please send me a copy of the schema directly? Just to make sure all line breaks and formatting are correct.

How did you get the schema? The README.LDAP in sudo provides two schemas, one for OpenLDAP and one for iPlanet and similar directory servers (like Fedora DS, if I have understood correctly).

Best regards,
Erling
Edward Capriolo
2008-Nov-28 17:18 UTC
Re: [Fedora-directory-users] Sudo in directory server
Last time I installed sudo the iPlanet schema was not part of the package. iPlanet should be close to FDS. The one I sent I did myself 6 months back.

If you think the problem is a format issue, I checked my system. Every entry is on its own line. It is working for me with this version:

fedora-ds-base-1.1.0-3.fc6
fedora-ds-1.1.0-3.fc6
Rich Megginson
2008-Dec-01 15:55 UTC
Re: [Fedora-directory-users] Sudo in directory server
Erling Ringen Elvsrud wrote:
> I try to add the schema for sudoers from README.LDAP in
> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work best, but
> get this problem when I restart directory server:
>
> [root@testserver schema]# service dirsrv restart
> Shutting down dirsrv:
> testserver... [ OK ]
> Starting dirsrv:
> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE"
> required attribute "objectclass" missing

The sudo schema is now in CVS HEAD and will be part of the next release of Fedora DS:

http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/60sudo.ldif?revision=1.1&root=dirsec&view=markup

You can go ahead and download and use this file with any version of Fedora DS.
Hi,

I have wiki'd my sudo setup:
http://wiki.unixcraft.com/display/MainPage/Sudo+in+Centos+Directory+Server

2008/12/1 Rich Megginson <rmeggins@redhat.com>:
> Erling Ringen Elvsrud wrote:
>> I try to add the schema for sudoers from README.LDAP in
>> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work
>> best, but
>> get this problem when I restart directory server:
>>
>> [root@testserver schema]# service dirsrv restart
>> Shutting down dirsrv:
>> testserver... [ OK ]
>> Starting dirsrv:
>> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
>> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE"
>> required attribute "objectclass" missing
>
> The sudo schema is now in CVS HEAD and will be part of the next release of
> Fedora DS:
>
> http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/60sudo.ldif?revision=1.1&root=dirsec&view=markup
>
> You can go ahead and download and use this file with any version of Fedora
> DS.
Brian
Re: [Fedora-directory-users] Sudo in directory server
Try sending the schema through this first:
http://directory.fedoraproject.org/download/ol-schema-migrate.pl

Brian

On Thu, 2008-11-27 at 03:08 -0700, Erling Ringen Elvsrud wrote:
> I try to add the schema for sudoers from README.LDAP in
> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work best, but
> get this problem when I restart directory server:
>
> [root@testserver schema]# service dirsrv restart
> Shutting down dirsrv:
> testserver... [ OK ]
> Starting dirsrv:
> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE"
> required attribute "objectclass" missing
> [ OK ]