Hello all,

I have successfully set up FDS on CentOS 5.2, and managed to get users signing on without any issues. However, if I edit the sudoers file to allow a group in LDAP to use sudo, the sudo command does not see the members of the group, or, I think, the group itself.

I have no idea why this is: if I run the command 'id' as the given user you can clearly see the group memberships; however, if I do "getent group linuxops" I see:

linuxops:*:6000:

with no members. However, SSHD AllowGroups works: I have configured sshd to only allow members of the linuxops group to log in and this works fine. So my question is, why is sudo behaving differently?
Kashif,

Make sure you have defined the group in LDAP and added the POSIX attributes and object class to the group. At a bare minimum, you'll need the top, groupOfUniqueNames and posixGroup object classes.

Aaron
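An added example, not code from the thread, to make the check Aaron describes concrete. sudo's %group rule in a file-based sudoers is matched against the group entry's member list (gr_mem, which nss_ldap fills from the memberUid values of a posixGroup) or the user's primary gid, whereas sshd's AllowGroups and id(1) consult the user's supplementary group list. A group whose members live only in uniqueMember attributes, with no memberUid values, therefore passes sshd and fails sudo, which is what the "linuxops:*:6000:" output in the original post shows. The script takes the two views as input so it can be exercised offline, has a wrapper that runs the real getent and id on a host, and emits the LDIF modify that adds the missing memberUid values. The user name kashif, the group name linuxops and the dc=example,dc=com suffix are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnoses why "id USER" lists a group
# that "getent group NAME" shows without members, and generates the LDIF fix.
# Names (kashif, linuxops, dc=example,dc=com) are illustrative assumptions.

# members_of_group_line LINE -> space-separated member names taken from a
# passwd-style group line "name:passwd:gid:m1,m2" (the getent group format)
members_of_group_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' '
}

# group_lists_user LINE USER -> 0 if USER appears in the group's member list,
# which is the view sudo's %group check uses (gr_mem)
group_lists_user() {
    for m in $(members_of_group_line "$1"); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# id_lists_group IDGROUPS GROUP -> 0 if GROUP appears in the output of
# "id -Gn USER", which is the view sshd's AllowGroups uses
id_lists_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# diagnose GROUPLINE IDGROUPS USER GROUP -> prints exactly one verdict:
#   consistent       both views agree; a %GROUP rule in sudoers will match
#   missing-members  id sees the group but getent lists no such member:
#                    the LDAP group lacks memberUid values, sudo will refuse
#   not-a-member     the user is not in GROUP by either view
#   getent-only      getent lists the user but id does not (for example a
#                    stale nscd cache or a login that predates the change)
diagnose() {
    line=$1; idgroups=$2; user=$3; group=$4
    if group_lists_user "$line" "$user"; then
        if id_lists_group "$idgroups" "$group"; then
            echo consistent
        else
            echo getent-only
        fi
    elif id_lists_group "$idgroups" "$group"; then
        echo missing-members
    else
        echo not-a-member
    fi
}

# diagnose_live USER GROUP -> the same verdict using this host's real NSS
diagnose_live() {
    diagnose "$(getent group "$2")" "$(id -Gn "$1")" "$1" "$2"
}

# memberuid_ldif DN USER... -> LDIF modify adding one memberUid per user.
# The entry must already carry the posixGroup object class (the gidNumber in
# the getent output shows it does); if it does not, add that object class
# first, as Aaron says. Apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f fix.ldif
memberuid_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: memberUid\n' "$dn"
    for u in "$@"; do
        printf 'memberUid: %s\n' "$u"
    done
}

# Usage on a real host: ./groupcheck.sh --live kashif linuxops
if [ "${1:-}" = "--live" ] && [ $# -eq 3 ]; then
    diagnose_live "$2" "$3"
fi
```

The verdict missing-members is the thread's symptom: the fix is the memberUid LDIF, after which getent group linuxops lists the users and the %linuxops line in sudoers starts matching, without the local-group workaround Kashif mentions later.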
When you say add the sudo base, are you talking about the LDIF file? Is there no way to continue to use the original LDIF file?

2008/9/9 Malcolm Amir Hussain-Gambles <malcolm@saafinternational.com>:
> Redhat sudo doesn't support ldap, recompile it with ldap support and add
> the sudoers base to /etc/ldap.conf and it should work then, annoying!
> [...]
I believe in CentOS 5.x and Red Hat they have LDAP support built in:

http://kbase.redhat.com/faq/FAQ_80_12975.shtm

I am not sure how to include the LDIF file in the directory server, and also, once it is included, how to manage the sudoers.

Let me give you some more background on the environment. We have the following environments:

Production
Staging
Test
Load Testing
Development

Each of the environments has a varying number of servers, ranging from 30 and going up to 150+.

We have three main categories of users:

Linuxops = Linux sysadmins
SuperUsers = Developers who have sudo rights (ALL) on dev/load test environments, but only for the less, cat and more commands in the Test/Staging/Production environments (this is mainly for log and config file viewing).
Dev = Developers who have full sudo rights on development and only access the development environment

I am restricting access to each environment via the sshd_config AllowGroups variable. I have the following groups:

linuxops
prodlogs
staginglog
testlogs
ltlogs
dev

What I would need is to somehow configure LDAP with sudo, so that if you were in the correct groups you could log in to whichever environment and have the correct privileges.

The problem I will have is with superusers. They would be members of the dev group (so have all rights on the dev env) but then they would be added to prodlogs etc., so they have restricted sudo on prod. However, since there would only be one sudo file in LDAP, sshd would let them log on to a production server via the prodlogs group, and sudo would find the dev group and give them full rights!

I would appreciate any advice in configuring this setup. Currently I have written a wiki to cover the installation of CentOS/Fedora DS and configuring it for central authentication with shared home directories; this would be the final icing on the cake if I could get it working. Please have a look at the following link to get the idea of what I have done to get LDAP up and running:

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server

What I really need help with is sudo under LDAP in the above scenario. I hope I have given enough information; if you require more information please just say and I will provide it ASAP.

Regards

Kashif

2008/9/9 Malcolm Amir Hussain-Gambles <malcolm@saafinternational.com>:
> This is how I've always done it:
> I usually just pull the src.rpm and add ldap in the .spec file,
> recompile then I can add it to standard build image / kickstart
> Then add something like:
> sudoers_base ou=SUDOers,dc=example,dc=com
> to /etc/ldap.conf and that should be it
> [...]
Malcolm Amir Hussain-Gambles
2008-Sep-09 21:42 UTC
Re: [Fedora-directory-users] Sudo and Ldap
Red Hat sudo doesn't support LDAP; recompile it with LDAP support and add the sudoers base to /etc/ldap.conf and it should work then. Annoying!

Cheers

Malcolm

On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> [...]
Malcolm Amir Hussain-Gambles
2008-Sep-09 22:06 UTC
Re: [Fedora-directory-users] Sudo and Ldap
This is how I've always done it:

I usually just pull the src.rpm and add ldap in the .spec file, recompile, then I can add it to the standard build image / kickstart.

Then add something like:

sudoers_base ou=SUDOers,dc=example,dc=com

to /etc/ldap.conf and that should be it.

Cheers,

Malcolm

On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
> [...]
I have a quick workaround currently: what you can do is create a local group and add the LDAP user to the local group. sudo will accept the group, including its users. sudo will also accept a list of users from LDAP; it just doesn't acknowledge members for groups in FDS.

2008/9/9 Kashif Ali <snake007uk@gmail.com>:
> [...]
On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> Redhat sudo doesn't support ldap, recompile it with ldap support and add
> the sudoers base to /etc/ldap.conf and it should work then, annoying!

I don't know about RHEL5, but CentOS 5.2 does:

[root@pirez ~]# rpm -q centos-release
centos-release-5-2.el5.centos
[root@pirez ~]# rpm -q sudo
sudo-1.6.8p12-12.el5
[root@pirez ~]# ldd $(type -p sudo) | grep ldap
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)

And I believe it's been present for all of the 5.0 series.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> [...]
> The problem I Will have is with superusers. They would be members of the dev
> group (so have all rights on dev env) but then I would be added to prodlogs
> etc... so they have restricted sudo on prod. However since there would only
> be one sudo file in ldap, sshd would let them logon to production server via
> prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to particular hosts, which I think would achieve your aims. See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution; it's well worth developing your sudoers file with visudo, for its syntax checking, before converting to LDIF with the sudoers2ldif utility.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
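As an added example, not taken from the thread or from the sudo project's own documentation, here is the file-based sudoers policy that Jonathan's Host_Alias suggestion gives for the groups and environments Kashif describes. The host name patterns, the command paths and the choice of root as the run-as user are assumptions; sudo matches the short host name unless the fqdn option is set, so the patterns are short names.

```sudoers
# Added example, not from the thread: one sudoers file for every environment,
# with each rule scoped to a Host_Alias. Host name patterns, command paths
# and the run-as user are assumptions.

Host_Alias  PROD     = prod*
Host_Alias  STAGING  = staging*
Host_Alias  TEST     = test*
Host_Alias  LOADTEST = lt*
Host_Alias  DEV      = dev*

# Read-only viewers for logs and config files. less can spawn a shell with
# "!sh", so the viewer commands are marked noexec to keep them read-only.
Cmnd_Alias  VIEW     = /usr/bin/less, /bin/cat, /bin/more
Defaults!VIEW noexec

# Linux sysadmins: everything, everywhere
%linuxops    ALL      = (ALL) ALL

# Developers: full rights, but only on development hosts
%dev         DEV      = (ALL) ALL

# Log viewers: only the viewing commands, and only in their own environment.
# A superuser who is in both dev and prodlogs gets ALL on DEV and VIEW on
# PROD, because each rule only applies on hosts its Host_Alias covers.
%prodlogs    PROD     = (root) VIEW
%staginglog  STAGING  = (root) VIEW
%testlogs    TEST     = (root) VIEW
%ltlogs      LOADTEST = (root) VIEW
```

Develop this with visudo, which refuses to save a file with a syntax error, and check a specific user's view with sudo -l as that user on a host in each environment: a developer in both dev and prodlogs then sees ALL on a dev host and only the VIEW commands on a prod host, which is the separation Kashif wants from a single policy. The noexec restriction relies on the viewer being dynamically linked, and without it the read-only intent does not hold.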
If I could get the correct info from getent group, which would show the group members, I am sure sudo would work. I am not sure what is involved in getting sudo into LDAP and then configuring it. Anyone have a link to a howto/wiki?

2008/9/10 Jonathan Barber <j.barber@dundee.ac.uk>:
> [...]
On Wed, Sep 10, 2008 at 10:03:32AM +0100, Kashif Ali wrote:
> If I could get the correct info from getent group
> which would show the group members, I am sure sudo would work, I am not sure
> what is involved in getting sudo into ldap and the configuring it. Anyone
> have a link to howto/wiki?

Just following the sudo LDAP readme:

http://www.gratisoft.us/sudo/readme_ldap.html

got me there.

Basically you have to import the sudo schema (which I got from converting the OpenLDAP schema supplied with the source RPM via the ol-schema-migrate.pl script), create an entry to put your sudo config under, import your sudo config, and then configure /etc/ldap.conf to point at that entry.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
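As an added example, not from the thread or from the sudo readme itself, this is the same per-environment policy expressed as sudoRole entries under the container Jonathan describes, for loading once the sudo schema has been imported into the directory server. The DNs, the dc=example,dc=com suffix and the host name patterns are assumptions. With these entries loaded, /etc/ldap.conf on each client needs the two lines "uri ldap://ldap.example.com" (the server name is an assumption) and "sudoers_base ou=SUDOers,dc=example,dc=com" for sudo to find the policy.

```ldif
# Added example, not from the thread: sudo policy as LDAP sudoRole entries.
# Requires the sudo schema (sudoRole, sudoUser, sudoHost, sudoCommand,
# sudoOption) to be loaded already. DNs, suffix and host patterns are
# assumptions.

# Container that sudoers_base in /etc/ldap.conf points at
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Global options, the LDAP counterpart of Defaults lines in sudoers
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: env_reset

# %linuxops ALL = (ALL) ALL
dn: cn=linuxops,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: linuxops
sudoUser: %linuxops
sudoHost: ALL
sudoCommand: ALL

# %dev DEV = (ALL) ALL; sudoHost scopes the role to development hosts
dn: cn=dev,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dev
sudoUser: %dev
sudoHost: dev*
sudoCommand: ALL

# %prodlogs PROD = VIEW; one role per environment, each limited by sudoHost,
# so a single directory holds the policy for every environment and a client
# only matches the roles whose sudoHost covers it
dn: cn=prodlogs,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prodlogs
sudoUser: %prodlogs
sudoHost: prod*
sudoCommand: /usr/bin/less
sudoCommand: /bin/cat
sudoCommand: /bin/more
sudoOption: noexec

# staginglog, testlogs and ltlogs follow the prodlogs pattern with
# sudoHost staging*, test* and lt* respectively
```

Load it with ldapadd -x -D "cn=Directory Manager" -W -f sudoers.ldif. sudoHost does in LDAP what Host_Alias does in the file: a developer in both dev and prodlogs gets ALL on dev hosts and only the viewer commands on prod hosts, which answers Kashif's concern that one sudo policy in LDAP would give dev rights everywhere. If your sudo build does not match wildcard host patterns, a netgroup (for example +prodhosts) in sudoHost is the alternative. A quick check from a client is sudo -l as the user, and sudoers_debug 2 in /etc/ldap.conf prints the search filter and the entries that matched.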
So the schema is not part of Fedora DS. I will try it and then update my wiki to cover this.

2008/9/10 Jonathan Barber <j.barber@dundee.ac.uk>:
> [...]
Malcolm Amir Hussain-Gambles
2008-Sep-10 19:14 UTC
Re: [Fedora-directory-users] Sudo and Ldap
I mainly work on RHEL4 servers at the moment; good to know though. It was annoying that sudo didn't include it, glad it does now!

Cheers

Malcolm

On Wed, 2008-09-10 at 09:33 +0100, Jonathan Barber wrote:
> [...]
I am currently in the process of documenting the schema install into the DS server, as well as adding the sudoers into LDAP.

2008/9/10 Malcolm Amir Hussain-Gambles <malcolm@saafinternational.com>:
> [...]
I have now updated my wiki to cover the sudo setup; I hope it makes it simpler for others to understand.

http://wiki.unixcraft.com/display/MainPage/Sudo+in+Centos+Directory+Server

2008/9/10 Kashif Ali <snake007uk@gmail.com>:
> [...]