Re: pam services under LDAP
On Monday, 8 November 2010 22:16:51 bluethundr wrote:
> Hello List
> I am attempting to set up various pam modules to consult our new LDAP
> services in order to do what it needs to do. My LDAP server is FreeBSD
> but the clients are CentOS...
> I have set up my /etc/pam.d sudo
If you have already set up /etc/pam.d/system-auth for LDAP (e.g. with
authconfig), you should not need to make changes to other pam service files.
However, it appears your problem isn't authentication:
> but even though the user is part of the %wheel group under LDAP it is
> unable to sudo to any other account (including root). If I try to sudo
> this is what happens:
> [bluethundr@VIRCENT03:~]#sudo bash
> [sudo] password for bluethundr:
> bluethundr is not in the sudoers file. This incident will be reported.
So authentication works. PAM doesn't do anything further here ...
> It would appear that sudo support for ldap is compiled in:
> [root@VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
> libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)
Well, now we are getting away from your $subject, which was asking about pam.
This has *nothing* to do with PAM (applications wanting to authenticate via
pam_ldap don't need to be linked to libldap).
> This is how I setup my ldap.conf file
> [root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
> sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
sudo+ldap looks for that in /etc/ldap.conf. Please don't mix /etc/ldap.conf
> In my openldap logs on the LDAP server there appears to be no activity
> when I sudo. however in the secure logs on the client I do..
> Works there!
These logs are irrelevant. More interesting would be the logs on the server-
side, to see if *any* searches are done. However, the 'sudo -l' output may be
> I do see other events in secure.log that appear to be pam successes
> however. Am I interpreting this correctly that at least part of the
> system is communicating with pam on the ldap server?
PAM seems to work, as your password is accepted. Nothing further relates to
pam at all. Everything else relates *only* to sudo. Please read your
/usr/share/doc/sudo-*/README.LDAP file. For example, the coverage of the
'sudoers_debug' option may be interesting.
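As an added illustration of the two points made in the reply (sudo's LDAP settings live in /etc/ldap.conf, and the sudoers_debug option from README.LDAP shows what sudo actually asks the server), here is what the client-side configuration and the matching sudoRole entry would look like. This is example configuration written for this thread, not anything posted by the original author; the sudoers_base DN is taken from the post, while the server URI, the account name and the bind settings are placeholders that would need to be adjusted, and it assumes the sudo schema has already been loaded on the FreeBSD server.

```text
# --- /etc/ldap.conf on the CentOS client (example, not from the post) ---
# This is the file sudo-ldap reads; settings placed in
# /etc/openldap/ldap.conf are only seen by the OpenLDAP client tools.
uri ldap://ldap.example.net/               # placeholder, adjust
base dc=acadaca,dc=net
ssl no                                     # or "start_tls" once TLS is set up
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
# Turn this on only while troubleshooting: level 2 prints every LDAP
# search filter sudo sends and every entry it gets back, to the terminal.
sudoers_debug 2

# --- sudoRole entry on the LDAP server (example LDIF, not from the post) ---
# sudo searches sudoers_base for entries whose sudoUser matches the login
# name, "ALL", or one of the user's groups prefixed with "%". The group
# match only works if the client resolves the user's groups via nss_ldap.
dn: cn=wheel,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
```

A quick way to confirm the entry is visible to an anonymous (or the configured) bind, before involving sudo at all, is an ldapsearch against the same base with the filter sudo would use, e.g. `ldapsearch -x -b 'ou=sudoers,ou=Services,dc=acadaca,dc=net' '(sudoUser=%wheel)'`; if that returns nothing, the server-side slapd log will show why, and sudoers_debug on the client will show whether sudo is even sending the query.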