
Re: pam services under LDAP



On Tuesday, 9 November 2010 00:07:27 Indexer wrote:

> I have had a similar issue on my OpenLDAP setup. I have a posixgroup in
> LDAP, into which I placed a list of users for sudo access, and it never
> works.

Works just fine here. Seems your nss setup is broken.

> Both full DN, and just the uid or id number of the user in the
> posixgroup, don't work.
> 
> Sudo supports some LDAP-based configuration from what I understand, but I
> think that is different to what you are trying to achieve in this case.

No, it is what the OP is trying to achieve.

Here is an example with sudo rules in LDAP, applied to groups that only exist 
in LDAP:

[bgmilne@saturn ~]$ grep bgmilne /etc/passwd
[bgmilne@saturn ~]$ grep bgmilne /etc/group
[bgmilne@saturn ~]$ groups
sysadmins build developers dbas ispservices
[bgmilne@saturn ~]$ sudo -l
User bgmilne may run the following commands on this host:

LDAP Role: BUILD
  Commands:
    /usr/bin/eash
    /usr/local/bin/eash

[...]

[bgmilne@saturn ~]$ ldapsearch -LLL -x "(&(objectclass=sudoRole)(cn=BUILD))"
dn: cn=BUILD,ou=SUDOers,dc=xxx....
objectClass: top
objectClass: sudoRole
cn: BUILD
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %sysadmins
sudoUser: %build
sudoCommand: /usr/bin/eash
sudoCommand: /usr/local/bin/eash

[bgmilne@saturn ~]$ sudo eash
[i] trying 192.168.123.16:5554 ... connected.
Awaiting EAS central server validation ... granted.
All privileged access to this host is audited. Exit your shell if you
do not accept the conditions of privileged access to this host.
[saturn:~]# id
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
context=user_u:system_r:unconfined_t

Regards,
Buchan
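Added example, not from the post or from sudo's own code: a Python model of how sudo's LDAP backend evaluates sudoRole entries like the BUILD one shown above. It assumes exact-path sudoCommand matching (no arguments or wildcards) and uses constructed sample entries under a placeholder base DN; the comment in user_matches makes Buchan's point explicit, that a `%group` sudoUser only applies when NSS can resolve that group.

```python
"""Evaluate sudoRole entries the way sudo's LDAP backend matches them."""
# Constructed sample entries (the DN suffix is a placeholder), not the post's data.
SAMPLE_LDIF = """\
dn: cn=BUILD,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: BUILD
sudoHost: ALL
sudoOption: !authenticate
sudoUser: %sysadmins
sudoUser: %build
sudoCommand: /usr/bin/eash
sudoCommand: /usr/local/bin/eash

dn: cn=DBA,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: DBA
sudoHost: db01
sudoUser: %dbas
sudoCommand: /usr/bin/systemctl
"""

def parse_ldif(text):
    """Split LDIF into entries: each a dict of attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(": ")
            current.setdefault(attr, []).append(value)
        elif current:  # blank line terminates an entry
            entries.append(current)
            current = {}
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]

def user_matches(role, user, groups):
    # '%name' is a group resolved via NSS: LDAP groups must be visible to getgrouplist().
    for spec in role.get("sudoUser", []):
        if spec in ("ALL", user) or (spec.startswith("%") and spec[1:] in groups):
            return True
    return False

def matching_roles(entries, user, groups, host, command):
    """Return [(cn, password_required)] for each role that permits `command`."""
    out = []
    for role in entries:
        if (user_matches(role, user, groups)
                and any(h in ("ALL", host) for h in role.get("sudoHost", []))
                and any(c in ("ALL", command) for c in role.get("sudoCommand", []))):
            out.append((role["cn"][0], "!authenticate" not in role.get("sudoOption", [])))
    return out
```

Feeding it the groups reported by `groups` for a user reproduces what `sudo -l` lists; an empty result for a user who should be in a `%group` rule points at NSS not resolving the LDAP group.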