On (19/09/13 17:18), Rowland Penny wrote:
> Ok, I am back again, trying to get sssd to control sudo, but failing.
>
> I added the sudo active directory schema ldif to samba4 AD
>
> then added this:
>
> dn: OU=SUDOers,DC=example,DC=com
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
>
> dn: CN=linuxusers,OU=SUDOers,DC=example,DC=com
> objectClass: top
> objectClass: sudoRole
> cn: linuxusers
> sudoUser: %linuxusers
> sudoHost: ALL
> sudoCommand: ALL
>
> On a Linux Mint client:
>
> sudo apt-get install sudo-ldap
>
> Edited /etc/sudo-ldap.conf
>
> # TLS certificates (needed for GnuTLS)
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> BASE DC=example,DC=com
> URI ldap://server.example.com
> ssl=no
> LDAP_VERSION 3
> SUDOERS_BASE ou=SUDOers,DC=example,DC=com
> SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole))
> BINDDN CN=Administrator,CN=Users,DC=example,DC=com
> BINDPW xxxxxxxxxx
>
> then edited /etc/nsswitch.conf and added
>
> sudoers: files ldap
>
> restarted sudo
>
> then as a normal user, tried to run a command with sudo, this worked.
>
> I then altered /etc/sssd/sssd.conf and added
>
> services = nss, pam, autofs, sudo
>
> [sudo]
>
> ldap_sudo_search_base = OU=SUDOers,DC=example,DC=com
^^^^^^
This line should be in the domain section and not in "[sudo]".
I hope it helps.
LS
> altered /etc/nsswitch.conf
>
> sudoers: files sss
>
> restarted sssd
> restarted sudo
>
> tried to run the command with sudo again, this time it failed
>
> having been bitten by the way autofs works, I went straight to the
> way that sudo & sssd do the ldapsearch:
>
> SUDO
> (&(&(objectClass=sudoRole))(|(sudoUser=rowland)(sudoUser=%Domain Users)(sudoUser=%#20513)(sudoUser=%vboxusers)(sudoUser=%linuxusers)(sudoUser=%#127)(sudoUser=%#21110)(sudoUser=ALL)))
>
> SSSD
>
> (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.home.lan)(sudoHost=192.168.0.204)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
>
> sudo searches with objectClass=sudoRole & sudoUser attribute
> sssd searches with objectClass=sudoRole & sudoHost attribute
>
> Now I understand that the sssd search for the sudoHost attribute is
> to ensure that only sudo rules for the host are downloaded, but it
> doesn't actually seem to download any rules.
>
> Is there any way I can get the sssd search to include the sudoUser
> attribute in the same way that the sudo ldap search does?
>
> Or can anybody tell me where I am going wrong (again).
>
> Rowland
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Hi, thanks for replying,
that was my bad formatting in the post; it is
actually under the domain section, and there is nothing in the [sudo] section.
Rowland
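The two searches quoted above differ in which attribute is evaluated by the directory: sudo-ldap puts the sudoUser terms in its filter, while sssd scopes the fetch by sudoHost and leaves the user check to the client. The following is an added illustration, not code from the thread or from sssd: it rebuilds the sudoHost filter shape for the ThinkPad host from the thread (hostname, FQDN and addresses as posted; prefix lengths, group names and ids are constructed), then applies the sudoUser check locally against the linuxusers rule. The host check inside `applicable_rules` is deliberately simplified to "no sudoHost" or "ALL".

```python
import ipaddress

# Constructed sudoRole entry mirroring the one Rowland added under OU=SUDOers.
LINUXUSERS_RULE = {"cn": "linuxusers", "sudoUser": ["%linuxusers"],
                   "sudoHost": ["ALL"], "sudoCommand": ["ALL"]}

def sssd_sudohost_filter(hostname, fqdn, addrs):
    """Rebuild the host-scoped filter shape seen in the thread's SSSD search.

    addrs are "address/prefix" strings; each contributes its address and its
    network, as in the thread's 192.168.0.204 / 192.168.0.0/24 pair.
    """
    terms = ["(!(sudoHost=*))", "(sudoHost=ALL)",
             f"(sudoHost={hostname})", f"(sudoHost={fqdn})"]
    for a in addrs:
        iface = ipaddress.ip_interface(a)
        terms.append(f"(sudoHost={iface.ip})")
        terms.append(f"(sudoHost={iface.network})")
    terms.append("(sudoHost=+*)")  # netgroup rules: fetched, resolved on the client
    # Wildcard and escaped forms are also fetched and matched on the client.
    terms.append("(|(sudoHost=*\\\\*)(sudoHost=*?*)(sudoHost=*\\**)(sudoHost=*[*]*))")
    return "(&(objectClass=sudoRole)(|" + "".join(terms) + "))"

def sudo_user_matches(rule, user, uid, groups, gids):
    """sudoUser check that sudo-ldap pushes into its filter (sudoUser=rowland,
    %Domain Users, %#20513, ...) and that is applied here against fetched rules."""
    for v in rule.get("sudoUser", []):
        if v == "ALL":
            return True
        if v.startswith("%#"):      # %#gid  -> numeric group id
            if int(v[2:]) in gids:
                return True
        elif v.startswith("%"):     # %group -> group name
            if v[1:] in groups:
                return True
        elif v.startswith("#"):     # #uid   -> numeric user id
            if int(v[1:]) == uid:
                return True
        elif v == user:             # plain user name
            return True
    return False

def applicable_rules(rules, user, uid, groups, gids):
    """Host fetch first (simplified here to 'no sudoHost' or 'ALL'), then the
    user match, which is the order the two searches in the thread imply."""
    host_ok = [r for r in rules if not r.get("sudoHost") or "ALL" in r["sudoHost"]]
    return [r["cn"] for r in host_ok if sudo_user_matches(r, user, uid, groups, gids)]
```

With the rule from the thread (sudoHost ALL, sudoUser %linuxusers), a user in the linuxusers group is matched once the host-side fetch returns the entry, which is the point at which Rowland's search base placement decides whether anything is fetched at all.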