Set up two VMs, ldap.lab.local and client.lab.local (the client is referred to as client.lab.local in the prompts and headings below):

Configs/Info for ldap.lab.local:

[root@ldap etc]# cat /etc/centos-release
CentOS release 6.5 (Final)

[root@ldap etc]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.lab.local
BASE dc=lab,dc=local
# NOTE(review): 'allow' lets the session proceed even when the server presents
# no certificate or one that fails verification, so StartTLS here encrypts the
# connection but does not authenticate the server (no MITM protection for the
# credentials sent over it). Once the self-signed cert produced by setupssl2.sh
# is installed under TLS_CACERTDIR, this should be 'demand'.
TLS_REQCERT allow

[root@ldap etc]# rpm -qa |grep 389
389-ds-1.2.2-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64

[root@ldap etc]# ldapsearch -x -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=lab,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# lab.local
dn: dc=lab,dc=local
objectClass: top
objectClass: domain
dc: lab

# Directory Administrators, lab.local
dn: cn=Directory Administrators,dc=lab,dc=local
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, lab.local
dn: ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, lab.local
dn: ou=People,dc=lab,dc=local
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, lab.local
dn: ou=Special Users,dc=lab,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, lab.local
dn: cn=Accounting Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, lab.local
dn: cn=HR Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, lab.local
dn: cn=QA Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, lab.local
dn: cn=PD Managers,ou=Groups,dc=lab,dc=local
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# SUDOers, lab.local
dn: ou=SUDOers,dc=lab,dc=local
ou: SUDOers
objectClass: top
objectClass: organizationalunit

# root, SUDOers, lab.local
dn: cn=root,ou=SUDOers,dc=lab,dc=local
cn: root
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: root

# test, lab.local
dn: uid=test,dc=lab,dc=local
givenName: test
sn: test
loginShell: /bin/bash
uidNumber: 600
gidNumber: 10
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: test
gecos: test
cn: test
homeDirectory: /home/test

# defaults, SUDOers, lab.local
dn: cn=defaults,ou=SUDOers,dc=lab,dc=local
cn: defaults
objectClass: top
objectClass: sudorole
sudoOption: env_keep+=SSH_AUTH_SOCK

# test2, lab.local
dn: uid=test2,dc=lab,dc=local
givenName: test2
sn: test2
loginShell: /bin/bash
uidNumber: 654
gidNumber: 10
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: test2
cn: test2
homeDirectory: /home/test2

# wheel, lab.local
dn: cn=wheel,dc=lab,dc=local
gidNumber: 10
memberUid: test2
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: wheel

# wheel, SUDOers, lab.local
dn: cn=wheel,ou=SUDOers,dc=lab,dc=local
cn: wheel
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoUser: %wheel
sudoRunAsUser: ALL

# test, SUDOers, lab.local
dn: cn=test,ou=SUDOers,dc=lab,dc=local
cn: test
objectClass: top
objectClass: sudorole
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL
sudoUser: test

# search result
search: 3
result: 0 Success

# numResponses: 18
# numEntries: 17

Configs/Info for client.lab.local:

[root@client ~]# cat /etc/centos-release
CentOS release 6.5 (Final)

[root@client ~]# rpm -qa |grep sssd
sssd-1.9.2-129.el6_5.4.x86_64
sssd-client-1.9.2-129.el6_5.4.x86_64

[root@client ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.lab.local
BASE dc=lab,dc=local
# NOTE(review): 'allow' lets the session proceed even when the server presents
# no certificate or one that fails verification, so StartTLS here encrypts the
# connection but does not authenticate the server (no MITM protection for the
# credentials sent over it). Once the self-signed cert produced by setupssl2.sh
# is installed under TLS_CACERTDIR, this should be 'demand'.
TLS_REQCERT allow

[root@client ~]# cat /etc/sssd/sssd.conf
[domain/default]
# NOTE(review): 'allow' accepts a missing or unverifiable server certificate,
# so the StartTLS session is encrypted but the server is never authenticated;
# the simple bind below sends the user's password over that session. With the
# CA cert in ldap_tls_cacertdir this should be 'demand'.
ldap_tls_reqcert = allow
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=lab,dc=local
ldap_id_use_start_tls = True
# NOTE(review): with rfc2307bis, sssd resolves group membership through a
# DN-valued member attribute -- the server access log shows it searching for
# (&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*)) and
# getting nentries=0. The cn=wheel entry lists test2 only via memberUid, so
# sssd never sees test2 in wheel and the 'sudoUser: %wheel' rule cannot match.
# Either use ldap_schema = rfc2307 (memberUid-based), or keep rfc2307bis and
# add a DN-valued membership attribute to the group (e.g. uniqueMember, which
# its groupofuniquenames objectclass already allows, selected via
# ldap_group_member = uniqueMember).
ldap_schema = rfc2307bis
ldap_search_base = dc=lab,dc=local
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.lab.local/
# Cached credentials let users log in while the server is unreachable; they
# are stored (hashed) on the client, so keep /var/lib/sss restricted to root.
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, sudo
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]
debug_level=6

[autofs]

[ssh]

[pac]
--
[test@client ~]$ sudo -l
[sudo] password for test:
Matching Defaults entries for test on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK

User test may run the following commands on this host:
    (ALL) ALL
[test@client ~]$

As you can see, sudo works for user 'test', who matches the explicit `sudoUser: test` rule. Now let's try 'test2', who is only covered by the `sudoUser: %wheel` rule and therefore depends on sssd resolving test2's membership in the wheel group:

[test2@client ~]$ sudo -l
[sudo] password for test2:
User test2 is not allowed to run sudo on client.
[test2@client ~]$
--
Output of ldap.lab.local:/var/log/dirsrv/slapd-ldap/access for the test2 attempt is below. Note that the only group lookup (conn=103 op=26) filters on `member=uid=test2,dc=lab,dc=local` and returns nentries=0, while the cn=wheel entry above records test2 via `memberUid` only:

[root@ldap slapd-ldap]# cat access
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 SRCH base="dc=lab,dc=local" scope=2 filter="(&(uid=test2)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn memberOf nsUniqueId modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"
[07/Sep/2014:10:07:42 -0700] conn=103 op=25 RESULT err=0 tag=101 nentries=1 etime=0
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 SRCH base="dc=lab,dc=local" scope=2 filter="(&(member=uid=test2,dc=lab,dc=local)(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber nsUniqueId modifyTimestamp modifyTimestamp"
[07/Sep/2014:10:07:42 -0700] conn=103 op=26 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[07/Sep/2014:10:07:42 -0700] conn=108 fd=69 slot=69 connection from 192.168.199.98 to 192.168.199.99
[07/Sep/2014:10:07:42 -0700] conn=108 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2014:10:07:42 -0700] conn=108 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Sep/2014:10:07:42 -0700] conn=108 SSL 128-bit AES
[07/Sep/2014:10:07:42 -0700] conn=108 op=1 BIND dn="uid=test2,dc=lab,dc=local" method=128 version=3
[07/Sep/2014:10:07:42 -0700] conn=108 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test2,dc=lab,dc=local"
[07/Sep/2014:10:07:42 -0700] conn=108 op=2 UNBIND
[07/Sep/2014:10:07:42 -0700] conn=108 op=2 fd=69 closed - U1
[root@ldap slapd-ldap]#
--
Both 'test' and 'test2' log in fine with LDAP authentication, so user lookup and the password bind work; the difference is only in group membership / sudo rule resolution.

If it matters, ldap.lab.local has a self-signed certificate which was created by setupssl2.sh. Note that with `TLS_REQCERT allow` / `ldap_tls_reqcert = allow` on the client, that certificate is never actually verified — the client proceeds with any certificate, or none — so it should be placed in /etc/openldap/cacerts and the setting changed to `demand` before this setup is used outside a lab. Separately, the `ldapsearch -x -ZZ` above was an anonymous bind and returned the entire tree, sudo rules and account data included — presumably the default 389-ds anonymous-read ACI, which is worth restricting.

Thanks for any suggestions.