On 19/09/13 23:09, Dmitri Pal wrote:
On 09/19/2013 12:44 PM, Rowland Penny wrote:
On 19/09/13 17:29, Lukas Slebodnik wrote:
On (19/09/13 17:18), Rowland Penny wrote:
Ok, I am back again, trying to get sssd to control sudo, but failing.
I added the sudo active directory schema ldif to samba4 AD
then added this:
dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: CN=linuxusers,OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: sudoRole
cn: linuxusers
sudoUser: %linuxusers
sudoHost: ALL
sudoCommand: ALL
On a Linux Mint client:
sudo apt-get install sudo-ldap
Edited /etc/sudo-ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE DC=example,DC=com
URI ldap://server.example.com
ssl=no
LDAP_VERSION 3
SUDOERS_BASE ou=SUDOers,DC=example,DC=com
SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole))
BINDDN CN=Administrator,CN=Users,DC=example,DC=com
BINDPW xxxxxxxxxx
then edited /etc/nsswitch.conf and added
sudoers: files ldap
restarted sudo
then as a normal user, tried to run a command with sudo, this worked.
I then altered /etc/sssd/sssd.conf and added
services = nss, pam, autofs, sudo
[sudo]
ldap_sudo_search_base = OU=SUDOers,DC=example,DC=com
^^^^^^ This line should be in domain section and not "[sudo]"
I hope it helps.
LS
altered /etc/nsswitch.conf
sudoers: files sss
restarted sssd
restarted sudo
tried to run the command with sudo again, this time it failed
having been bitten by the way autofs works, I went straight to the way that sudo & sssd do the ldapsearch:
SUDO (&(&(objectClass=sudoRole))(|(sudoUser=rowland)(sudoUser=%Domain Users)(sudoUser=%#20513)(sudoUser=%vboxusers)(sudoUser=%linuxusers)(sudoUser=%#127)(sudoUser=%#21110)(sudoUser=ALL)))
SSSD (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.home.lan)(sudoHost=192.168.0.204)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\*)(sudoHost=*?*)(sudoHost=***)(sudoHost=*[*]*))))
Does the ldap search with this filter return any results?
Yes, it actually returns more than the sudo search but does not seem to use any of them
sudo searches with objectClass=sudoRole & sudoUser attribute
sssd searches with objectClass=sudoRole & sudoHost attribute
Now I understand that the sssd search for the sudoHost attribute is to ensure that only sudo rules for the host are downloaded, but it doesn't actually seem to download any rules.
Is there any way I can get the sssd search to include the sudoUser attribute in the same way that the sudo ldap search does?
Or can anybody tell me where I am going wrong (again).
Rowland
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi, thanks for replying, that was my bad formatting in the post, it is actually under the domain section, there is nothing in the [sudo] section.
Rowland
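The two-stage matching the thread compares (sssd scopes its LDAP query by sudoHost, then matches sudoUser against the cached rules locally, whereas sudo-ldap puts sudoUser into the search filter) as an added example, not sssd's or sudo's own code: a simplified Python model that builds a host-scoped filter in the shape of the SSSD filter quoted above (netgroup and wildcard clauses omitted) and applies the sudoUser forms seen in the thread to constructed sudoRole entries. Rule names, hosts, users, groups and GIDs are constructed sample values.

```python
# Added example, not sssd's or sudo's own code: a simplified model of how sssd
# scopes the LDAP query by sudoHost and only afterwards matches sudoUser locally.
# Rules, hosts, users, groups and GIDs below are constructed sample values.

# Constructed sudoRole entries as an LDAP client would return them (attr -> values).
SAMPLE_RULES = [
    {"cn": ["linuxusers"], "sudoUser": ["%linuxusers"],
     "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": ["thinkpad-admin"], "sudoUser": ["rowland"],
     "sudoHost": ["ThinkPad"], "sudoCommand": ["/usr/bin/apt-get"]},
    {"cn": ["fileserver-any"], "sudoUser": ["ALL"],
     "sudoHost": ["fileserver.home.lan"], "sudoCommand": ["ALL"]},
    # No sudoHost at all: still fetched because of the (!(sudoHost=*)) clause.
    {"cn": ["vbox-gid"], "sudoUser": ["%#127"], "sudoCommand": ["ALL"]},
]


def host_filter(hostnames, addresses):
    """Host-scoped filter in the shape sssd sends (netgroup/wildcard clauses omitted)."""
    clauses = ["(!(sudoHost=*))", "(sudoHost=ALL)"]
    clauses += ["(sudoHost=%s)" % h for h in hostnames + addresses]
    return "(&(objectClass=sudoRole)(|%s))" % "".join(clauses)


def host_matches(rule, hostnames, addresses):
    """Server-side stage: would host_filter() return this rule for this host?"""
    hosts = rule.get("sudoHost", [])
    return not hosts or any(h == "ALL" or h in hostnames or h in addresses for h in hosts)


def user_matches(rule, user, groups, gids):
    """Client-side stage: sudoUser forms seen in the thread (user, %group, %#gid, ALL)."""
    for u in rule.get("sudoUser", []):
        if u == "ALL" or u == user:
            return True
        if u.startswith("%#") and u[2:].isdigit() and int(u[2:]) in gids:
            return True
        if u.startswith("%") and u[1:] in groups:
            return True
    return False


def applicable_rules(rules, hostnames, addresses, user, groups, gids):
    """cn of each rule sssd would cache for this host AND then apply to this user."""
    cached = [r for r in rules if host_matches(r, hostnames, addresses)]
    return [r["cn"][0] for r in cached if user_matches(r, user, groups, gids)]


if __name__ == "__main__":
    print(host_filter(["ThinkPad", "ThinkPad.home.lan"], ["192.168.0.204"]))
    print(applicable_rules(SAMPLE_RULES, ["ThinkPad"], ["192.168.0.204"],
                           "rowland", ["Domain Users", "linuxusers"], [20513, 127]))
```

A rule that is cached but never applied therefore points at the sudoUser side (group names, GIDs) rather than at the LDAP filter; a rule missing from the cache points at sudoHost.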