On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (16/10/17 15:16), Asif Iqbal wrote:
>On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal <vadud3@gmail.com> wrote:
>
>>
>> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <dancorrigan1@gmail.com>
>> wrote:
>>
>>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
>>> rules must follow a proper schema in order to be valid.
>>>
>>
>> I suppose I will just use local/proxy->local with sudo since IT won't add a
>> sudo schema.
>>
>> Appreciate the pointer!
>>
>>
>I ended up using nss-pam-ldapd and have sudo pointing to pam_ldap.so, which
>works perfectly.
>
>So it looks like sudo login with an ldap password works with pam_ldap.so and
>nslcd, but sssd needs an ldap sudo schema.
>
>So if one does not have access to the LDAP server, pam_ldap + nslcd is the
>only way to work since sssd won't work there.
>
>Did I evaluate it right or is there a workaround for sssd to work as
>well?
>

If nss-pam-ldapd is able to provide rules from the LDAP server then sssd
is able to provide them as well. And no changes are required on the
LDAP server.

I am using nss-pam-ldapd for sudo authentication only. I am using local sudoers
for rules.

Can I use sssd instead of nss-pam-ldapd for sudo authentication only and use the local sudoers
file for rules?

Which distribution do you use? Is sudo compiled there with sssd support
or just with ldap?
   sudo -V | grep sss


Here is the sudo -V output; I am using CentOS 7 in this case.

http://dpaste.com/27GVJTC.txt

 
Is nsswitch configured properly with sss?
   grep sudoers /etc/nsswitch.conf


[root@localhost vagrant]# grep sudoers /etc/nsswitch.conf
sudoers     files sss

@see also
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

I will follow that when I am at work tomorrow. I can access the corporate LDAP server only from work.
 
Thanks for your help



LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
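The two checks Lukas asks for above (is sudo built with sssd support, does the sudoers line in nsswitch.conf list sss), plus the sudo responder setting that the linked troubleshooting page walks through, can be scripted so they are easy to repeat on every host. The script below is an added example written for this thread, not code from the list or from the SSSD project. It takes file paths as parameters and is exercised here on constructed sample files; the sample "sudo -V" text and the config snippets are made up for the demo and are not the output from the dpaste link.

```shell
#!/bin/sh
# Added example (not from the thread): a small checker for the prerequisites
# sssd needs before it can answer sudo lookups. Each check takes a file path
# so the same functions run against constructed samples or real host files.
#
# On a real host, as root:
#   sudo -V > /tmp/sudo-V.txt
#   check_sudo_via_sssd /etc/nsswitch.conf /tmp/sudo-V.txt /etc/sssd/sssd.conf

# 1. Does the sudoers line in nsswitch.conf list the "sss" source?
#    Accepts "sudoers:" and the colon-less form that shows up in pasted output;
#    commented-out lines do not count.
nsswitch_sudoers_has_sss() {
  awk '$1 ~ /^sudoers:?$/ { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
       END { exit (found ? 0 : 1) }' "$1"
}

# 2. Was sudo built with SSSD support? "sudo -V" run as root prints the
#    configure options; a build with SSSD support lists --with-sssd there.
sudo_built_with_sssd() {
  grep -q -- '--with-sssd' "$1"
}

# 3. Is the sudo responder listed in sssd.conf (services = ..., sudo)?
#    Newer SSSD releases can socket-activate the responder instead, so treat
#    a miss here as a hint to look further, not as proof of misconfiguration.
sssd_conf_has_sudo_service() {
  awk -F= '$1 ~ /^[ \t]*services[ \t]*$/ {
             n = split($2, a, /[ \t,]+/)
             for (i = 1; i <= n; i++) if (a[i] == "sudo") found = 1
           }
           END { exit (found ? 0 : 1) }' "$1"
}

# Run all three checks, print PASS/FAIL per check and return the number of
# failed checks (0 means every prerequisite looked fine).
check_sudo_via_sssd() {
  nss="$1"; sudov="$2"; sssdconf="$3"; fails=0
  nsswitch_sudoers_has_sss "$nss" && echo "PASS nsswitch.conf: sudoers lists sss" \
    || { echo "FAIL nsswitch.conf: sudoers does not list sss"; fails=$((fails + 1)); }
  sudo_built_with_sssd "$sudov" && echo "PASS sudo -V: built with --with-sssd" \
    || { echo "FAIL sudo -V: no --with-sssd in configure options"; fails=$((fails + 1)); }
  sssd_conf_has_sudo_service "$sssdconf" && echo "PASS sssd.conf: sudo responder in services" \
    || { echo "FAIL sssd.conf: sudo responder not in services"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample files (not real host output): one passing set and one
# nsswitch.conf that leaves sss off the sudoers line.
demo_on_constructed_input() {
  d=$(mktemp -d) || return 1
  printf 'passwd:     files sss\nsudoers:    files sss\n' > "$d/nsswitch.ok"
  printf 'sudoers:    files\n' > "$d/nsswitch.bad"
  printf 'Sudo version 0.0.0 (constructed sample)\nConfigure options: --prefix=/usr --with-sssd --with-sssd-lib=/usr/lib64\n' > "$d/sudo-V.ok"
  printf '[sssd]\nservices = nss, pam, sudo\ndomains = example\n' > "$d/sssd.ok"
  echo "== constructed good configuration =="
  check_sudo_via_sssd "$d/nsswitch.ok" "$d/sudo-V.ok" "$d/sssd.ok"
  echo "== constructed configuration missing sss in nsswitch.conf =="
  check_sudo_via_sssd "$d/nsswitch.bad" "$d/sudo-V.ok" "$d/sssd.ok" || true
  rm -rf "$d"
}

demo_on_constructed_input
```

The return value of check_sudo_via_sssd is the count of failed checks, so it can gate a configuration-management run or a monitoring probe without parsing the PASS/FAIL lines.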