Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))] (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
Essentiall all I need is (&(objectClass=mnetperson)(uid=iqbala)) and may be I will add more attributes if I want other groups to be able to sudo.
Also I do I map this to the sudo command that a user can run?
Appreciate the help!
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))] (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
Cheers,
John
My ldap_sudo_search_base path end with “?onelevel?” since it’s a search base you have to give it a scope. It's working fine for us.
Sent from my Windows 10 phone
From: John Beranekmailto:john@redux.org.uk Sent: Friday, October 13, 2017 4:07 PM To: End-user discussions about the System Security Services Daemonmailto:sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sudo does not work with SSSD
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))] (Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
Cheers,
John _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_
cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)
(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_
cache]
(0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(
uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
Cheers,
John _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On 13 October 2017 at 22:49, Asif Iqbal wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(uid=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
The LDAP directory will typically need the schema adding, including for Active Directory ( http://jhrozek.livejournal.com/3860.html ) - so, yes, you need the cooperation of the LDAP administrators in IT.
John
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_c
ache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(
sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_ca
che]
(0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(ui
d=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
Cheers,
John _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan dancorrigan1@gmail.com wrote:
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
I suppose I will just use local/proxy->local with sudo since IT wont add a sudo schema.
Appreciate the pointer!
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_c
ache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(s
udoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_ca
che]
(0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(ui
d=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
Cheers,
John _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan dancorrigan1@gmail.com wrote:
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
I suppose I will just use local/proxy->local with sudo since IT wont add a sudo schema.
Appreciate the pointer!
I end up using nss-pam-ldapd and have sudo pointing to pam_ldap.so which works perfect.
So looks like sudo login with ldap password work with pam_ldap.so and nslcd, but sssd needs a ldap sudo schema.
So if one does not have access to the LDAP server, pam_ldap + nslcd is the only way to work since sssd won't work there.
Did I evaluate it right or is there is a workaround for sssd to work as well?
Thanks
On Fri, Oct 13, 2017 at 4:49 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 5:06 PM, John Beranek john@redux.org.uk wrote:
On 13 October 2017 at 19:28, Asif Iqbal wrote:
Hi All
I have this is sssd.conf
[sudo] debug_level = 0x3ff0
[domain/LDAP] debug_level = 0x02F0 ... sudo_provider = ldap ldap_sudo_search_base = ou=People,dc=mnet,dc=qintra,dc=com ldap_sudorule_object_class = mnetperson
user can login OK with ldap, but sudo is failing
I see the it is doing a ldapsearch like this in the sssd_sudo.log
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_c
ache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=iqbala)(s
udoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))]
(Fri Oct 13 18:08:10 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_ca
che]
(0x0400): Returning 0 rules for [iqbala@LDAP]
It would have worked if search were like this
(&(objectClass=mnetperson)(|(sudoUser=ALL)(name=defaults)(ui
d=iqbala)(sudoUser=#408462)(sudoUser=%iqbala)(sudoUser=+*)))
How do I change the config to search like above?
The search it's doing is to retrieve sudo rule objects from the directory, as defined in e.g. https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html
Each LDAP object is equivalent to a line in a sudoers file.
I do not manage LDAP server, IT does and ldapsearch shows there is no sudoRole or any sudo* objectclass.
So that means I cannot use sudo for SSSD?
Cheers,
John _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
On (16/10/17 15:16), Asif Iqbal wrote:
On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan dancorrigan1@gmail.com wrote:
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
I suppose I will just use local/proxy->local with sudo since IT wont add a sudo schema.
Appreciate the pointer!
I end up using nss-pam-ldapd and have sudo pointing to pam_ldap.so which works perfect.
So looks like sudo login with ldap password work with pam_ldap.so and nslcd, but sssd needs a ldap sudo schema.
So if one does not have access to the LDAP server, pam_ldap + nslcd is the only way to work since sssd won't work there.
Did I evaluate it right or is there is a workaround for sssd to work as well?
If nss-pam-ldapd is able to provide rules from LDAP server then sssd is able to provide them as well. And there are not required any changes on LDAP server.
Which distribution do you use? is sudo compiled there with sssd support? ot just with ldap? sudo -V | grep sss
Is nsswitch configured properly with sss? grep sudoers /etc/nsswitch.conf
@see also https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
LS
On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (16/10/17 15:16), Asif Iqbal wrote:
On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <
dancorrigan1@gmail.com>
wrote:
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
I suppose I will just use local/proxy->local with sudo since IT wont
add a
sudo schema.
Appreciate the pointer!
I end up using nss-pam-ldapd and have sudo pointing to pam_ldap.so which works perfect.
So looks like sudo login with ldap password work with pam_ldap.so and nslcd, but sssd needs a ldap sudo schema.
So if one does not have access to the LDAP server, pam_ldap + nslcd is the only way to work since sssd won't work there.
Did I evaluate it right or is there is a workaround for sssd to work as well?
If nss-pam-ldapd is able to provide rules from LDAP server then sssd is able to provide them as well. And there are not required any changes on
I am using nss-pam-ldapd for sudo authentication only. I am using local sudoers for rules.
Can I user sssd instead of nss-pam-ldapd for sudo authentication only and use local sudoers file for rules?
LDAP server.
Which distribution do you use? is sudo compiled there with sssd support? ot just with ldap? sudo -V | grep sss
Here is sudo -V output and I am using centos 7 in this case.
Is nsswitch configured properly with sss? grep sudoers /etc/nsswitch.conf
[root@localhost vagrant]# grep sudoers /etc/nsswitch.conf sudoers files sss
@see also
https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
I will follow that when I am work tomorrow. I can access the corporate LDAP server only from work.
Thanks for your help
LS _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik lslebodn@redhat.com wrote:
On (16/10/17 15:16), Asif Iqbal wrote:
On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal vadud3@gmail.com wrote:
On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <
dancorrigan1@gmail.com>
wrote:
I'm wondering if you have even extended your LDAP schema for sudo. Sudo rules must follow a proper schema in order to be valid.
I suppose I will just use local/proxy->local with sudo since IT wont
add a
sudo schema.
Appreciate the pointer!
I end up using nss-pam-ldapd and have sudo pointing to pam_ldap.so which works perfect.
So looks like sudo login with ldap password work with pam_ldap.so and nslcd, but sssd needs a ldap sudo schema.
So if one does not have access to the LDAP server, pam_ldap + nslcd is the only way to work since sssd won't work there.
Did I evaluate it right or is there is a workaround for sssd to work as well?
If nss-pam-ldapd is able to provide rules from LDAP server then sssd is able to provide them as well. And there are not required any changes on LDAP server.
This worked when I got rid of ldap_sudo* from the config and just used sudoers file and made sure uid is in local wheel group.
Appreciate your help!
Which distribution do you use? is sudo compiled there with sssd support? ot just with ldap? sudo -V | grep sss
Is nsswitch configured properly with sss? grep sudoers /etc/nsswitch.conf
@see also https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html
LS _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users@lists.fedorahosted.org