09-10-2008, 10:05 AM
Jonathan Barber

Sudo and Ldap

On Wed, Sep 10, 2008 at 10:03:32AM +0100, Kashif Ali wrote:
> If I could get the correct info from getent group
>
> which would show the group members, I am sure sudo would work, I am not sure
> what is involved in getting sudo into ldap and the configuring it. Anyone
> have a link to howto/wiki?

Just following the sudo ldap readme:
http://www.gratisoft.us/sudo/readme_ldap.html

got me there.

Basically you have to import the sudo schema (which I got from converting
the openldap schema supplied with the source RPM via the
ol-schema-migrate.pl script), create an entry to put your sudo config
under, import your sudo config, and then configure /etc/ldap.conf to
point at that entry.

> 2008/9/10 Jonathan Barber <j.barber@dundee.ac.uk>
>
> > On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles
> > wrote:
> > > Redhat sudo doesn't support ldap, recompile it with ldap support and add
> > > the sudoers base to /etc/ldap.conf and it should work then, annoying!
> >
> > I don't know about RHEL5, but centos 5.2 does:
> >
> > [root@pirez ~]# rpm -q centos-release
> > centos-release-5-2.el5.centos
> > [root@pirez ~]# rpm -q sudo
> > sudo-1.6.8p12-12.el5
> > [root@pirez ~]# ldd $(type -p sudo) | grep ldap
> > libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)
> >
> > And I believe it's been present for all the 5.0 series.
> >
> > > Cheers
> > >
> > > Malcolm
> > >
> > > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > > > Hello all,
> > > >
> > > > I have successfully setup FDS on Centos 5.2, and managed to get users
> > > > signing on without any issues. However if I edit the sudoers file to
> > > > allow a group on ldap to use sudo, the sudo command does not see the
> > > > members of the group or I think the group itself?
> > > >
> > > > I have no idea why this is:
> > > >
> > > > if I run the command 'id' as the given user you can clearly see the
> > > > group memberships, however if I do: getent group linuxops I see:
> > > >
> > > > linuxops:*:6000:
> > > >
> > > > with no members??? however SSHD AllowGroups works? I have configured
> > > > sshd to only allow members of the linuxops group to login and this
> > > > works fine? so my question is why is sudo behaving differently?
> > > >
> > > > --
> > > > Fedora-directory-users mailing list
> > > > Fedora-directory-users@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> > --
> > Jonathan Barber
> > High Performance Computing Analyst
> > Tel. +44 (0) 1382 386389
> >

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
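
The steps described above, as an added example that is not part of the original post: a minimal LDIF for the sudo container and one role, with the matching /etc/ldap.conf line given as a comment. The suffix dc=example,dc=com, the ou=SUDOers container and the role contents are assumptions; the sudoRole object class and the sudoers_base directive are the ones documented in the sudo LDAP readme linked in the post.

```ldif
# Constructed example: dc=example,dc=com, ou=SUDOers and the role names are
# assumptions, not values from this thread. Load with ldapadd after the sudo
# schema (which defines the sudoRole object class) has been imported.

# Container entry that holds the sudo configuration.
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Global options, the LDAP counterpart of "Defaults" lines in /etc/sudoers.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

# Counterpart of the sudoers line "%linuxops ALL = ALL".
# A leading % in sudoUser marks a Unix group, as in the sudoers file.
dn: cn=linuxops,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: linuxops
sudoUser: %linuxops
sudoHost: ALL
sudoCommand: ALL

# Matching line for /etc/ldap.conf on each client, pointing sudo at the
# container above (ldap.conf syntax, shown here as a comment):
#   sudoers_base ou=SUDOers,dc=example,dc=com
```

Write access to this subtree is equivalent to root on every client that reads it, so restrict it with directory ACIs to the administrators who would otherwise edit /etc/sudoers.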

 
09-10-2008, 10:12 AM
"Kashif Ali"

Sudo and Ldap

So the schema is not part of the Fedora-DS. I will try it and then update my wiki covering this.

 
09-10-2008, 07:14 PM
Malcolm Amir Hussain-Gambles

Sudo and Ldap

I mainly work on rhel4 servers at the moment, good to know though.
It was annoying that sudo didn't include it, glad it does now!

Cheers

Malcolm

On Wed, 2008-09-10 at 09:33 +0100, Jonathan Barber wrote:
> On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> > Redhat sudo doesn't support ldap, recompile it with ldap support and add
> > the sudoers base to /etc/ldap.conf and it should work then, annoying!
>
> I don't know about RHEL5, but centos 5.2 does:
>
> [root@pirez ~]# rpm -q centos-release
> centos-release-5-2.el5.centos
> [root@pirez ~]# rpm -q sudo
> sudo-1.6.8p12-12.el5
> [root@pirez ~]# ldd $(type -p sudo) | grep ldap
> libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)
>
> And I believe it's been present for all the 5.0 series.
>
> > Cheers
> >
> > Malcolm
> >
> > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > > Hello all,
> > >
> > > I have successfully setup FDS on Centos 5.2, and managed to get users
> > > signing on without any issues. However if I edit the sudoers file to
> > > allow a group on ldap to use sudo, the sudo command does not see the
> > > members of the group or I think the group itself?
> > >
> > > I have no idea why this is:
> > >
> > > if I run the command 'id' as the given user you can clearly see the
> > > group memberships, however if I do: getent group linuxops I see:
> > >
> > > linuxops:*:6000:
> > >
> > > with no members??? however SSHD AllowGroups works? I have configured
> > > sshd to only allow members of the linuxops group to login and this
> > > works fine? so my question is why is sudo behaving differently?
 
09-10-2008, 08:39 PM
"Kashif Ali"

Sudo and Ldap

I am currently in the process of documenting the schema install into the DS server, as well as adding the sudoers into ldap.

 
09-11-2008, 01:20 PM
"Kashif Ali"

Sudo and Ldap

I have now updated my wiki covering the sudo setup, I hope it makes it simpler for others to understand.

http://wiki.unixcraft.com/display/MainPage/Sudo+in+Centos+Directory+Server




 
