From: bluethundr
To: freebsd-questions
Date: Wed, 10 Nov 2010 11:14:38 -0500
Subject: Problems Hooking Sudoers into PAM/LDAP

Hey list!!
I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here.. At this point I have an openLDAP server that is working quite splendidly! :) I have a working directory with users able to authenticate to it and TLS turned on, and it is ALL happening through PAM!! Well, almost all of it.. The one sticking point I am currently having is getting sudoers to authenticate against LDAP.

The server is FreeBSD 8.1 but the clients are all CentOS 5.4. Although, knowing this shouldn't make much difference in how this works AFAIK.

On the client I have my /etc/ldap.conf file set up like this:

    URI ldap://ldap.acadaca.net/
    BASE dc=acadaca,dc=net
    TLS_CACERTDIR /etc/openldap/cacerts
    pam_login_attribute uid
    pam_lookup_policy yes
    pam_password exop
    nss_base_passwd ou=staff,dc=acadaca,dc=net
    sudoers_debug 2

I have added the user I am testing to a couple of groups (two regular DNs and one posixGroup), all of which had the sudoRole objectClass, in the hopes that this might be related to the issue:

    dn: cn=%sa,ou=sudoers,ou=Services,dc=acadaca,dc=net
    objectClass: top
    objectClass: sudoRole
    cn: %sa
    sudoHost: ALL
    sudoRunAsUser: ALL
    sudoCommand: ALL
    sudoOption: !authenticate
    sudoUser: %sa
    sudoUser: bluethundr

    dn: cn=role1,ou=sudoers,ou=Services,dc=acadaca,dc=net
    objectClass: sudoRole
    objectClass: top
    cn: role1
    sudoUser: bluethundr
    sudoHost: ALL
    sudoCommand: ALL

    dn: cn=sa,ou=Group,dc=acadaca,dc=net
    objectClass: posixGroup
    objectClass: top
    cn: sa
    userPassword: {crypt}*
    gidNumber: 20004

However, that didn't seem to do the trick. When I do attempt to sudo from the client machine this is what I see on the command line:

    [bluethundr@VIRCENT03:~]#sudo bash
    [sudo] password for bluethundr:
    bluethundr is not in the sudoers file.  This incident will be reported.
    [bluethundr@VIRCENT03:~]#sudo -l
    [sudo] password for bluethundr:
    Sorry, user bluethundr may not run sudo on VIRCENT03.

Also, I notice that the client can't seem to find its groups stored in LDAP, even though I would think that system auth would point sudoers to them just as it does sshd and su.

    [bluethundr@VIRCENT03:~]#groups bluethundr
    id: cannot find name for group ID 1002

I am not entirely sure that this is a separate issue, honestly, but I think it may be related.

The other PAM services I am working with, su and sshd, trigger events in the openldap logs on the server. Everything is going smoothly with these services, apparently. In the openldap logs on the server here is a sample of what I see:

    Nov 9 14:03:56 ldap slapd[31269]: bdb_search_candidates: id=1 first=54 last=54
    Nov 9 14:03:56 ldap slapd[31269]: => test_filter
    Nov 9 14:03:56 ldap slapd[31269]: AND
    Nov 9 14:03:56 ldap slapd[31269]: => test_filter_and
    Nov 9 14:03:56 ldap slapd[31269]: => test_filter
    Nov 9 14:03:56 ldap slapd[31269]: EQUALITY
    Nov 9 14:03:56 ldap slapd[31269]: => access_allowed: search access to "uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net" "objectClass" requested
    Nov 9 14:03:56 ldap slapd[31269]: => acl_get: [1] attr objectClass
    Nov 9 14:03:56 ldap slapd[31269]: => acl_mask: access to entry "uid=bluethundr,ou=sa,ou=staff,dc=acadaca,dc=net", attr "objectClass" requested
    Nov 9 14:03:56 ldap slapd[31269]: => acl_mask: to value by "", (=0)
    Nov 9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] applying read(=rscxd) (stop)
    Nov 9 14:03:56 ldap slapd[31269]: <= acl_mask: [1] mask: read(=rscxd)
    Nov 9 14:03:56 ldap slapd[31269]: => access_allowed: search access granted by read(=rscxd)

More complete logs that I hope will provide a bit more context can be found here:

    http://ldap.acadaca.net/docs/openldap.txt

What I've done was clear the openldap logs with an echo " " > statement just before sudoing to root on the client. Honestly, I wish I was better at parsing these log files, but unfortunately I'm not quite there as of yet. :(

Back on the client side I see this noticeable event, amongst quite a lot of successful PAM events in the secure log:

    Nov 9 15:37:39 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

A more complete version of the secure log can be found here:

    http://ldap.acadaca.net/docs/securelogs.txt

And lastly, a copy of the schema that I am working with can be found here:

    http://ldap.acadaca.net/docs/schema.txt

Best regards, and thanks for your help!!

--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
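The post above asks how sudoRole entries relate to a user whose groups the client cannot resolve. The following is an added example, not code from the original post or from sudo itself: a small Python model of the matching sudo's LDAP backend performs. sudo looks for sudoRole entries whose sudoUser is the login name, "ALL", or "%group" for each group NSS reports for the user, then keeps only those whose sudoHost matches the local hostname. The LDIF is constructed from the two sudoRole entries quoted in the post plus a hypothetical third role (cn=dbadmins, host pattern db*.acadaca.net) that is only reachable through group membership, so the effect of the `id: cannot find name for group` failure can be seen directly.

```python
"""Added example: model how sudo's LDAP backend matches sudoRole entries.

Not sudo's own code. Netgroups (+name) and non-Unix groups (%:name) are
not modelled; only the sudoUser forms that appear in the post are.
"""
import fnmatch

# Constructed sample: the two roles quoted in the post plus a hypothetical
# dbadmins role that grants access only via the %sa group on db* hosts.
SAMPLE_LDIF = """\
dn: cn=%sa,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: %sa
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoUser: %sa
sudoUser: bluethundr

dn: cn=role1,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: bluethundr
sudoHost: ALL
sudoCommand: ALL

dn: cn=dbadmins,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: sudoRole
objectClass: top
cn: dbadmins
sudoUser: %sa
sudoHost: db*.acadaca.net
sudoCommand: /usr/bin/mysql
"""


def parse_ldif(text):
    """Parse a minimal LDIF blob into a list of {attr: [values]} dicts,
    keeping only entries that carry the sudoRole objectClass."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            cur = {"dn": [value]}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    if cur is not None:
        entries.append(cur)
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(value, user, groups):
    """sudoUser semantics: literal login, ALL, or %group (needs NSS groups)."""
    if value == "ALL":
        return True
    if value.startswith("%"):
        # A Unix group match can only succeed if the client could resolve
        # the user's groups; an empty group list silently disables it.
        return value[1:] in groups
    if value.startswith("+"):
        return False                      # netgroups not modelled here
    return value == user


def host_matches(value, host):
    """sudoHost: ALL or a hostname, with shell-style wildcards allowed."""
    return value == "ALL" or fnmatch.fnmatchcase(host, value)


def applicable_roles(ldif_text, user, groups, host):
    """Return the cn of every sudoRole that applies to user@host."""
    hits = []
    for e in parse_ldif(ldif_text):
        if not any(user_matches(v, user, groups) for v in e.get("sudoUser", [])):
            continue
        if not any(host_matches(v, host) for v in e.get("sudoHost", [])):
            continue
        hits.append(e["cn"][0])
    return hits


if __name__ == "__main__":
    for user, groups, host in [
        ("bluethundr", ["sa"], "VIRCENT03"),
        ("bluethundr", [], "VIRCENT03"),
        ("otheruser", ["sa"], "db01.acadaca.net"),
        ("otheruser", [], "db01.acadaca.net"),
    ]:
        print(user, groups, host, "->", applicable_roles(SAMPLE_LDIF, user, groups, host))
```

Running it shows that bluethundr matches both quoted roles by login name whether or not the group lookup works, because both entries list `sudoUser: bluethundr` explicitly; a user who is only granted access through `sudoUser: %sa` loses every role the moment the client cannot resolve group names. That is the check worth making first when a group-based sudoRole fails: confirm `id`/`groups` on the client returns the LDAP group names before looking at the sudoRole entries themselves.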