From owner-freebsd-current@FreeBSD.ORG Tue Jun 3 13:33:09 2008
Date: Tue, 3 Jun 2008 15:15:20 +0200
From: Philippe Audéoud <jadawin@tuxaco.net>
To: karim.bourenane@orange-ftgroup.com
Cc: freebsd-current@freebsd.org
Message-ID: <20080603131520.GJ85756@tuxaco.net>
Subject: Re: [BSD7] Openldap with SUDOers

On Tue, 03 Jun 2008, karim.bourenane@orange-ftgroup.com wrote:
> Hi Team, and All
> Hello,
> I want to create a sudoers profile in my OpenLDAP, but I don't understand
> how to do it.
> Actually in my LDAP I have:
>
> In slapd.conf
>     # Sudoers definition base
>     sudoers_base ou=SUDOers,dc=domain,dc=com
>     sudoers_debug 0
>
> Distinguished Name: ou=SUDOers,dc=domain,dc=com
>
> Distinguished Name: cn=defaults,ou=SUDOers,dc=domain,dc=com
> With sudoOption:
>     ignore_dot
>     !mail_no_user
>     log_host
>     !syslog
>     timestamp_timeout=10
>
> Distinguished Name: cn=role1,ou=SUDOers,dc=domain,dc=com
>     ObjectClass: Top and SudoRole
>     sudoCommand: All
>     sudoHost: ALL
>     sudoOption: !authenticate
>     sudoUser: login1,login2
>
> This part seems to be OK.
> When I connect and try the command "sudo su":
>     %sudo su
>     Password:
>     login1 is not in the sudoers file. This incident will be
>     reported.

To be sure that sudo doesn't use /etc/sudoers, please add ignore_local_sudoers
to the sudoOptions of cn=defaults.

Then:

    strings < /usr/bin/sudo | grep ldap | grep /
    /etc/ldap/ldap.conf

(sorry, I'm using a Debian box this time :P)

In /etc/ldap/ldap.conf:

    BASE	dc=XXXXX, dc=XX
    URI	ldap://ip.ip.ip.ip
    sudoers_base	ou=SUDOers,dc=XXXX,dc=XX
    binddn	cn=sudoers,dc=XXXX,dc=XX
    bindpw	secret
    sudoers_debug	2

BE SURE TO HAVE TABULATIONS AND NO SPACE! (I lost 3 hours because of a space!)

PS: If you prefer to speak French, don't hesitate to ask me via private mail :)

-- 
Philippe Audeoud
FreeBSD Committer | jadawin@FreeBSD.org
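An added illustration, not part of either message and not sudo's own code, of how sudo's LDAP backend evaluates the entries quoted in this thread (cn=defaults plus cn=role1, with the ignore_local_sudoers option the reply suggests): a small Python model of sudoUser/sudoHost/sudoCommand matching and of the sudoOption merge. The entries are constructed from the thread; sudoUser is taken as two separate attribute values, and %group/+netgroup forms are not modelled.

```python
# Added example (not sudo's code): a minimal model of how sudo's LDAP backend
# evaluates the SUDOers entries quoted in this thread (constructed data).

# cn=defaults,ou=SUDOers,dc=domain,dc=com, plus the suggested ignore_local_sudoers
DEFAULTS = {
    "cn": "defaults",
    "sudoOption": ["ignore_dot", "!mail_no_user", "log_host", "!syslog",
                   "timestamp_timeout=10", "ignore_local_sudoers"],
}

# cn=role1,ou=SUDOers,dc=domain,dc=com (sudoUser taken as two separate values)
ROLES = [
    {"cn": "role1", "objectClass": ["top", "sudoRole"],
     "sudoUser": ["login1", "login2"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": ["!authenticate"]},
]

def _matches(values, wanted):
    """True when any value is ALL or equals `wanted` (%group/+netgroup not modelled)."""
    return any(v == "ALL" or v == wanted for v in values)

def find_role(user, host, command, roles=ROLES):
    """Return the first sudoRole granting `command` to `user` on `host`, else None."""
    for role in roles:
        if (_matches(role.get("sudoUser", []), user)
                and _matches(role.get("sudoHost", []), host)
                and _matches(role.get("sudoCommand", []), command)):
            return role
    return None

def effective_options(role, defaults=DEFAULTS):
    """Merge cn=defaults sudoOptions with the role's own: '!' negates,
    'name=value' sets a value, later entries override earlier ones."""
    opts = {}
    for raw in defaults["sudoOption"] + role.get("sudoOption", []):
        name, _, value = raw.partition("=")
        opts[name.lstrip("!")] = False if name.startswith("!") else (value or True)
    return opts

def check(user, host, command):
    """Decide as sudo would: the deny message from the thread, or a grant
    noting whether !authenticate removed the password prompt."""
    role = find_role(user, host, command)
    if role is None:
        return f"{user} is not in the sudoers file. This incident will be reported."
    needs_pw = effective_options(role).get("authenticate", True)
    return (f"{user} may run {command} on {host} via cn={role['cn']} "
            + ("(password required)" if needs_pw else "(no password: !authenticate)"))
```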