Date:      Fri, 07 Nov 2008 14:32:01 -0500
From:      "Darek M." <darek@nyi.net>
To:        freebsd-questions@freebsd.org
Subject:   sudo, LDAP, and Kerberos
Message-ID:  <491497B1.80507@nyi.net>

I'm setting up a centralized Kerberos/LDAP authentication system and 
trying to get sudo to use a) Kerberos for the password, and b) LDAP for 
a non-local user's group.

Locally on a client system "/etc/sudoers" specifies %sysadmin to be able 
to sudo to root.  I don't need to move "sudoers" to LDAP just yet.

I've had success on some machines compiling sudo from source with 
--enable-kerb5 and --enable-ldap.  But on many other systems sudo 
segfaults, or returns bus errors, and overall gave me nothing but grief.

So I'm looking for alternate ways of supplying sudo with a user's 
group.  Is it possible to compile sudo (without kerberos and ldap 
support) and configure a pam.d file (/etc/pam.d/sudo) to interact with 
kerberos and LDAP?  I created a sudo file with

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             warn try_first_pass
...

and running sudo (compiled with only a ./configure, no other options) as 
a non-local user I successfully authenticate, but then sudo has no idea 
of the group this user belongs to and says "not in the sudoers file".  
Is it possible to use PAM as a go-between for sudo and the remote LDAP 
system to provide sudo with the user's group info?

How has everyone else set up a central auth system?  Seems to me sudo's 
configure script has some flaws and I don't want to rely on it.  Maybe 
there's a better way, but aside from sudo acting up, the above would be 
a fine setup for me.

Any pointers appreciated.
- Darek
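Added illustration (not part of the original message, and not code from the sudo project): the "not in the sudoers file" result above is what you get when authentication and authorization come from different places. sudo asks PAM only "is this password right?"; it then decides whether the user may run a command by matching sudoers entries against the user name and the group list the C library resolves through NSS (/etc/nsswitch.conf), which pam_krb5 never populates. The script below models that split: `sudoers_principals` and `sudoers_allows` are hypothetical helper names, `SAMPLE_SUDOERS` is a constructed file mirroring the %sysadmin rule described in the post, and the parser covers only the common "user/%group HOST=(RUNAS) CMD" line shape, not the full sudoers grammar.

```python
"""Added example (not from the original post or the sudo project).

Shows why a user who authenticates through pam_krb5 can still be rejected
by sudo: the password check goes through PAM, but %group matching uses the
group list the C library resolves via NSS. Without an LDAP (or other
remote) source for the "group" database in /etc/nsswitch.conf, that list
is empty for a non-local user.
"""
import grp
import pwd
import re
from typing import List, Optional

# Constructed sudoers sample (hypothetical), mirroring the %sysadmin rule.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL=(ALL) ALL
%sysadmin   ALL=(ALL) ALL
"""

# Matches the leading user or %group token of a "who HOST=(RUNAS) CMD" rule.
_RULE_RE = re.compile(r"^\s*(%?[A-Za-z0-9_.\-]+)\s+\S+=.*$")


def sudoers_principals(sudoers_text: str) -> List[str]:
    """Return the user and %group names that carry a rule in sudoers_text."""
    names = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def nss_groups(user: str) -> List[str]:
    """Group names for `user` as the C library resolves them through NSS.

    This is the data source sudo consults for %group matching. If NSS has
    no remote backend for "group", a Kerberos-only user resolves to an
    empty list here even though pam_krb5 accepted the password.
    """
    try:
        primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    except KeyError:
        return []  # user (or primary gid) unknown to NSS
    groups = {primary}
    groups.update(g.gr_name for g in grp.getgrall() if user in g.gr_mem)
    return sorted(groups)


def sudoers_allows(sudoers_text: str, user: str,
                   groups: Optional[List[str]] = None) -> bool:
    """True if `user` (or one of `groups`) has a sudoers rule.

    `groups` defaults to the NSS-resolved list; pass it explicitly to model
    what sudo sees with or without a working LDAP group backend.
    """
    if groups is None:
        groups = nss_groups(user)
    for name in sudoers_principals(sudoers_text):
        if name.startswith("%"):
            if name[1:] in groups:
                return True
        elif name == user:
            return True
    return False


if __name__ == "__main__":
    # Group data reaches NSS from LDAP: the %sysadmin rule matches.
    print(sudoers_allows(SAMPLE_SUDOERS, "darek", ["sysadmin", "staff"]))  # True
    # PAM authenticated the user, but NSS knows no groups for them.
    print(sudoers_allows(SAMPLE_SUDOERS, "darek", []))  # False
```

Run with `python3 sudo_groups.py` (file name assumed). The takeaway for the setup described in the post is that the PAM stack only needs to cover the password; the group membership sudo wants comes from the `group:` line in nsswitch.conf, so that is where the LDAP source has to be plugged in for a sudo built without `--enable-ldap`.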
