
Help implementing Sudo with LDAP

807737, Oct 16 2009 — edited Oct 20 2009
Hi,
I have completed the first stage of my UNIX auth project.

At this point, I have a configuration that allows the following:

Solaris 10 zones patched to recent LDAP/NSS/PAM patches.

User is authenticated via pam_ldap and pam_list for netgroups against DSEE.

tls:simple is working.

I can use a netgroup to restrict user access to a host.

I am happy with the above configuration at this stage. Now I need to configure sudo.

I have installed Sudo 1.6.9p16 which is supplied on the Solaris 10 509 Companion CD.
It functions normally as a text file sudoers resource.

This version has pam support compiled in. I can see connections coming in over LDAP referring to sudo.

I have an entry
sudoers: ldap
in my /etc/nsswitch.conf. I think it is the correct entry.
I need help with my pam.conf, which I am not sure if I need sudo entries for, if so what are they?

I cannot authenticate myself as a sudoer from LDAP:
mysystem:~ 8> sudo tcsh
password: 
rachelp is not in the sudoers file.  This incident will be reported.
In my debug log I can see:
Oct 16 20:15:41 mysystem sudo[3191]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sudo rachelp), flags = 80000000 
Oct 16 20:15:41 mysystem sudo[3191]: [ID 227437 auth.debug] pam_list: check_user = 1, check_host = 0,check_exact = 0
Oct 16 20:15:41 mysystem sudo[3191]: [ID 146392 auth.debug] pam_list: auth_file: /etc/user.allow, allow file
Oct 16 20:15:41 mysystem sudo[3191]: [ID 671291 auth.debug] pam_list:pam_sm_acct_mgmt for (,rachelp,)
I have a sudoers entry for LDAP:
dn: cn=defaults,ou=sudoers,dc=example,dc=edu
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=rachelp,ou=sudoers,dc=example,dc=edu
objectClass: top
objectClass: sudoRole
cn: rachelp
sudoUser: rachelp
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=unix_admins,ou=sudoers,dc=example,dc=edu
objectClass: top
objectClass: sudoRole
cn: unix_admins
sudoUser: rachelp
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
Could someone who has this working with Solaris 10, netgroups, pam_list, etc. and DSEE please advise?


rachel
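The message "rachelp is not in the sudoers file" means sudo's LDAP lookup returned no sudoRole whose sudoUser and sudoHost both match; PAM is not involved in that decision (the pam_sm_authenticate lines in the debug log are sudo verifying the password, which is a separate step). The script below is an added example, not code from the thread or from the sudo project: it parses sudoers LDIF of the shape posted above and applies sudo's documented LDAP matching rules (ALL, a literal user or host name, %group for a Unix group, +netgroup for a netgroup) so you can see which roles a given user on a given host would match. The unix_admins role is altered here to use netgroup syntax (+sysadmins, +solaris_zones) to show that form; the netgroup table is a constructed stand-in for what sudo obtains from innetgr(3), and the IP/CIDR forms sudoHost also accepts are deliberately left out.

```python
"""Evaluate sudoRole LDIF entries the way sudo's LDAP backend matches them.

Added example, not part of the forum thread. Matching rules follow the sudoers
LDAP schema: a role grants access when one sudoUser value matches the invoking
user AND one sudoHost value matches the host. The cn=defaults entry only
carries sudoOption values and never grants anything by itself.
"""
from dataclasses import dataclass

# Constructed LDIF, shaped after the entries discussed above; unix_admins is
# changed to netgroup syntax to exercise the '+netgroup' matching path.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=edu
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
cn: defaults

dn: cn=rachelp,ou=sudoers,dc=example,dc=edu
objectClass: top
objectClass: sudoRole
cn: rachelp
sudoUser: rachelp
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=unix_admins,ou=sudoers,dc=example,dc=edu
objectClass: top
objectClass: sudoRole
cn: unix_admins
sudoUser: +sysadmins
sudoHost: +solaris_zones
sudoRunAsUser: ALL
sudoCommand: ALL
"""

# Constructed netgroup table standing in for innetgr(3) / NIS or LDAP netgroups.
CONSTRUCTED_NETGROUPS = {
    "sysadmins": {"users": {"rachelp"}, "hosts": set()},
    "solaris_zones": {"users": set(), "hosts": {"mysystem", "zone2"}},
}


def parse_ldif(text):
    """Parse a minimal LDIF stream into a list of {attr: [values]} dicts.

    Only the 'attr: value' form is handled, which is all sudoers LDIF uses.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_matches(spec, user, groups, netgroups):
    """sudoUser: ALL, a login name, %unixgroup, or +netgroup."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("+"):
        return user in netgroups.get(spec[1:], {}).get("users", set())
    return spec == user


def host_matches(spec, host, netgroups):
    """sudoHost: ALL, a host name, or +netgroup (IP/CIDR forms omitted here)."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return host in netgroups.get(spec[1:], {}).get("hosts", set())
    return spec == host


@dataclass
class SudoDecision:
    allowed: bool          # True if at least one sudoRole matched user and host
    matched_roles: list    # cn values of the matching roles, in LDIF order
    defaults: list         # sudoOption values found on the cn=defaults entry


def evaluate_sudo(ldif_text, user, host, groups=(), netgroups=None):
    """Return which sudoRole entries would grant `user` on `host`."""
    netgroups = netgroups or {}
    groups = set(groups)
    defaults, matched = [], []
    for entry in parse_ldif(ldif_text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "sudorole" not in classes:
            continue
        cn = entry.get("cn", ["?"])[0]
        if cn == "defaults":
            defaults.extend(entry.get("sudooption", []))
            continue
        if not any(user_matches(s, user, groups, netgroups) for s in entry.get("sudouser", [])):
            continue
        if not any(host_matches(s, host, netgroups) for s in entry.get("sudohost", [])):
            continue
        matched.append(cn)
    return SudoDecision(bool(matched), matched, defaults)


if __name__ == "__main__":
    for u, h in (("rachelp", "mysystem"), ("bob", "mysystem"), ("rachelp", "otherbox")):
        d = evaluate_sudo(SAMPLE_LDIF, u, h, netgroups=CONSTRUCTED_NETGROUPS)
        print(f"{u}@{h}: allowed={d.allowed} roles={d.matched_roles} defaults={d.defaults}")
```

If the directory holds entries like these and sudo still reports the user is not in the sudoers file, the lookup itself is not reaching them: the sudoers line in nsswitch.conf only tells sudo to consult LDAP, while the search base it queries comes from sudo's own LDAP configuration (the sudoers_base setting in its ldap.conf). Comparing the base sudo searches with the ou where the sudoRole entries live, and checking that the bind identity can read that subtree, is the first thing to verify before touching pam.conf.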
Locked on Nov 17 2009
Added on Oct 16 2009