supremedalek
October 5th, 2009, 04:01 PM
I need to be able to have sudo check in LDAP whether a given user can sudo. What is the best way to do that? Currently what I have been doing is to add something like
sudoers_base ou=SUDOers,dc=domain,dc=com
to /etc/ldap/ldap.conf (as Ubuntu does not have an ldap.conf.sudo file) and then install sudo-ldap (after removing plain sudo). I also have sudoers defined in /etc/nsswitch.conf,
passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap files
But, when I try it out,
raub@tickets:~$ sudo pwd
[sudo] password for raub:
raub is not in the sudoers file. This incident will be reported.
raub@tickets:~$
It does not seem to be authenticating. From /var/log/auth.log,
Oct 5 09:10:15 tickets sudo: pam_unix(sudo:auth): authentication failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=raub
OK, probably the question should be what is going on, but the most important question to me is: how can I have sudo be a bit more verbose in its logging, telling me what it used to check whether the user can sudo?
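Added example (editor's code, not from the post or from the sudo project): a small POSIX sh pre-flight check of the two files the post edits, run against constructed copies rather than the live /etc files. It parses the "sudoers:" line of nsswitch.conf and the keywords sudo-ldap reads from ldap.conf, and reports what is missing. The keywords checked (sudoers_base, uri/host, sudoers_debug) are the ones documented in sudoers.ldap(5); sudoers_debug is the documented way to get the verbosity asked for above, since with "sudoers_debug 2" sudo prints its LDAP queries and the results of the matches to stderr (the man page warns not to leave it set in production, as it leaks sudoers details to users). The first constructed ldap.conf contains exactly what the post shows was added and nothing else; the second adds a server URI and sudoers_debug. The hostname ldap.domain.com and the file paths are assumptions for the example.

```shell
#!/bin/sh
# Added example: static check of the nsswitch.conf / ldap.conf settings that
# sudo-ldap needs, run against constructed sample files (see write_samples).
# Keyword names follow sudoers.ldap(5); paths and hostname are assumptions.

# Print the value of KEYWORD in an ldap.conf-style file (first match,
# case-insensitive, comments ignored). Usage: ldap_conf_get FILE KEYWORD
ldap_conf_get() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print the source list of the "sudoers:" line in an nsswitch.conf file.
nss_sudoers_sources() {
    awk '$0 !~ /^[[:space:]]*#/ && $1 == "sudoers:" { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_sudo_ldap NSSWITCH LDAPCONF
# Prints one line per finding; returns 0 only when every required setting is present.
check_sudo_ldap() {
    nss="$1"; ldapconf="$2"; rc=0
    sources=$(nss_sudoers_sources "$nss")
    case " $sources " in
        *" ldap "*) echo "ok   nsswitch sudoers: $sources" ;;
        *)          echo "FAIL nsswitch.conf has no 'sudoers:' line listing ldap"; rc=1 ;;
    esac
    base=$(ldap_conf_get "$ldapconf" sudoers_base)
    if [ -n "$base" ]; then echo "ok   sudoers_base $base"
    else echo "FAIL sudoers_base not set"; rc=1; fi
    server=$(ldap_conf_get "$ldapconf" uri)
    [ -n "$server" ] || server=$(ldap_conf_get "$ldapconf" host)
    if [ -n "$server" ]; then echo "ok   server $server"
    else echo "FAIL neither uri nor host set, sudo has no LDAP server to query"; rc=1; fi
    dbg=$(ldap_conf_get "$ldapconf" sudoers_debug)
    if [ -n "$dbg" ]; then echo "ok   sudoers_debug $dbg (queries and matches go to stderr)"
    else echo "warn sudoers_debug not set; 'sudoers_debug 2' shows the LDAP queries sudo makes"; fi
    return $rc
}

# Constructed sample files. ldap.conf.post holds only what the post shows was
# added; ldap.conf.full adds a server URI and debugging (hostname assumed).
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:         files ldap
shadow:         files ldap
group:          files ldap
sudoers:        ldap files
EOF
    cat > "$1/ldap.conf.post" <<'EOF'
# constructed sample: the one line the post adds
sudoers_base ou=SUDOers,dc=domain,dc=com
EOF
    cat > "$1/ldap.conf.full" <<'EOF'
# constructed sample: server and debug level added (hostname is an assumption)
URI ldap://ldap.domain.com
BASE dc=domain,dc=com
sudoers_base ou=SUDOers,dc=domain,dc=com
sudoers_debug 2
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== ldap.conf as in the post =="
check_sudo_ldap "$tmp/nsswitch.conf" "$tmp/ldap.conf.post" || echo "-> incomplete"
echo "== ldap.conf with uri and sudoers_debug =="
check_sudo_ldap "$tmp/nsswitch.conf" "$tmp/ldap.conf.full" && echo "-> complete"
rm -rf "$tmp"
```

To run it against a real host, call check_sudo_ldap with /etc/nsswitch.conf and whichever file the installed sudo-ldap actually reads (sudo -V as root lists the configuration paths it was built with). The check is deliberately static: it says whether sudo has been told where to look, not whether the directory answers, so a passing result still has to be followed by a sudo run with sudoers_debug set.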