
Thread: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

  1. #11
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    OK, this is stupid. The way I gave my users sudo was:

    When you log in with a user account that is based in LDAP and type in "groups", the user account will show that it belongs to an LDAP-based group (naturally). Now if that group is in the sudoers file the system will allow him to execute the sudo command. If I used a group "admin" the system gave me problems, so I just created a new group in my LDAP database called SUDOers (posix group) and added it to the sudoers file (sudo visudo).
    I'm sorry to say this but this tutorial is meaningless (I don't know much about LDAP, so if the way you did it gives you something more, I apologise).
    I DO however admire you, as you tried to help me in my struggles to set this thing up.

    P.S. I am still in the process of testing my theory, and it has worked so far. I will write here again with further results.

  2. #12
    Join Date
    Mar 2010
    Location
    Silicon Valley
    Beans
    7
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    I have attempted to recreate your error, and cannot.

    It appears that we have both reached the end of our understanding of what is going on here.

  3. #13
    Join Date
    Apr 2010
    Beans
    22
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Indeed. Well, I'm not going to bother myself with this anymore since I got what I wanted. One more question though, since I've been having problems with an "admin" group. This is not a big issue, I just want to know why it happens. If I put my LDAP user into a posix group named "admin", when I log in it says that I'm logged in as a different user than the one I actually am. I still get into that user's home dir, it just shows that I'm not that user, but a local admin user called "pgmadmin" (pgmadmin@myip$) that is in a local group called "admin". Why is this happening?

    P.S. In step 2 / IV you are missing a leading slash at the end (~sudoWork/cn\=sudo.ldif)

  4. #14
    Join Date
    Nov 2009
    Beans
    1

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Hello everyone,

    I need some help setting up an LDAP cache proxy on Ubuntu.

    I have configured ldap.conf for the proxy and am using the pcache overlay. I also have some filters and proxy templates set to save the searches.

    However, it seems that the server is not caching the search results.

    I'm testing this using an LDAP explorer connected to the proxy and using Wireshark set to capture packets on TCP port 389.

    From what I can see the proxy is always connecting to the LDAP server to retrieve the responses, instead of using the local cache.

    Another problem I have is the binding between the cache proxy and the LDAP server. It never seems to work.

    I would appreciate it if someone could help me. Thanks in advance.

    Currently I have the following ldap.conf:

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/nis.schema
    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args
    loglevel none
    modulepath /usr/lib/ldap
    moduleload back_ldap
    moduleload pcache
    moduleload back_bdb
    ################
    # LDAP Backend #
    ################
    database ldap
    uri "ldap://192.168.1.62"
    suffix "dc=example,dc=com"
    rootdn "dc=example, dc=com"
    rootpw example
    #tls start
    #idassert-bind bindmethod=simple binddn="cn=admin,dc=example,dc=net" credentials="example" mode=none
    #idassert-authzFrom "dn.subtree:dc=example,dc=com"

    overlay pcache
    proxycache bdb 1000000 1 1000 1200
    directory /var/lib/ldap/cache
    cachesize 1000000

    index uid eq
    index mail eq
    index uidNumber eq
    index gidNumber eq
    index memberUid eq
    index description eq
    index sn eq
    index cn pres,eq,sub
    #index cn eq
    index objectclass,queryid eq

    proxycachequeries 1000000
    proxyattrset 0 uid mail cn sn givenName objectClass
    proxytemplate (uid=) 0 600
    proxytemplate (cn=) 0 600
    proxytemplate (objectclass=) 0 600
    proxytemplate (mail=) 0 600
    proxytemplate (&(uid=)(mail=)) 0 600
    proxytemplate (&(uid=)(objectclass=)) 0 600
    proxytemplate (&(objectclass=)(cn)) 0 600
    proxytemplate (&(uid=)(objectclass=)(cn)) 0 600

  5. #15
    Join Date
    Sep 2009
    Beans
    4

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Hi hackajar,

    I followed your instructions in the howto yesterday.

    At the point of loading the sudoMaster.ldif file via ldapadd, the utility breaks with the error message:

    Code:
    slapd[12873]: Entry (ou=SUDOers,dc=linformatik,dc=lan), attribute 'serviceSearchDescriptor' not allowed

    When commenting out the line with "serviceSearchDescriptor", the ldapadd utility loads sudoMaster.ldif without an error.

    I think it was not a good idea to comment out the line, as now I can't do a sudo command.

    When I try a sudo command, I get the following error message:

    Code:
    sudo: ldap_sasl_bind_s(): Can't contact LDAP server
    sudo: no valid sudoers sources found, quitting

    Can you help me repair my system, so that I can do sudo commands?

    I have no idea how to roll back to local sudo and no idea how to set up sudo-ldap correctly so that I can run commands as a sudo user.

    Changes I must make in the LDAP configuration I can do as cn=admin.

    Finally, your How To is very helpful for me.

    Thanks

  6. #16
    Join Date
    Sep 2010
    Beans
    1

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Hello
    I followed the tutorial and all commands work fine.
    But now, if I want to sudo with an LDAP user I get this error:
    Code:
    sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

    Can anyone help?

  7. #17
    Join Date
    Nov 2010
    Beans
    3
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    This tutorial seems to be awesome!

    But I had the same problem with the attribute not being able to be added.

    So I relied on a script that could pull the members from a group in LDAP and insert them into the sudoers file.

    Each time I add or remove, the script syncs a new sudoers file with the new users.

    Thank You.

  8. #18
    Join Date
    Aug 2009
    Location
    US
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOW TO: Configure LDAP for SUDO Support on Ubuntu Server 9.10 (Karmic Koala)

    Quote Originally Posted by Squeazer:
    Oh wow, great guide! Although I'm having a problem with step 3 of step 3. When I type in
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x
    (I deleted ~/ in every entry since it gave me problems) It gives me this result:
    Code:
    ldapadd -f sudoWork/sudoMaster.ldif -h 127.0.0.1 -D cn=admin,dc=prvi-dijak,dc=si -W -x 
    Enter LDAP Password:
    ldapadd: attributeDescription "dn": (possible missing newline after line 7, entry "ou=SUDOers,dc=prvi-dijak,dc=si"?)
    adding new entry "ou=SUDOers,dc=prvi-dijak,dc=si"
    ldap_add: Type or value exists (20)
            additional info: objectClass: value #0 provided more than once

    I successfully followed the tutorial for setting up SAMBA + LDAP: http://tuxnetworks.blogspot.com/2010...cid-short.html. I made minor mods to allow notebook users to log in with a locally cached LDAP database while working remotely.

    I got the same errors as mentioned above by Squeazer. This is after changing the ldapadd method used to match the tutorial. Not sure if this helps, but the issue may lie in the details of how this was set up.

    I had to reinstall sudo and used Squeazer's SUDOers LDAP group. All is fine with this much simpler method. The only real disadvantage is that I must add this to all LDAP clients in order to use the group, but with only a handful of clients, the pain is minimal.
    Last edited by cvalentine02; March 22nd, 2011 at 03:34 AM.
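The two ldapadd failures quoted in this thread (the "possible missing newline after line 7" warning and "objectClass: value #0 provided more than once") are both LDIF file mistakes that can be caught before the file touches the directory. The following linter is an added example written for this page, not code from the tutorial or from any poster; the LDIF in SAMPLE is constructed and uses placeholder DNs under dc=example,dc=com.

```python
"""Lint an LDIF file for the two problems reported in this thread: a second
'dn:' line inside an entry (ldapadd's "possible missing newline" warning) and
an attribute value listed twice (ldap_add: Type or value exists (20)).
Added example, not code from the thread; SAMPLE is a constructed LDIF."""
import re

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):{1,2}\s*(.*)$")

def lint_ldif(text):
    """Return [(line_number, message), ...] for problems found in LDIF text."""
    problems = []
    seen = {}          # (attr, value) -> line it first appeared on, per entry
    in_entry = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or line.startswith(" "):
            continue   # comment, or continuation of the previous value
        if line.strip() == "":
            in_entry, seen = False, {}   # a blank line terminates the entry
            continue
        m = ATTR_LINE.match(line)
        if not m:
            problems.append((lineno, "not an attribute line: %r" % line))
            continue
        attr, value = m.group(1), m.group(2)
        if attr.lower() == "dn":
            if in_entry:    # this is what ldapadd reports as a missing newline
                problems.append((lineno, "dn inside an entry: missing blank line before it?"))
            in_entry, seen = True, {}
            continue
        # objectClass values are case-insensitive, so normalise them before comparing
        key = (attr.lower(), value.lower() if attr.lower() == "objectclass" else value)
        if key in seen:
            problems.append((lineno, "%s: value %r already given on line %d" % (attr, value, seen[key])))
        else:
            seen[key] = lineno
    return problems

# Constructed LDIF showing both mistakes: line 4 repeats objectClass top and
# line 6 starts a new entry without the blank line that must separate entries.
SAMPLE = """dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: top
ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
"""
```

Running lint_ldif over a sudoMaster.ldif before calling ldapadd reports the offending line numbers, which ldapadd itself only hints at.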
