Thread: making sudo more verbose (sudo & ldap)

  1. #1
    Join Date
    Aug 2007
    Ubuntu 12.04 Precise Pangolin

    making sudo more verbose (sudo & ldap)

    I need to be able to have sudo check in ldap if a given user can sudo. What is the best way to do that? Currently what I have been doing is to add something like

    sudoers_base ou=SUDOers,dc=domain,dc=com

    to /etc/ldap/ldap.conf (as Ubuntu does not have a ldap.conf.sudo file) and then install sudo-ldap (after removing plain sudo). I also have sudoers defined in /etc/nsswitch.conf,

    passwd:         files ldap
    shadow:         files ldap
    group:          files ldap
    sudoers:        ldap files

    But, when I try it out,

    raub@tickets:~$ sudo pwd
    [sudo] password for raub:
    raub is not in the sudoers file.  This incident will be reported.

    It does not seem to be authenticating. From /var/log/auth.log,

    Oct  5 09:10:15 tickets sudo: pam_unix(sudo:auth): authentication failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=raub

    Ok, probably the question should be what is going on, but the most important question to me is: how can I have sudo be a bit more verbose on its logging, telling me what it used to check if the user can sudo?

  2. #2
    Join Date
    Sep 2006
    Ubuntu 14.04 Trusty Tahr

    use group level access

    Can you get group information rather than check users? Have sudo check groups.

    %dirusers ALL=(ALL) NOPASSWD: /bin/pwd

    What do you have in /etc/pam.d/sudo ?
    That's probably where you can increase logging, since it seems it was pam that made the log entry.
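
A configuration check for the setup described in this thread, added here as an example and not posted by either participant: it reports which sources sudo is told to consult in nsswitch.conf, and whether `sudoers_base` and the `sudoers_debug` option documented in sudoers.ldap(5) are set in the LDAP configuration file. The function names and the sample files are constructed for illustration; pass the real file paths as arguments to check a live system.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample files are constructed.

# Print the sources listed on the "sudoers:" line of an nsswitch.conf-style file.
sudoers_sources() {
    awk '{ sub(/#.*/, "") }
        $1 == "sudoers:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the value of one setting from an ldap.conf-style file.
# The key is matched case-insensitively here.
ldap_setting() {
    awk -v key="$2" '{ sub(/#.*/, "") }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Report one finding per line; return non-zero if LDAP lookups cannot work.
check_sudo_ldap() {
    nss=$1 conf=$2 rc=0
    src=$(sudoers_sources "$nss")
    base=$(ldap_setting "$conf" sudoers_base)
    dbg=$(ldap_setting "$conf" sudoers_debug)
    case " $src " in
        *" ldap "*) echo "nsswitch: sudoers sources = $src" ;;
        *) echo "nsswitch: ldap is not a sudoers source (${src:-no sudoers line})"
           rc=1 ;;
    esac
    if [ -n "$base" ]; then echo "ldap: sudoers_base = $base"
    else echo "ldap: sudoers_base is not set in $conf"; rc=1; fi
    if [ -n "$dbg" ]; then echo "ldap: sudoers_debug = $dbg"
    else echo "ldap: sudoers_debug not set (no LDAP query trace on stderr)"; fi
    return $rc
}

# Constructed sample files mirroring the settings quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'passwd:         files ldap' 'sudoers:        ldap files' \
    > "$SAMPLE_DIR/nsswitch.conf"
printf '%s\n' 'sudoers_base ou=SUDOers,dc=domain,dc=com' > "$SAMPLE_DIR/ldap.conf"

check_sudo_ldap "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/ldap.conf"
```

sudoers.ldap(5) describes `sudoers_debug` as unsuitable for production and deprecated in favour of sudo's debug framework, so it is a setting to enable only while troubleshooting.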
