Sudo and LDAP

[esoteriskdk]

My box is using full PAM authentication via LDAP, so the only user to exist locally on the machine is root. Everything works fine (except a small bug with ooffice), but sudo isn't working at all. Whenever I try to do one it says

[remi2402]

sudo has its own entry in /etc/pam.d/

Make sure that this one also uses ldap for user auth.

In doubt, I think it's safe to include system-auth or login just like most of the other modules

Hope that helps

Rémi

[esoteriskdk]

This is my /etc/pam.d/sudo

[Ardvaark]

I am having the same problem, and my guess for now is that it's a linking issue of some kind - namely that the getpwid() function is not being linked to the one that goes through the NSS subsystem by the sudo build process. My reasoning?

Well, I created a little test program:

[Ardvaark]

Okay, I'm still not sure what's going on, but it seems other things have had problems with LDAP library version dependencies.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325120

While this is for pam_ldap.... ?

[Ardvaark]

Okay, I've created a bug. We'll see where it ends up.

sudo fails to find LDAP users, despite NSS (seemingly?) working correctly

[remi2402]

That's really weird because I have about 15 boxes using LDAP and sudo for root access and everything's been working great for about a year.

Could you post your /etc/nsswitch.conf here so I can compare with mine ?

EDIT: post getent passwd too.

Rémi

[esoteriskdk]

/etc/nsswitch.conf

[Ardvaark]

The only thing I changed was passwd, shadow, and group to files ldap.

[remi2402]

In my nsswitch.conf, I have "ldap" before "files".

Maybe when "files" fails to find a user, it does not go to ldap to try and find it there.

Also, do you use a group for sudo or user names ?

Rémi

[esoteriskdk]

If I put ldap before files, the box fails to boot further than the kernel startup, this goes for both the clients and the server. I thought it was because it's trying to authenticate the root user through LDAP, before network or anything else is set up. So I'm surprised that somebody has that working. Could you please post your "rc-update -s" ?

I've tried with both group and users for sudoers and neither works.

[gatty1]

I just stumbled across exactly the same problem after updating OpenLDAP etc. last night. Re-emerging sudo without the ldap USE flag worked for me:

[esoteriskdk]

It sure did!

Without the "ldap" useflag, sudo now works perfect via ldap. I even re-emerged with the flag just to be sure and it failed again.

Quite amusing, I know that sudo can use an LDAP database instead of /etc/sudoers, maybe this is what the ldap flag implies. Yet it shouldn't break the PAM authentication.

Going to make a note on the bugpage.

[Ardvaark]

If I emerge with -ldap, sudo works correctly with regards to the passwd file, but it no longer reads the sudoers information from LDAP.

For example, with -ldap:

[remi2402]

on my boxes sudo has been built with +pam and +ldap.

Now if you say your box freezes at boot, it's probably because you have a root user in your ldap tree. Although it's doable, it's not a good idea to have one. That's one of the reasons I used sudo in the first place. Global rights but local root passwords for every box.

[mroch]

sudo works for me with and without the ldap USE flag. However, groups don't work because the system groups come before the LDAP groups:

mroch@ldap ~ $ getent group | grep wheel
wheel::10:root
wheel:x:10:root,mroch

As you can see, I'm a member of the second group which isn't being used. I'm going to see what happens if I delete the system groups... but before I do, anyone have a reason not to?

[mroch]

[remi2402]

mroch, that's not a good idea 'cause if your ldap is down, then your box is useless.

I suggest swapping the positions of "files" and "ldap" in /etc/nsswitch.conf. This way you can have your ldap server override local groups, should you need it.

Rémi

[Ardvaark]

The root cause problem has been found. There's a description, patch, and updated ebuild in the bug report.