sudo-ldap not authing with ldap

Asked by bubble1975

Hi all,

I'm trying to get sudo-ldap working but am having issues. I'm using Feisty (I think). I installed sudo-ldap and all required dependencies. I was able to get LDAP to work while authing users to log in on this box, so that part works. I added the line:

SUDOERS_BASE ou=SUDOers,dc=mydomain,dc=com

to /etc/ldap/ldap.conf. Also added:

sudoers: files ldap

to /etc/common.*

/etc/pam.d/sudo is there and looks right, pam stuff looks OK, it is authing SSH and local logins against the LDAP server.

I know it CAN work, as we have several RedHat machines using LDAP based sudo against the LDAP server, I just don't know what I'm missing for Ubuntu... I can't seem to find Ubuntu specific docs for this config. I tried following the docs for the source distribution, and that got it working on RedHat, but Ubuntu is still not working... Can anyone point me in the right direction?

weiler@host:~$ sudo -s
sudo: uid 15000 does not exist in the passwd file!
weiler@host:~$ 2009-07-11 16:13:19 Failed to get user name for uid 15000

UID 15000 is my uid number for user 'weiler', and I can 'id' and 'finger' myself and that works:

weiler@host:~$ id weiler
uid=15000(weiler) gid=1000(ldapusers) groups=1000(ldapusers)
weiler@host:~$

Why can't sudo see it?

Thanks a million!

Question information
Status: Answered
For: Ubuntu sudo
bubble1975 (bitscrubber-deactivatedaccount) said :
#1

> Also added:
>
> sudoers: files ldap
>
> to /etc/common.*

Whoops, typo. I added 'sudoers: files ldap' to /etc/nsswitch.conf.
/etc/common.* just has the LDAP configs in it.

Derek White (d-man97) said :
#2

Googling "LDAP sudo ubuntu" brings up 2 bug reports and 2 ubuntuforum threads - any of that help? "sudo-ldap Ubuntu" seems to bring up similar articles. What about hitting "More results..." to bring up more?

Maybe try setting the sudoers_debug option to be more verbose and check your logs?

Hopefully someone with ldap experience will come across this and provide more help.
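
The checks below are an added example, not part of the original thread, that put the pieces mentioned so far into one script: the `sudoers: files ldap` line in /etc/nsswitch.conf and the `SUDOERS_BASE` line in /etc/ldap/ldap.conf from the question, the `sudoers_debug` suggestion from reply #2, and a search of the sudoers base using the same option names. Two assumptions to note: the file paths are the ones the question names, and the script tests the uid lookup as whoever runs it, so it should be run as root, since sudo is setuid root and the "uid 15000 does not exist in the passwd file" message comes from a lookup made with root's effective identity, which `id weiler` run as the user does not exercise. The option names `uri`, `sudoers_base` and `sudoers_debug` are those documented for sudo's LDAP configuration; the function names, the `check` argument and the sample files are my own.

```sh
#!/bin/sh
# check_sudo_ldap.sh: sanity checks for a sudo-ldap client (added example,
# not from the original thread). Run as root: sudo is setuid root, so the
# uid-to-name lookup that fails in the post is made with root's view of NSS.
# Paths below are the ones the question uses; override via the environment.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
LDAPCONF=${LDAPCONF:-/etc/ldap/ldap.conf}

# nsswitch_has_ldap_sudoers FILE: succeed if the 'sudoers:' line lists 'ldap'.
nsswitch_has_ldap_sudoers() {
    awk 'tolower($1) == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# ldap_conf_value FILE KEY: print KEY's value, matched case-insensitively
# (so the post's SUDOERS_BASE and the lower-case sudoers_base both match);
# '#' lines are comments. Prints nothing if KEY is unset.
ldap_conf_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '/^[ \t]*#/ { next }
                     tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# uid_resolves UID: succeed if NSS (files, then ldap) maps UID to a name.
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# probe_sudoers_base: search the configured sudoers_base for sudoRole entries
# with ldapsearch (ldap-utils) and print how many were found; fails on zero.
probe_sudoers_base() {
    uri=$(ldap_conf_value "$LDAPCONF" uri)
    base=$(ldap_conf_value "$LDAPCONF" sudoers_base)
    [ -n "$base" ] || { echo "sudoers_base not set in $LDAPCONF" >&2; return 1; }
    if [ -n "$uri" ]; then set -- -H "$uri"; else set --; fi
    ldapsearch -x -LLL "$@" -b "$base" '(objectClass=sudoRole)' dn 2>/dev/null | grep -c '^dn:'
}

# main [UID]: run every check; UID defaults to the caller's (pass 15000 as root
# to reproduce the lookup sudo does for the user in the post).
main() {
    status=0
    uid=${1:-$(id -u)}
    if nsswitch_has_ldap_sudoers "$NSSWITCH"; then
        echo "ok: $NSSWITCH lists ldap on the sudoers: line"
    else
        echo "FAIL: no 'ldap' on the sudoers: line of $NSSWITCH"; status=1
    fi
    base=$(ldap_conf_value "$LDAPCONF" sudoers_base)
    if [ -n "$base" ]; then
        echo "ok: sudoers_base = $base"
    else
        echo "FAIL: sudoers_base missing from $LDAPCONF"; status=1
    fi
    [ -n "$(ldap_conf_value "$LDAPCONF" sudoers_debug)" ] ||
        echo "hint: add 'sudoers_debug 2' to $LDAPCONF and re-run sudo to see its LDAP queries"
    [ "$(id -u)" -eq 0 ] ||
        echo "note: not running as root; the lookup below is not the one sudo performs"
    if uid_resolves "$uid"; then
        echo "ok: uid $uid resolves to $(getent passwd "$uid" | cut -d: -f1)"
    else
        echo "FAIL: uid $uid does not resolve via NSS for $(id -un)"; status=1
    fi
    if n=$(probe_sudoers_base); then
        echo "ok: $n sudoRole entries under $base"
    else
        echo "FAIL: search of sudoers_base returned nothing (uri/bind settings, or ldapsearch missing)"; status=1
    fi
    return "$status"
}

# Only run the live checks when asked, so the functions can be sourced alone.
if [ "${1:-}" = check ]; then shift; main "$@"; fi
```

Usage: `su -c 'sh check_sudo_ldap.sh check 15000'` on the affected box. The first three checks are static and safe to run as any user; the uid and ldapsearch probes are what distinguish "sudo cannot see the user" from "the directory has no sudoRole entries for this base".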

Derek White (d-man97) said :
#3

http://fci.wikia.com/wiki/Setting_Up_A_Centralised_Authentication_Server_With_Sudo_Access_Using_LDAP

Maybe that can also help shed some light onto where your problem lies...

Good luck!

bubble1975 (bitscrubber-deactivatedaccount) said :
#4

Thanks Derek!

Yeah, I saw those links as well, no joy. An strace on the sudo command
almost looks like it's not even reading in the ldap configuration, I see
no attempt to contact the LDAP server. I do see that on a working
sudo/LDAP config on RedHat. I'm completely confused... Any clue who
built the Ubuntu implementation for sudo-ldap for ubuntu? :(


Derek White (d-man97) said :
#5

Ah, just file a bug! That'll get their attention - and maybe annoy them. Be sure to mark it as a security issue, too! ;)

Did you try the various README files that came with the package? Using Synaptic you can see all the files installed and where they are in your filesystem. Sometimes these Debian packages have special needs - kinda like a retard. They also routinely include default config files near the READMEs, usually in /usr/share/<program> or something similar. You've got to be just missing something... Does the Ubuntu system have access/rights to access the LDAP server?

As a last resort, you can just copy a working conf file from the RedHat machines & cross your fingers!

Derek White (d-man97) said :
#6

Seems to be maintained by same group as the sudo package: http://packages.qa.debian.org/s/sudo.html

I hope someone will wander by with more knowledge. Take care.
