I believe in CentOS 5.x and Red Hat they have LDAP support built in:
http://kbase.redhat.com/faq/FAQ_80_12975.shtm

I am not sure how to include the ldif file in the directory server, and also, once it's included, how to manage the sudoers?

Let me give you some more background on the environment. We have the following environments:

Production
Staging
Test
Load Testing
Development

Each of the environments has a varying number of servers, ranging from 30 and going up to 150+.

We have three main categories of users:

Linuxops = Linux sysadmins
SuperUsers = Developers who have sudo rights (ALL) on dev/load test environments, but only for the less, cat, more commands on the Test/Staging/Production environments (this is mainly for log and config file viewing).
Dev = Developers who have full sudo rights on development and only access the development environment.

I am restricting access to each environment via the SSHD_CONFIG variable AllowGroups. I have the following groups:

linuxops
prodlogs
staginglog
testlogs
ltlogs
dev

What I would need is for someone to configure LDAP with sudo, so that if you were in the correct groups you can log in to whichever environment and have the correct privileges.

The problem I will have is with superusers. They would be members of the dev group (so have all rights on the dev env) but then I would be added to prodlogs etc... so they have restricted sudo on prod. However, since there would only be one sudo file in LDAP, sshd would let them log on to a production server via the prodlogs group, and sudo would find the dev group and give them full rights!!!!

I would appreciate any advice in configuring this setup. Currently I have written a wiki to cover the installation of CentOS/Fedora DS and configuring it for central authentication with shared home directories; this would be the final icing on the cake if I could get it working. Please have a look at the following link to get the idea of what I have done to get LDAP up and running:
http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server

What I really need help with is sudo under LDAP in the above scenario.

I hope I have given enough information; if you require more information please just say and I will provide it ASAP.

Regards
Kashif

2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>

> This is how I've always done it:
>
> I usually just pull the src.rpm and add ldap in the .spec file,
> recompile, then I can add it to the standard build image / kickstart.
>
> Then add something like:
>
>     sudoers_base ou=SUDOers,dc=example,dc=com
>
> to /etc/ldap.conf and that should be it.
>
> Cheers,
>
> Malcolm
>
> On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
> > When you say add sudo base, are you talking about the ldif file?
> >
> > Is there no way to continue to use the original ldif file?
> >
> > 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
> >
> > Redhat sudo doesn't support ldap; recompile it with ldap support and add
> > the sudoers base to /etc/ldap.conf and it should work then. Annoying!
> >
> > Cheers
> >
> > Malcolm
> >
> > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > > Hello all,
> > >
> > > I have successfully set up FDS on CentOS 5.2, and managed to get users
> > > signing on without any issues. However, if I edit the sudoers file to
> > > allow a group on LDAP to use sudo, the sudo command does not see the
> > > members of the group, or I think the group itself?
> > >
> > > I have no idea why this is:
> > >
> > > If I run the command 'id' as the given user you can clearly see the
> > > group memberships; however, if I do:
> > >
> > >     getent group linuxops
> > >
> > > I see:
> > >
> > >     linuxops:*:6000:
> > >
> > > with no members??? However, SSHD AllowGroups works? I have configured
> > > sshd to only allow members of the linuxops group to log in and this
> > > works fine. So my question is: why is sudo behaving differently?
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
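The following is an added example, not code from the thread or from sudo itself: a simplified model of how sudo's LDAP sudoRole matching treats the single sudoers tree discussed above, used to check a rule set before loading it into the directory. It shows why the "one sudo file in LDAP" problem Kashif describes appears (a dev rule with sudoHost: ALL also matches production hosts) and how a sudoHost restriction on that rule removes it. The LDIF, group names and host names are constructed; the sudoRole attributes (sudoUser, sudoHost, sudoCommand) are the standard ones, but netgroups, negation, sudoOption and rule ordering are deliberately not modelled.

```python
import fnmatch
from collections import defaultdict

# Constructed LDIF, not from the thread. The "dev" role carries sudoHost: ALL, which is the
# one-sudoers-tree-for-every-environment hazard described above: production hosts match it too.
SUDOERS_LDIF = """\
dn: cn=dev,ou=SUDOers,dc=example,dc=com
cn: dev
sudoUser: %dev
sudoHost: ALL
sudoCommand: ALL

dn: cn=prodlogs,ou=SUDOers,dc=example,dc=com
cn: prodlogs
sudoUser: %prodlogs
sudoHost: prod-*.example.com
sudoCommand: /usr/bin/less
sudoCommand: /bin/cat
sudoCommand: /bin/more
"""

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, one 'attr: value' per line."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            current[attr.strip()].append(value.strip())
        elif current:
            entries.append(dict(current))
            current = defaultdict(list)
    return entries

def role_matches(role, user, groups, host):
    """Simplified sudo-ldap matching: sudoUser is a login or %group, sudoHost is ALL or a glob."""
    user_ok = any(u == user or (u.startswith("%") and u[1:] in groups) for u in role.get("sudoUser", []))
    host_ok = any(h == "ALL" or fnmatch.fnmatch(host, h) for h in role.get("sudoHost", []))
    return user_ok and host_ok

def allowed_commands(entries, user, groups, host):
    """Union of sudoCommand values over every sudoRole that matches user, groups and host."""
    cmds = set()
    for role in entries:
        if role_matches(role, user, groups, host):
            cmds.update(role.get("sudoCommand", []))
    return cmds

def restrict_hosts(entries, cn, host_pattern):
    """Copy of the rule set in which role `cn` applies only to hosts matching host_pattern."""
    return [dict(r, sudoHost=[host_pattern]) if r.get("cn") == [cn] else r for r in entries]
```

Running allowed_commands for a user in both dev and prodlogs against a prod host shows ALL with the unrestricted rule set and only the log-viewing commands after restrict_hosts(entries, "dev", "dev-*.example.com").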