I have a quick workaround currently: what you can do is create a local
group and add the LDAP user to the local group. Sudo will accept the group
including users. Sudo will also accept a list of users from LDAP; it just
doesn't acknowledge members for groups in FDS?

2008/9/9 Kashif Ali <snake007uk at gmail.com>

> I believe in CentOS 5.x and Redhat they have LDAP support built in:
>
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
>
> I am not sure how to include the ldif file in the directory server, and also
> once it's included how to manage the sudoers?
>
> Let me give you some more background on the environment:
>
> We have the following environments:
>
> Production
> Staging
> Test
> Load Testing
> Development
>
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
>
> We have three main categories of users:
>
> Linuxops = Linux sys admins
> SuperUsers = Developers who have sudo rights (ALL) on dev/load test
> environments, but only for the less, cat, more commands for
> Test/Staging/Production environments (this is mainly for log and config file
> viewing).
> Dev = Developers who have full sudo rights on development and only access
> the development environment
>
> I am restricting access to each environment via the SSHD_CONFIG variable
> AllowGroups. I have the following groups:
>
> linuxops
> prodlogs
> staginglog
> testlogs
> ltlogs
> dev
>
> What I would need is for someone to configure LDAP with sudo, so that if you
> were in the correct groups you could log in to whichever environment and have
> the correct privileges.
>
> The problem I will have is with superusers. They would be members of the
> dev group (so have all rights on the dev env) but then they would be added to
> prodlogs etc... so they have restricted sudo on prod. However, since there
> would only be one sudo file in LDAP, sshd would let them log on to a production
> server via the prodlogs group, and sudo would find the dev group and give them
> full rights!!!!
> I would appreciate any advice in configuring this setup. Currently I have
> written a wiki to cover the installation of CentOS/Fedora DS and configuring
> it for central authentication with shared home directories; this would be
> the final icing on the cake if I could get it working.
>
> Please have a look at the following link to get the idea of what I have
> done to get LDAP up and running:
>
> http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server
>
> What I really need help with is sudo under LDAP in the above scenario. I
> hope I have given enough information; if you require more information please
> just say and I will provide it ASAP.
>
> Regards
>
> Kashif
>
> 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
>
>> This is how I've always done it:
>>
>> I usually just pull the src.rpm and add ldap in the .spec file,
>> recompile, then I can add it to the standard build image / kickstart.
>>
>> Then add something like:
>>
>> sudoers_base ou=SUDOers,dc=example,dc=com
>>
>> to /etc/ldap.conf and that should be it.
>>
>> Cheers,
>>
>> Malcolm
>>
>> On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
>> > When you say add sudo base, are you talking about the ldif file?
>> >
>> > Is there no way to continue to use the original ldif file?
>> >
>> > 2008/9/9 Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com>
>> >
>> > > Redhat sudo doesn't support ldap; recompile it with ldap
>> > > support and add the sudoers base to /etc/ldap.conf and it should work then.
>> > > Annoying!
>> > >
>> > > Cheers
>> > >
>> > > Malcolm
>> > >
>> > > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
>> > > > Hello all,
>> > > >
>> > > > I have successfully set up FDS on CentOS 5.2, and managed to get users
>> > > > signing on without any issues. However, if I edit the sudoers file to
>> > > > allow a group on ldap to use sudo, the sudo command does not see the
>> > > > members of the group, or I think the group itself?
>> > > >
>> > > > I have no idea why this is:
>> > > >
>> > > > If I run the command 'id' as the given user you can clearly see the
>> > > > group memberships; however if I do: getent group linuxops I see:
>> > > >
>> > > > linuxops:*:6000:
>> > > >
>> > > > with no members??? However SSHD AllowGroups works? I have configured
>> > > > sshd to only allow members of the linuxops group to log in and this
>> > > > works fine? So my question is why is sudo behaving differently?
>> > > >
>> > > > --
>> > > > Fedora-directory-users mailing list
>> > > > Fedora-directory-users at redhat.com
>> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
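A worked example of what the `sudoers_base ou=SUDOers,dc=example,dc=com` line in the thread points sudo at, written as LDIF for the sudo LDAP schema (`sudoRole` entries with `sudoUser`, `sudoHost`, `sudoCommand`, `sudoRunAsUser`, `sudoOption`). This is an added illustration for the scenario Kashif describes, not configuration from the thread or from any of its posters. The base DN `dc=example,dc=com` is taken from Malcolm's message; the group names are Kashif's; the host-name patterns (`dev*.example.com`, `lt*.example.com`, `prod*.example.com`) and the command paths are assumptions for the example and would need to match the real hosts and binaries. The point it shows is that a single sudoers tree in LDAP does not have to mean "one sudo file for every environment": `sudoHost` scopes each role to a set of hosts, so a user who is in both `dev` and `prodlogs` gets the `dev` rights only where the `dev` role's hosts match.

```ldif
# Container that sudoers_base in /etc/ldap.conf refers to
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Linux sys admins: full sudo on every host
dn: cn=linuxops,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: linuxops
sudoUser: %linuxops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Developers: full sudo, but only on development and load-test hosts.
# The host-name patterns are assumed for this example.
dn: cn=dev,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dev
sudoUser: %dev
sudoHost: dev*.example.com
sudoHost: lt*.example.com
sudoRunAsUser: ALL
sudoCommand: ALL

# Production log viewers: read-only commands, only on production hosts.
# noexec stops less/more from spawning a shell (via "!sh") as root;
# the command paths are assumed and must match the installed binaries.
dn: cn=prodlogs,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: prodlogs
sudoUser: %prodlogs
sudoHost: prod*.example.com
sudoRunAsUser: root
sudoOption: noexec
sudoCommand: /usr/bin/less
sudoCommand: /bin/cat
sudoCommand: /bin/more
```

Entries for `staginglog`, `testlogs` and `ltlogs` follow the `prodlogs` pattern with their own `sudoHost` values. Whether the `%group` form in `sudoUser` resolves correctly still depends on the system group lookup that the thread is debugging, so checking `getent group linuxops` (and `id` for the user) on a target host remains the first verification step after loading the entries.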