Hi,
I have configured LDAP manually on Solaris 10/11 machines with the entries below:
# ldapclient list |grep sudo
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=SUDOers,dc=exm,dc=ple,dc=com
# cat /etc/nsswitch.conf |grep -i sudo
sudoers: files ldap
#
But groups available in the LDAP server's sudoers are not able to log in to the client machine (sudo is not taking from the LDAP server). Could anyone help with this?
Thanks in advance!
Regards,
Sridaran G
Where, precisely, is your sudoers file?
Why this capitalization?
ou=SUDOers
Can you clarify what Solaris release you are using (cat /etc/release), tell us where you got the sudo command from, and also post the output of "sudo -V"?
Hello Jim,
sudoers file path: /etc/sudoers on the client machine.
The capitalization is because on LDAP we defined the sudoers OU as SUDOers, which is why we mentioned the same on the client machine as well.
Hello Jlliagre,
I have attached the release and sudo -V details.
Also please find the sudo -l output from the Solaris 10 machine:
# sudo -l
LDAP Config Summary
===================
host server.example.com
port -1
ldap_version 3
sudoers_base ou=SUDOers,dc=exm,dc=ple,dc=com
binddn cn=xxxx,ou=xxxx,ou=xxxx,dc=exm,dc=ple,dc=com
bindpw xxxxxx
timelimit 120000
ssl start_tls
tls_checkpeer (yes)
tls_certfile /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: ldapssl_clientauth_init(/var/ldap, NULL)
sudo: ldapssl_init(server.example.com, 389, 0)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120000
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_sasl_bind_s(): Confidentiality required
User root may run the following commands on this host:
(ALL) ALL
#
Ok, so you have both Solaris 10 and Solaris 11 machines. Is the issue present on both or only the Solaris 10 ones?
Yes, the issue persists on both Solaris 10 and 11.
Is ldap authentication properly configured and functional on both servers?
Yes, it is functional; LDAP users and groups are also listed and authenticating.
I am also able to do an LDAP search of sudo using the command below, which displays all the sudo entries in LDAP.
ldapsearch -h server.example.com -LLL -x -b dc=exm,dc=ple,dc=com objectclass=Sudorole
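The ldapsearch above proves the sudoRole entries exist, but it does not tell you whether sudo would pick one of them for a particular user, group and host. The following is an added example for this thread, not sudo's own code and not something any poster supplied: a simplified, offline model of the selection rules documented in sudoers.ldap(5). It parses a constructed LDIF dump under the thread's base DN (the roles dba_admins, web_ops and sol_group are hypothetical) and applies sudoUser, sudoHost, sudoOrder and sudoCommand. Group names are compared exactly, and netgroups (+name) are not resolved, so treat it as an approximation for reasoning about a directory dump, not as a replacement for running sudo -l on the client.

```python
"""Added, simplified offline model of how sudo's LDAP backend picks sudoRole
entries (sudoers.ldap(5)); not sudo's own code.  Netgroups (+name) and
numeric uid/gid forms are deliberately not resolved."""
import fnmatch

# Constructed sample (hypothetical roles under the thread's base DN), shaped
# like the output of: ldapsearch -LLL -x -b ou=SUDOers,... objectclass=sudoRole
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=dba_admins,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: sudoRole
cn: dba_admins
sudoUser: %dba
sudoHost: ALL
sudoCommand: /usr/bin/svcadm
sudoCommand: /usr/sbin/reboot

dn: cn=web_ops,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: sudoRole
cn: web_ops
description: Restart the web
  server only
sudoUser: alice
sudoUser: %webops
sudoHost: web01
sudoCommand: /usr/bin/svcadm restart svc:/network/http:apache22
sudoCommand: !/usr/bin/svcadm disable svc:/network/http:apache22
sudoOrder: 5

dn: cn=sol_group,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: sudoRole
cn: sol_group
sudoUser: %Solaris-Admins
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Entries as {attribute (lower-cased): [values]}.  A leading space folds a
    line onto the previous value; base64 (::) values are left undecoded."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
        elif not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            attr = attr.strip().lower()
            current.setdefault(attr, []).append(value.strip())
            last_attr = attr
    if current:
        entries.append(current)
    return entries

def _user_matches(role, user, groups):
    """sudoUser: ALL, a login name, or %group (group names compared exactly)."""
    return any(s == "ALL" or s == user or (s.startswith("%") and s[1:] in groups)
               for s in role.get("sudouser", []))

def _host_matches(role, host):
    """sudoHost: ALL, or a name/glob tried against both the FQDN and short name."""
    short = host.split(".")[0]
    return any(s == "ALL" or fnmatch.fnmatchcase(host, s) or fnmatch.fnmatchcase(short, s)
               for s in role.get("sudohost", []))

def _command_matches(command, pattern):
    """A bare path allows any arguments; a path with arguments must match whole."""
    if pattern == "ALL":
        return True
    if " " not in pattern:
        return fnmatch.fnmatchcase(command.split(" ", 1)[0], pattern)
    return fnmatch.fnmatchcase(command, pattern)

def matching_roles(ldif_text, user, groups, host):
    """cn of every sudoRole applying to user@host, sorted by sudoOrder (ties keep
    directory order).  cn=defaults carries no sudoUser and is skipped."""
    roles = [e for e in parse_ldif(ldif_text) if "sudouser" in e and "cn" in e
             and any(oc.lower() == "sudorole" for oc in e.get("objectclass", []))]
    hits = [r for r in roles if _user_matches(r, user, groups) and _host_matches(r, host)]
    hits.sort(key=lambda r: float(r.get("sudoorder", ["0"])[0]))
    return [r["cn"][0] for r in hits]

def is_allowed(ldif_text, user, groups, host, command):
    """True when a matching role lists the command (or ALL) and no matching role
    forbids it with a leading '!'.  Digests, sudoRunAs* and options are out of scope."""
    by_cn = {e["cn"][0]: e for e in parse_ldif(ldif_text) if "cn" in e}
    allowed = False
    for cn in matching_roles(ldif_text, user, groups, host):
        for spec in by_cn[cn].get("sudocommand", []):
            if _command_matches(command, spec.lstrip("!")):
                if spec.startswith("!"):           # a '!' entry denies outright
                    return False
                allowed = True
    return allowed
```

Two things the model makes visible: a role with `sudoUser: %Solaris-Admins` does not apply to a user whose group is reported as `solaris-admins`, because the comparison is exact; and a role whose sudoHost lists only a short name still matches an FQDN, because both forms are tried. The model works on the LDIF offline; on the client, sudo only reaches the sudoers base after its bind succeeds, and the "Confidentiality required" bind error in the sudo -l output above shows that step failing, so checking the entries in the directory does not by itself explain what the client sees.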