Sudo not working on LDAP client machine

Hi,

I have configured LDAP manually on a Solaris 10/11 machine with the entries below:

# ldapclient list |grep sudo
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=SUDOers,dc=exm,dc=ple,dc=com
# cat /etc/nsswitch.conf |grep -i sudo
sudoers:        files ldap
#

But the groups available in the LDAP server's sudoers are not able to log in to the client machine (sudo is not taking them from the LDAP server). Could anyone help with this?

Thanks in advance!

Regards,
Sridaran G

Where, precisely, is your sudoers file?

Why this capitalization?

ou=SUDOers

Can you clarify what Solaris release you are using (cat /etc/release), tell us where you got the sudo command from, and also post the output of "sudo -V"?


Hello Jim,

sudoers file path: /etc/sudoers on the client machine.
The capitalization is because on LDAP we defined the sudoers OU as SUDOers, which is why we used the same on the client machine as well.

Hello Jlliagre,

I have attached the release and sudo -V details.

Also, please find the sudo -l output from the Solaris 10 machine:

# sudo -l
LDAP Config Summary
===================
host             server.example.com
port             -1
ldap_version     3
sudoers_base     ou=SUDOers,dc=exm,dc=ple,dc=com
binddn           cn=xxxx,ou=xxxx,ou=xxxx,dc=exm,dc=ple,dc=com
bindpw           xxxxxx
timelimit        120000
ssl              start_tls
tls_checkpeer    (yes)
tls_certfile     /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: ldapssl_clientauth_init(/var/ldap, NULL)
sudo: ldapssl_init(server.example.com, 389, 0)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120000
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_sasl_bind_s(): Confidentiality required
User root may run the following commands on this host:
    (ALL) ALL
#
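The trace above is worth reading line by line: the config summary asks for "ssl start_tls", the connection is then opened in the clear on port 389, sudo reports that its LDAP library has no StartTLS support, and the bind is refused with "Confidentiality required" (LDAP resultCode 13, confidentialityRequired, the server's way of refusing a cleartext bind). Because the bind never succeeded, the "(ALL) ALL" that follows cannot have come from the LDAP sudoers base. The script below is an added example, not code from the original post or from sudo itself; it parses a copy of that output (constructed here from the post, same placeholder names, bindpw masked) and returns a structured diagnosis so the same check can be run against any sudo -l debug output.

```python
"""Read the LDAP section of sudo -l debug output and classify what went wrong."""
import re

# Constructed sample: the trace from the post (placeholder names kept, bindpw masked).
SAMPLE_OUTPUT = """\
LDAP Config Summary
===================
host             server.example.com
port             -1
ldap_version     3
sudoers_base     ou=SUDOers,dc=exm,dc=ple,dc=com
binddn           cn=xxxx,ou=xxxx,ou=xxxx,dc=exm,dc=ple,dc=com
bindpw           xxxxxx
timelimit        120000
ssl              start_tls
tls_checkpeer    (yes)
tls_certfile     /var/ldap/cert8.db
===================
sudo: ldapssl_clientauth_init(/var/ldap/cert8.db, NULL)
sudo: ldapssl_clientauth_init(/var/ldap, NULL)
sudo: ldapssl_init(server.example.com, 389, 0)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120000
sudo: start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()
sudo: ldap_sasl_bind_s(): Confidentiality required
User root may run the following commands on this host:
    (ALL) ALL
"""

# Message signatures and their meaning. "Confidentiality required" is LDAP
# resultCode 13 (confidentialityRequired); "Invalid credentials" is resultCode 49.
SIGNATURES = [
    (r"start_tls specified but LDAP libs do not support",
     "sudo's LDAP library has no StartTLS support, so 'ssl start_tls' is ignored"),
    (r"ldap_sasl_bind_s\(\): Confidentiality required",
     "bind refused (resultCode 13): server requires TLS before a bind"),
    (r"ldap_sasl_bind_s\(\): Invalid credentials",
     "bind refused (resultCode 49): binddn/bindpw is wrong"),
]


def parse_config_summary(output: str) -> dict:
    """Return the key/value pairs printed between the two '===' rules."""
    cfg, inside = {}, False
    for line in output.splitlines():
        if line.startswith("==="):
            inside = not inside
            continue
        if inside:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def diagnose(output: str) -> dict:
    """Cross-check the requested TLS mode against what the trace says happened."""
    cfg = parse_config_summary(output)
    findings = [meaning for pattern, meaning in SIGNATURES if re.search(pattern, output)]

    # ldapssl_init(host, port, secure): a trailing 0 means a cleartext connection.
    init = re.search(r"ldapssl_init\(([^,]+), (\d+), (\d)\)", output)
    port = int(init.group(2)) if init else None
    cleartext = init is not None and init.group(3) == "0"

    # Any bind result other than an explicit success counts as a failed bind.
    bind = re.search(r"ldap_sasl_bind_s\(\):\s*(.*)", output)
    bind_result = bind.group(1).strip() if bind else None
    bind_failed = bind_result is not None and bind_result not in ("ok", "Success")

    return {
        "ssl_mode": cfg.get("ssl"),
        "port": port,
        "cleartext_connection": cleartext,
        "bind_failed": bind_failed,
        # If the bind failed, no rule shown afterwards can have come from LDAP.
        "ldap_rules_usable": not bind_failed,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUT).items():
        print(f"{key:22} {value}")
```

Run it against the real output by piping `sudo -l` (with sudoers_debug enabled in the LDAP config) into the script instead of SAMPLE_OUTPUT; a result with `bind_failed` true means the rules listed are local ones, whatever the summary block claims about TLS.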

Ok, so you have both Solaris 10 and Solaris 11 machines. Is the issue present on both or only the Solaris 10 ones?

Yes, the issue persists on both Solaris 10 and 11.

Is ldap authentication properly configured and functional on both servers?

Yes, it's functional; LDAP users and groups are listed and authenticating.

Also, I am able to do an LDAP search of sudo using the command below, which displays all the sudo entries in LDAP.
ldapsearch -h server.example.com -LLL -x -b dc=exm,dc=ple,dc=com objectclass=Sudorole
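Being able to list the sudoRole entries with ldapsearch only proves the directory is reachable anonymously; it says nothing about whether sudo's own matching rules will apply a given role to a given user. The script below is an added example, not code from the original post or from sudo, that applies the documented sudoUser/sudoHost matching semantics (plain name = user, "%name" = Unix group, "ALL" = everyone; "+netgroup", "#uid" and "%#gid" forms are recognised but not resolved here) to a constructed LDIF in the shape ldapsearch -LLL prints, and renders the matching roles in /etc/sudoers syntax so they can be compared with sudo -l. The DNs, role names, hosts and group names are made up for the example; one role deliberately lists a group without the "%" prefix to show that such an entry matches a user called sysadmin, not members of the sysadmin group.

```python
"""Evaluate sudoRole entries (LDIF as printed by ldapsearch -LLL) for a user/host."""

# Constructed sample LDIF; names are hypothetical. The base DN follows the post.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=admins,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=oldadmins,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: top
objectClass: sudoRole
cn: oldadmins
sudoUser: sysadmin
sudoHost: ALL
sudoCommand: ALL

dn: cn=webops,ou=SUDOers,dc=exm,dc=ple,dc=com
objectClass: top
objectClass: sudoRole
cn: webops
sudoUser: alice
sudoHost: web01
sudoHost: web02
sudoRunAsUser: root
sudoCommand: /usr/sbin/svcadm
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank line separates entries, 'attr: value' lines.
    Base64 ('::') values and continuation lines are not handled."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def sudo_roles(entries: list) -> list:
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def user_matches(spec: str, user: str, groups: list) -> bool:
    """sudoUser semantics: ALL, %group, or a plain user name.
    Netgroups (+), numeric uids (#) and gids (%#) are not resolved here."""
    if spec == "ALL":
        return True
    if spec.startswith(("%:", "%#", "+", "#")):
        return False
    if spec.startswith("%"):
        return spec[1:] in groups
    return spec == user


def host_matches(spec: str, host: str) -> bool:
    return spec == "ALL" or spec == host


def matching_roles(roles: list, user: str, groups: list, host: str) -> list:
    """Roles whose sudoUser and sudoHost both match; cn=defaults carries options only."""
    out = []
    for role in roles:
        if role.get("cn") == ["defaults"]:
            continue
        if not any(user_matches(s, user, groups) for s in role.get("sudoUser", [])):
            continue
        if not any(host_matches(s, host) for s in role.get("sudoHost", [])):
            continue
        out.append(role)
    return out


def as_sudoers_lines(roles: list) -> list:
    """Render roles in /etc/sudoers syntax. Assumes a missing sudoRunAsUser
    means root (sudo's runas_default)."""
    lines = []
    for role in roles:
        runas = ",".join(role.get("sudoRunAsUser", ["root"]))
        lines.append("%s %s=(%s) %s" % (",".join(role["sudoUser"]),
                                        ",".join(role["sudoHost"]),
                                        runas, ", ".join(role.get("sudoCommand", []))))
    return lines


if __name__ == "__main__":
    roles = sudo_roles(parse_ldif(SAMPLE_LDIF))
    for line in as_sudoers_lines(matching_roles(roles, "bob", ["sysadmin"], "db01")):
        print(line)
```

To use it on a real directory, feed the output of the ldapsearch command above into parse_ldif and pass the user's name, the groups that `id -Gn user` reports on the client, and the client's hostname; a group that appears in the directory but not in `id -Gn` on the client will never match a "%group" sudoUser, regardless of what the sudoRole says.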