LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 05-12-2017, 02:09 AM   #1
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Rep: Reputation: Disabled
Give sudo access to existing LDAP user


Hi,

I have all rhel7.1 servers in my environment.

I have configured an LDAP server successfully in my environment using the link below.

http://www.learnitguide.com/2016/01/...-on-rhel7.html

I want to give sudo access to existing LDAP users.

If I create a new LDAP user and a new group, I can successfully give sudo access on the client machine by making an entry for the user's group in the /etc/sudoers file on the client machine.

But if I change an existing user's group and then update the LDAP database using "ldapadd", it gives me the error below.

# ldapadd -c -w <ldappassword> -D cn=Manager,dc=my-domain,dc=com -f /root/users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)

adding new entry "uid=ldapuser2,ou=People,dc=my-domain,dc=com"
ldap_add: Already exists (68)

[root@localhost migrationtools]# ldapmodify -c -w <ldappassword> -D cn=Manager,dc=my-domain,dc=com -f /root/users.ldif
ldapmodify: modify operation type is missing at line 2, entry "uid=ldapuser1,ou=People,dc=my-domain,dc=com"
ldapmodify: modify operation type is missing at line 23, entry "uid=ldapuser2,ou=People,dc=my-domain,dc=com"

I am getting this error in both /root/users.ldif and /root/groups.ldif

Please note: Both of the above files have the correct gidNumber with respect to the users.


Please suggest.
UN!Xr0ck$

Last edited by Ankushkalra; 05-12-2017 at 02:11 AM.
 
Old 05-13-2017, 03:54 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,294

Rep: Reputation: 1698
Quote:
ldapmodify: modify operation type is missing at line 2, entry "uid=ldapuser1,ou=People,dc=my-domain,dc=com"
ldapmodify: modify operation type is missing at line 23, entry "uid=ldapuser2,ou=People,dc=my-domain,dc=com"

I am getting this error in both /root/users.ldif and /root/groups.ldif

Please note: Both of the above files have the correct gidNumber with respect to the users.
Please post the ldif files so we could help you on this.

Apparently you are either missing the "Changetype ..." statement or the attribute(s) to be added/changed in your ldif files, but we can't tell if that's the case since you didn't post them.
You can take a look here to see how to use ldif files with ldapmodify.

Regards
 
Old 05-13-2017, 08:22 AM   #3
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for your reply.

Files are as below.


[root@localhost migrationtools]# ./migrate_group.pl /root/group /root/groups.ldif
[root@localhost migrationtools]# cat /root/groups.ldif
adn: cn=ldapuser1,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 1003

dn: cn=ldapuser2,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 1002

Initially, when I created user "ldapuser1", by default it had a group with gidNumber 1001, but now I want to change it to gidNumber 1003 to give sudo access. Please help.

Last edited by Ankushkalra; 05-13-2017 at 08:37 AM.
 
Old 05-13-2017, 12:23 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,294

Rep: Reputation: 1698
Quote:
Initially, when I created user "ldapuser1", by default it had a group with gidNumber 1001, but now I want to change it to gidNumber 1003 to give sudo access. Please help.
Did you bother to look at the link I've posted?
It's straightforward to create the appropriate ldif file in order to change an attribute value.

For example create the following test.ldif:
Code:
dn: cn=ldapuser1,ou=Group,dc=my-domain,dc=com
changetype: modify
replace: gidNumber
gidNumber: 1003
Then run:
Code:
ldapmodify -vx -D cn=Manager,dc=my-domain,dc=com -W -f test.ldif

Last edited by bathory; 05-14-2017 at 03:45 AM.
 
Old 05-13-2017, 11:47 PM   #5
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Thanks for the reply!!!!

I did read the URL but was confused what to write exactly in ldif file.

Anyways thanks for the clarification!!!

Should I have to do this (modify gidNumber) in both "users.ldif" and "groups.ldif" and then run "ldapmodify" on both files?
 
Old 05-14-2017, 03:57 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,294

Rep: Reputation: 1698
Quote:
Should I have to do this (modify gidNumber) in both "users.ldif" and "groups.ldif" and then run "ldapmodify" on both files?
You don't understand how it works. You should create an ldif file for every user whose gidNumber you want to change.

Quote:
Originally Posted by Ankushkalra
If I create a new LDAP user and a new group, I can successfully give sudo access on the client machine by making an entry for the user's group in the /etc/sudoers file on the client machine.

But if I change an existing user's group and then update the LDAP database using "ldapadd", it gives me the error below.
According to what you've posted in your OP, users.ldif/groups.ldif are already updated with the new gidNumber value, so the new users you create do have the correct gidNumber.
The problem is with the old existing users as you mentioned above. So you have to use ldapmodify to change their attributes.
 
1 members found this post helpful.
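The per-entry modify LDIF bathory describes, generated from an add-style file of the same shape as the OP's groups.ldif. This is an added example, not code from either poster: it parses a constructed sample (DNs and gidNumbers are illustrative), reports which blocks have no changetype (the cause of the "modify operation type is missing" error) and emits a "changetype: modify" / "replace: gidNumber" block per entry.

```python
# Constructed sample: an add-style LDIF with no changetype, shaped like the
# groups.ldif that migrate_group.pl produces. Values are illustrative only.
GROUPS_LDIF = """\
dn: cn=ldapuser1,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword: {crypt}x
gidNumber: 1003

dn: cn=ldapuser2,ou=Group,dc=my-domain,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword: {crypt}x
gidNumber: 1002
"""


def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}) records, one per blank-line-separated block."""
    records = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def entries_missing_changetype(text):
    """DNs of blocks that ldapmodify rejects with 'modify operation type is missing'."""
    return [dn for dn, attrs in parse_ldif(text) if "changetype" not in attrs]


def to_modify_ldif(text, attr="gidNumber"):
    """Emit one 'changetype: modify' block replacing `attr` for every record that carries it."""
    blocks = []
    for dn, attrs in parse_ldif(text):
        if attr not in attrs:
            continue
        lines = [f"dn: {dn}", "changetype: modify", f"replace: {attr}"]
        lines += [f"{attr}: {v}" for v in attrs[attr]]
        blocks.append("\n".join(lines) + "\n")
    return "\n".join(blocks)


if __name__ == "__main__":
    print(to_modify_ldif(GROUPS_LDIF))
```

The printed LDIF can be saved and fed to the ldapmodify command from post #4; the same conversion works on users.ldif, since posixAccount entries carry gidNumber too.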
Old 05-17-2017, 02:54 AM   #7
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for the reply!!!

I successfully imported the user's group on the LDAP client and thereafter gave sudo access.

Thanks a ton for the help!!!!
 