I am still battling getting ldap running. I am running CentOS 5 and have openldap 2.3.43.
Now I have the users authorizing from the ldap directory over TLS without any issues. The next step is to have the sudo command consult the directory. I made the appropriate changes but I keep on getting
pam_unix(sudo:auth): conversation failed. In pam.d/sudo it consults system-auth which I think is working because I am able to login using pam_ldap.so. I am concerned that sudo for pam is for some reason not able to bind to the ldap server or I have fudged up the ldif files for sudoers. I don't see any access to the sudoers ou in the server logs either. Any direction anyone could give me would be awesome. To clarify, the direction is to have the admin123 user be able to sudo any command and for the ldap server to look and see whether the admin123 dude is actually authorized to sudo.
Code:
-bash-3.2$ sudo bash
sudo: ldap_sasl_bind_s(): Can't contact LDAP server
[sudo] password for admin123:
Sorry, try again.
[sudo] password for admin123:
Sorry, try again.
[sudo] password for admin123:
sudo: 2 incorrect password attempts
-bash-3.2$
Code:
Client Side Errors:
Mar 12 16:25:51 mail sudo: pam_unix(sudo:auth): conversation failed
Mar 12 16:25:51 mail sudo: pam_unix(sudo:auth): auth could not identify password for [admin123]
Mar 12 16:25:51 mail sudo: admin123 : 2 incorrect password attempts ; TTY=pts/1 ; PWD=/home/admin123 ; USER=root ; COMMAND=/bin/bash
Code:
##LDIF FILE FOR making the OU and defaults and a rule for wheel netgroup members to do sudo
#SUDOers, test.com
dn: ou=SUDOers,dc=test,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# defaults, SUDOers, test.com
dn: cn=defaults,ou=SUDOers,dc=test,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
sudoOption: ignore_local_sudoers
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

# %wheel, SUDOers, test.com
dn: cn=%wheel,ou=SUDOers,dc=test,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
Code:
###LDIF FILE FOR admin123 sudo authorized User###
dn: cn=%admin123,ou=sudoers,dc=test,dc=com
objectClass: top
objectClass: sudoRole
cn: %admin123
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
#sudoOption: !authenticate
sudoUser: %admin123
sudoUser: admin123
Code:
###/etc/nsswitch.conf###
sudoers: ldap files
Code:
####/etc/pam.d/system-auth####
auth sufficient pam_ldap.so use_first_pass
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Code:
###/etc/ldap.conf###
# The distinguished name of the search base.
base dc=test,dc=com
binddn uid=ldap-auth-user,ou=People,dc=test,dc=com
bindpw PA$$WD
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_check_service_attr no
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
use_sasl no
sasl_secprops maxssf=0
uri ldaps://ldapserver/
tls_cacert /etc/openldap/cacerts/ldapscert.pem
pam_password md5
sudoers_base ou=sudoers,dc=test,dc=com
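Added here as an offline check, not code from the post: it parses the two sudoRole records above (constructed inline from the LDIF in the post) and evaluates them the way sudo's LDAP backend matches sudoUser (plain name, %group, ALL) and sudoHost, which shows that admin123 is granted by the plain-name value even when no admin123 group exists, while %wheel only grants members of that group. Netgroups (+name) and negation (!) are assumed away to keep the example short.

```python
from collections import defaultdict
# Constructed from the two sudoRole records in the post (cn=defaults omitted).
SAMPLE_LDIF = """\
dn: cn=%wheel,ou=SUDOers,dc=test,dc=com
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL

dn: cn=%admin123,ou=sudoers,dc=test,dc=com
objectClass: sudoRole
cn: %admin123
sudoHost: ALL
sudoCommand: ALL
sudoUser: %admin123
sudoUser: admin123
"""

def parse_ldif(text):
    """Split LDIF into blank-line separated records; attribute names are
    lowercased and values kept as lists (sudoUser/sudoOption are multi-valued)."""
    records, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                records.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    return records

def user_matches(role, user, groups, host):
    """Simplified sudoUser/sudoHost matching: ALL, a plain user name, or %group.
    Netgroups (+name) and negation (!) are deliberately not handled here."""
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                  for u in role.get("sudouser", []))
    host_ok = any(h == "ALL" or h == host for h in role.get("sudohost", []))
    return user_ok and host_ok

def who_may_sudo(text, user, groups, host):
    """DNs of sudoRole records that would grant `user` (member of `groups`) on `host`."""
    roles = [r for r in parse_ldif(text)
             if "sudorole" in (o.lower() for o in r.get("objectclass", []))]
    return [r["dn"][0] for r in roles if user_matches(r, user, groups, host)]
```

Run it against the LDIF you actually loaded (`ldapsearch -b ou=sudoers,dc=test,dc=com -LLL` output works as input) to separate "the rule does not match" from "sudo never reached the directory", which is the distinction the `Can't contact LDAP server` line points at.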