From: bluethundr
To: freebsd-questions
Date: Mon, 8 Nov 2010 16:14:00 -0500
Subject: pam services under ldap
List-Id: User questions (freebsd-questions@freebsd.org)

Hello List,

I am attempting to set up various pam modules to consult our new LDAP services in order to do what they need to do. My LDAP server is FreeBSD but the clients are CentOS...

I have set up my /etc/pam.d sudo file on the client (for example) this way in the attempt to accomplish this via LDAP:

[root@VIRCENT03:~]#cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
auth       required     pam_ldap.so
account    include      system-auth
account    required     pam_ldap.so
password   include      system-auth
password   required     pam_ldap.so
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    required     pam_ldap.so

but even though the user is part of the %wheel group under LDAP it is unable to sudo to any other account (including root). If I try to sudo this is what happens:

[bluethundr@VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file.  This incident will be reported.

It would appear that sudo support for ldap is compiled in:

[root@VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)

This is how I set up my ldap.conf file:

[root@VIRCENT03:~]#cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

In my openldap logs on the LDAP server there appears to be no activity when I sudo. However, in the secure logs on the client I do..

Nov 8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=500)
Nov 8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened for user bluethundr by bluethundr(uid=0)
Nov 8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

I do see other events in secure.log that appear to be pam successes, however. Am I interpreting this correctly that at least part of the system is communicating with pam on the ldap server?

thanks
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
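The following is an added example, not code from the original message or from any FreeBSD or sudo project. It is a small Python triage helper for the situation described above: it parses an ldap.conf-style file (one "keyword value" per line, '#' comments, case-insensitive keywords) so the sudo-related keys such as sudoers_base can be checked, and it classifies client secure-log lines into PAM module events (pam_xxx(service:type): ...) and sudo's own policy log lines (user : [reason ;] TTY=... ; COMMAND=...), so the authentication stage and the sudoers-lookup stage can be told apart. The sample config and the first three log lines are taken from the post; the PAM authentication-failure line and the allowed /bin/ls line are constructed for contrast, and all function names are mine.

```python
"""Triage helper for a sudo client that should read its sudoers policy from
LDAP. Added example, not code from the original message."""
import re

# Constructed sample input; the values mirror the ldap.conf shown in the post.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net
"""

# Constructed sample log. Lines 1-3 are the post's secure-log lines; lines 4-5
# (a PAM auth failure and an allowed sudo command) are constructed for contrast.
SAMPLE_SECURE_LOG = """\
Nov  8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=500)
Nov  8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened for user bluethundr by bluethundr(uid=0)
Nov  8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash
Nov  8 16:06:02 VIRCENT03 sudo: pam_unix(sudo:auth): authentication failure; logname=bluethundr uid=500 euid=0 tty=/dev/pts/5 ruser=bluethundr rhost=  user=bluethundr
Nov  8 16:07:10 VIRCENT03 sudo: bluethundr : TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/ls
"""

# "Mon DD HH:MM:SS host " syslog prefix (one or two spaces before the day).
SYSLOG_PREFIX = r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+"

# sudo's policy line: "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The reason field ("user NOT in sudoers", ...) is only present on a denial.
SUDO_POLICY = re.compile(
    SYSLOG_PREFIX + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>.*?)\s+;\s+)?TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$")

# A PAM module message: "prog: pam_module(service:type): text"
PAM_EVENT = re.compile(
    SYSLOG_PREFIX + r"(?P<prog>[\w.-]+)(?:\[\d+\])?:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<type>\w+)\):\s+(?P<msg>.*)$")


def parse_ldap_conf(text):
    """Return {lowercased keyword: value}; blank and '#' lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def classify_line(line):
    """Return (kind, subject, detail) for one secure-log line.

    kind is one of sudo_denied / sudo_allowed / pam_failure / pam_ok / other."""
    m = SUDO_POLICY.match(line)
    if m:
        if m.group("reason"):
            return ("sudo_denied", m.group("user"), m.group("reason"))
        return ("sudo_allowed", m.group("user"), m.group("cmd"))
    m = PAM_EVENT.match(line)
    if m:
        outcome = "pam_failure" if "failure" in m.group("msg") else "pam_ok"
        return (outcome, m.group("service"), m.group("module"))
    return ("other", None, None)


def triage(conf_text, log_text):
    """Combine both views: the sudo-LDAP keys that are set, and a count of each
    event class. Denials with no PAM failure point at the sudoers lookup rather
    than at authentication."""
    settings = parse_ldap_conf(conf_text)
    counts = {}
    for line in log_text.splitlines():
        kind = classify_line(line)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return {"uri": settings.get("uri"),
            "sudoers_base": settings.get("sudoers_base"),
            "events": counts}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LDAP_CONF, SAMPLE_SECURE_LOG).items():
        print("%-13s %s" % (key, value))
```

Run over the sample, the post's three lines come out as two successful su-l PAM session events and one sudo denial whose reason is "user NOT in sudoers"; that denial is sudo's own policy message rather than a PAM line, which is the distinction to keep in mind when reading secure.log next to the LDAP server's logs.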