3

I have a problem with my LDAP configuration on SUSE Linux Enterprise Server 12.

As many of you know, the ldap.conf file has been replaced with sssd.conf and a couple of other conf files like nsswitch.conf.

I want to have authentication through LDAP, picking users from a specific OU. I also need to get the definition for sudoers through LDAP. I have never worked with sssd before.

My current NSS configuration looks as follows:

passwd: files ldap
shadow: files ldap
group:  files ldap

hosts:  files dns
networks:       files

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
passwd_compat:  files
group_compat:   files
sudoers:        ldap files [I added this line]

And here is my sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = *****
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]

[domain/GuH]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
debug_level = 20
#access_provider = ldap
ldap_uri = ldap://******.de
ldap_search_base = o=***
create_homedir = truei
ldap_tls_cacert = /etc/sssd/certs/*******.pem
ldap_tls_cacertdir = /etc/sssd/certs
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=********,o=guh
ldap_default_authtok_type = *******
ldap_default_authtok = *********
ldap_user_member_of = *********
ldap_group_name = cn=*******,ou=*******,ou=******,o=******

Just assume the * are put in correctly.

Also, is there anything to do in a PAM config file? I have not seen anyone address it yet.

stefan0xC
  • 1,508
  • 10
  • 20
Meerkat
  • 211
  • 1
  • 10
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html <- it's a redhat doc, but should apply to any distro – phemmer Sep 14 '16 at 12:30
  • unfortunatly it only works until some redhead specific points come into play like "authconfig" – Meerkat Sep 15 '16 at 10:36
  • Eh? `authconfig` is mentioned nowhere on the page. – phemmer Sep 15 '16 at 12:00
  • But on other pages (if you open the dropdown menu at the bottom) that are required for my setup to function. – Meerkat Sep 15 '16 at 13:12
  • Not as it pertains to this question. All the sudo information is on that page. – phemmer Sep 15 '16 at 14:42
  • It needs mre thn that to have the auth work trough ldap. Thats why i posted my config files. I Also asked about pam, wich the link does not adress at all. However I figured a few of those things out so its okay – Meerkat Sep 15 '16 at 14:51

1 Answers1

0

This walkthrough worked for me on Ubuntu 14.04. Also, the Redhat page referenced in the comments doesn't appear to reference authconfig anymore. The highlights are:

  • If your LDAP doesn't include one, import a sudoers scheme (e.g. schema.ActiveDirectory is required by Active Directory)
  • Create rules following the sudoers-ldap manpage (in Active Directory, using a tool like ADSI Edit)
  • Update etc/nsswitch.conf to include sss among the sudoers =
  • Update etc/sssd/sssd.conf to include:
    • sudo among the services =
    • a sudo_provider = line (in my case ad for Active Directory, but possibly ldap)
    • an empty [sudo] section (no configs are required, but Redhat asserts that this triggers the proper configuration of sudo support)

A lot of folks have run into issues due to bugs in various parts of the stack so see this answer and this question if you have any issues. FWIW these instructions got me enough debug information to confirm that the rules were flowing all the way to sudo, specifically:

  • Add the following lines to /etc/sudo.conf:

    Debug sudo /var/log/sudo_debug.log all@debug
Debug sudoers.so /var/log/sudo_debug.log all@debug

  • Run the sudo command as the user you want to debug

claytond
  • 161
  • 1
  • 7