<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"> <div> <div>Rob -</div> <div>Here’s the test configurations/data when I manipulate the BINDDN/BINDPW fields to get get both AUTH and SUDO to work in Linux 5.5. I have three questions below that I would like to get your comments on or see what you may recommend on this. I’m seriously perplexed on this as to why its working this way … Please advise. Thanks!</div> <div><br> </div> <div>**************************************************************</div> <div> <div>AUTH successful on login; SUDO fails with the message listed </div> <div>below !!</div> <div>**************************************************************</div> <div>[mjsmith@chi-infra-idm-client2 ~]$ sudo -l</div> <div>sudo: ldap_sasl_bind_s(): Server is unwilling to perform</div> <div>[sudo] password for mjsmith:</div> <div>Sorry, user mjsmith may not run sudo on chi-infra-idm-client2.</div> <div>*****************************************************</div> <div><br> </div> <div>*****************************************************</div> <div># grep -iv ‘#’ /etc/ldap.conf</div> <div>*****************************************************</div> <div>base dc=linuxcccis,dc=com</div> <div>uri ldap://chi-infra-idm-p1.linuxcccis.com/</div> <div>binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com</div> <div>bindpw secret_pass</div> <div>timelimit 15</div> <div>bind_timelimit 5</div> <div>idle_timelimit 3600</div> <div>nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm</div> <div>pam_password md5</div> <div>sudoers_base ou=SUDOers,dc=linuxcccis,dc=com</div> <div><br> </div> <div>*************************************************</div> <div>User Account AUTH and SUDO works when</div> <div>commenting both the binddn and bindpw fields !!</div> <div>*************************************************</div> <div>vi /etc/ldap.conf … Comment these two fields …</div> <div>#binddn uid=admin,cn=users,cn=compat,dc=linuxcccis,dc=com</div> <div>#bindpw secret_pass</div> <div><br> </div> <div>************************************************</div> <div>This file unchanged during the above testing !!</div> <div>************************************************</div> <div>/etc/sudo-ldap.conf:</div> <div>binddn uid=sudo,cn=sysaccounts,cn=etc,dc=linuxcccis,dc=com</div> <div>bindpw secret_pass</div> <div>ssl start_tls</div> <div>tls_cacertfile /etc/ipa/ca.crt</div> <div>tls_checkpeer yes</div> <div>bind_timelimit 5</div> <div>timelimit 15</div> <div>uri ldap://chi-infra-idm-p1.linuxcccis.com</div> <div>sudoers_base ou=SUDOers,dc=linuxcccis,dc=com</div> <div><br> </div> <div>QUESTIONS:</div> <div>1) What BINDN account needs to be specified to allow the BINDDN/BINDPW to work for SUDO?</div> <div>2) Why does the AUTH work when setting values in the BINDDN/BINDPW, but SUDO then fails?</div> <div>3) If I leave BINDDN/BINDPW blank, what security risks are being introduced by leaving it that way?</div> </div> <div> <div style="background-color: rgb(255, 255, 255); font-family: Tahoma; font-size: 13px;"> <p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <br> </p> </div> </div> </div> <div><br> </div> <span id="OLK_SRC_BODY_SECTION"> <div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"> <span style="font-weight:bold">From: </span>Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br> <span style="font-weight:bold">Date: </span>Friday, November 20, 2015 at 1:42 PM<br> <span style="font-weight:bold">To: </span>Jeffrey Stormshak <<a href="mailto:jstormshak@cccis.com">jstormshak@cccis.com</a>>, Jakub Hrozek <<a href="mailto:jhrozek@redhat.com">jhrozek@redhat.com</a>>, "<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br> <span style="font-weight:bold">Subject: </span>Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question<br> </div> <div><br> </div> <div> <div> <div>Jeffrey Stormshak wrote:</div> <blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"> <div>Rob -</div> <div>Thank you for the suggestions as I finally have them implemented. However, the twist to this saga, is that it only works when I bind to LDAP as "anonymous" vs. setting an actual "binddn" and "bindpw". I truly do not want to keep it this way. With that being said, may I ask what should be the proper binddn account to use so that auth and sudo will work?</div> </blockquote> <div><br> </div> <div>I'm not sure how it works at all anonymously as it should return nothing</div> <div>in that case.</div> <div><br> </div> <div>IIRC a sudo system account user is pre-created you just need to set the</div> <div>password:</div> <div><br> </div> <div>$ ldappasswd -x -S -W -h ipaserver.ipadocs.org -ZZ -D "cn=Directory</div> <div>Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com</div> <div><br> </div> <div>rob</div> <div><br> </div> <blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"> <div></div> <div>Once again, thank you for the help getting me further down the configuration trail. !!</div> <div></div> <div>-----Original Message-----</div> <div>From: Jeffrey Stormshak </div> <div>Sent: Tuesday, November 17, 2015 10:49 AM</div> <div>To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; <a href="mailto:freeipa-users@redhat.com"> freeipa-users@redhat.com</a></div> <div>Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question</div> <div></div> <div>I meant "did" forget. Silly typo on my behalf...</div> <div></div> <div>-----Original Message-----</div> <div>From: <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] On Behalf Of Jeffrey Stormshak</div> <div>Sent: Tuesday, November 17, 2015 10:44 AM</div> <div>To: Rob Crittenden; Jakub Hrozek; <a href="mailto:freeipa-users@redhat.com"> freeipa-users@redhat.com</a></div> <div>Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question</div> <div></div> <div>Thanks Rob! Sorry, I didn't forget to mention what was the message. It basically stated the message listed below.</div> <div></div> <div>Sorry, user plmoss may not run sudo on client_server</div> <div></div> <div>Let me try your suggestions and see if that helps lead me down the right path. Once again, thanks for this feedback. Oh how I miss using the "ipa-client" I used on all of my higher Linux versions. Talk about saving time cycles and deployment timeframes. Oh well. </div> <div></div> <div>-----Original Message-----</div> <div>From: Rob Crittenden [<a href="mailto:rcritten@redhat.com">mailto:rcritten@redhat.com</a>]</div> <div>Sent: Tuesday, November 17, 2015 9:51 AM</div> <div>To: Jeffrey Stormshak; Jakub Hrozek; <a href="mailto:freeipa-users@redhat.com"> freeipa-users@redhat.com</a></div> <div>Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question</div> <div></div> <div>Jeffrey Stormshak wrote:</div> <blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"> <div>Thank you for the response. If I may, can you expand more on the sudoers response?</div> <div><br> </div> <div>More details from my configuration ...</div> <div>The current setup for me is that all my sudoers rules/commands and groups are defined and stored in the RHEL 7.1 IDM LDAP. When I create the /etc/sudo-ldap.conf (snippet below), I'm still not able to get it working on these 5.5 Linux clients.</div> <div><br> </div> <div>uri ldap://ldap-server-name/</div> <div>sudoers_base ou=SUDOers,dc=EXAMPLE,dc=COM binddn </div> <div>uid=sudo,cn=sysaccounts,cn=etc,dc=EXAMPLE,dc=COM</div> <div>bindpw secret_pass</div> <div>bind_timelimit 5</div> <div>timelimit 15</div> <div><br> </div> <div>In your experience, am I missing some other component? PAM Modules? Reference in the /etc/nsswitch.conf?</div> </blockquote> <div></div> <div>It's hard to know what to recommend since you haven't said what isn't working.</div> <div></div> <div>Your nssswitch.conf should have:</div> <div></div> <div>sudoers: files ldap</div> <div></div> <div>You probably want to add sudoers_debug 2 to your sudo-ldap.conf file too while debugging.</div> <div></div> <div>You almost certainly want to use TLS here:</div> <div></div> <div>ssl start_tls</div> <div>tls_cacertfile /etc/ipa/ca.crt</div> <div>tls_checkpeer yes</div> <div></div> <div>You also need your nisdomainname set to your domain to do group or host-based sudo.</div> <div></div> <div>You also need to add this to your sssd.conf:</div> <div></div> <div>ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com</div> <div></div> <div>Stick it after ipa_server in the config file.</div> <div></div> <div>Use sudo -l to test.</div> <div></div> <div>rob</div> <blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"> <div><br> </div> <div>-----Original Message-----</div> <div>From: <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> </div> <div>[<a href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>] On Behalf Of Jakub Hrozek</div> <div>Sent: Tuesday, November 17, 2015 2:56 AM</div> <div>To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a></div> <div>Subject: Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question</div> <div><br> </div> <div>On Mon, Nov 16, 2015 at 08:58:37PM +0000, Jeffrey Stormshak wrote:</div> <blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"> <div>Greetings ---</div> <div>I'm in the process of deploying the RHEL 7.1 IDM into my enterprise and we have a great number of Oracle Linux 5.5 servers. Upon research from Oracle (ULN Channels) the Linux "ipa-client" was only released for 5.6 and then upstream. I went ahead and configured the PAM/LDAP authentication method for 5.5 and so far its working as expected. With that history being said ...</div> <div><br> </div> <div>I'm having difficulty getting TLS and "sudoers" to be managed by the RHEL IDM to these 5.5 clients. Can anyone share some insight or documentation details on how to solve these two problems prior to my mass deployment? Any insight is greatly appreciated. Thanks!</div> </blockquote> <div><br> </div> <div>Not sure about TLS but sudoers should be managed with their ldap </div> <div>config (there's no sssd, hence to sssd sudo integration..)</div> <div><br> </div> <div>--</div> <div>Manage your subscription for the Freeipa-users mailing list:</div> <div><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div> <div>Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div> <div><br> </div> </blockquote> <div></div> <div></div> <div>--</div> <div>Manage your subscription for the Freeipa-users mailing list:</div> <div><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div> <div>Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div> <div></div> </blockquote> <div><br> </div> <div><br> </div> </div> </div> </span> </body> </html>