Join Log in
Score:0
avatar Server

What am I missing to setup sudo access with openldap?

cf flag
thistleknot

I'm using lxd/lxc containers (Oracle Linux 8) to rapidly deploy the environment (so if you have lxd setup, you can modify the ip scheme to match lxd's bridge subnet / DNS and then paste the code into separate lxc containers).

I can authenticate as my test user "adam", but when I attempt to setup sudo for adam it tells me

adam may not run sudo on <hostname>

As far as I can tell, I have everything configured correctly [for sudo].

LDAP: https://www.server-world.info/en/note?os=CentOS_7&p=openldap / https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

SSSD: https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/

SUDO: https://kifarunix.com/how-to-configure-sudo-via-openldap-server/

LDAP Container

lxc stop ldapmaster --force; lxc delete ldapmaster; lxc launch images:oracle/8/amd64 ldapmaster; lxc exec ldapmaster passwd; lxc console ldapmaster

paste into LDAP container

ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1


cat  <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$LDAPMASTERIP
NETMASKIP=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF

ifdown eth0

ifup eth0

cat  <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

EOF

cat  <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF

cat  <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

EOF

echo "10.175.235.220 $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts

#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man openssl hostname sssd-tools openssh-server nss-pam-ldapd nano --nobest

cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yesuri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF

updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
systemctl enable --now sshd
systemctl enable --now slapd 

cat <<EOF > chrootpw.ldif 
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)
EOF

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/ldapserver.key -out /etc/pki/tls/ldapserver.crt -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$ldaphostname"

chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

cat > add-tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
EOL

cat <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=$domain,dc=$suffix
URI     ldaps://$ldaphostname:636
#ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF

cat << 'EOF' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOF

cp /usr/share/doc/sudo/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

mkdir /var/lib/openldap
chown ldap. /var/lib/openldap

cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
OlcDbMaxSize: 42949672960
olcSuffix: dc=$domain,dc=$suffix
olcRootDN: cn=Manager,dc=$domain,dc=$suffix
olcRootPW: secret
olcDbDirectory: /var/lib/openldap
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
EOL

ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif


cat <<EOF > chdomain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=$domain,dc=$suffix" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=$domain,dc=$suffix

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=$domain,dc=$suffix

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=$domain,dc=$suffix" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=$domain,dc=$suffix" write by * read
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=System,dc=$domain,dc=$suffix" read
  by * none
olcAccess: to dn.subtree="ou=System,dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=$domain,dc=$suffix
objectClass: top
objectClass: dcObject
objectclass: organization
o: $domain $suffix
dc: $domain

dn: cn=Manager,dc=$domain,dc=$suffix
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=System,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: System

dn: ou=Users,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Groups

EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f basedomain.ldif

systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service={ldap,ldaps} --permanent 
firewall-cmd --reload

cat <<EOF > sudoersou.ldif
dn: ou=SUDOers,dc=$domain,dc=$suffix
objectClass: organizationalUnit
ou: SUDOers
description: $domain-$suffix LDAP SUDO Entry
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoersou.ldif

cat <<EOF > users_n_groups.ldif

dn: cn=readonly,ou=System,dc=$domain,dc=$suffix
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: $(slappasswd -s $binddnpw)
description: Bind DN user for LDAP Operations

dn: uid=adam,ou=Users,dc=$domain,dc=$suffix
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: $(slappasswd -s $userpw)
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w $olcRootPW -D "cn=Manager,dc=$domain,dc=$suffix" -f users_n_groups.ldif

#cvtsudoers -b ou=SUDOers,dc=$domain,dc=$suffix -o sudoers.ldif /etc/sudoers

cat <<EOF > sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoers.ldif

cat <<EOF > indsudoers.ldif
dn: cn=sudo,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f indsudoers.ldif

#ldappasswd -s $olcRootPW -w $userpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "uid=adam,ou=Users,dc=$domain,dc=$suffix"

#ldappasswd -s $olcRootPW -w $binddnpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "cn=readonly,ou=System,dc=$domain,dc=$suffix"

SSSD Container

lxc stop ldap-sssd-try2 --force; lxc delete ldap-sssd-try2; lxc launch images:oracle/8/amd64 ldap-sssd-try2; lxc exec ldap-sssd-try2 passwd; lxc console ldap-sssd-try2;

paste into SSSD container

ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1

cat  <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$SSSDIP
NETMASKIP=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF

ifdown eth0

ifup eth0

cat  <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF

cat  <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF

cat  <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF

echo "10.175.235.220  $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts

yum install -y hostname openssh-server nmap openssl sssd sssd-tools oddjob-mkhomedir authselect openldap-clients openldap-servers sssd-tools nss-pam-ldapd bind-utils nano mlocate --nobest

systemctl enable --now sshd

cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yesuri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF

cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/LDAP]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=$domain,dc=$suffix
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://$ldaphostname:636
ldap_chpass_uri = ldaps://$ldaphostname:636
#ldap_default_bind_dn = cn=Manager,dc=$domain,dc=$suffix
#ldap_default_authtok = $olcRootPW
ldap_default_bind_dn = cn=readonly,ou=System,dc=$domain,dc=$suffix
#doesn't seem to matter if I use mapldap_default_authtok_type
#mapldap_default_authtok_type = password
ldap_default_authtok = $binddnpw
ldap_user_search_base = ou=Users,DC=$domain,DC=$suffix
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,DC=$domain,DC=$suffix
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF

authselect select sssd --force

chown -R root: /etc/sssd

chmod 600 -R /etc/sssd

systemctl enable --now sssd

cat  <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be $suffix readable but not $suffix writable.

BASE    dc=$domain,dc=$suffix
URI     ldaps://$ldaphostname:636
#SUDOers_BASE    ou=SUDOers,dc=ldapmaster,dc=ldapmaster,dc=com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT      /etc/pki/tls/cacert.crt

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF

openssl s_client -connect $ldaphostname:636 < /dev/null -showcerts | openssl x509 -text | sed -ne '
   /-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p      # got the range, ok
   /-END CERTIFICATE-/q                            # bailing out soon as the cert end seen
' > /etc/pki/tls/cacert.crt

echo "sudoers : ldap files" >> /etc/nsswitch.conf

systemctl restart sssd

systemctl enable --now oddjobd

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

systemctl restart oddjobd

If I query using ldapsearch

domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix

ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -W -x adam

I get

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: adam
#

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com

# adam, SUDOers, example.com
dn: cn=adam,ou=SUDOers,dc=example,dc=com

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

If I run

domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix

ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -w 1234 -x

I get

# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers
description: example-com LDAP SUDO Entry

# sudo, SUDOers, example.com
dn: cn=sudo,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
237
0 + 0
Score:0
avatar Server
cf flag
thistleknot

problem was an extra space after /etc/nsswitch.conf

echo "sudoers: ldap files sss" >> /etc/nsswitch.conf

once that was corrected, had to install

libsss_sudo
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.