
Re: [OCLUG-Tech] sudo with ldap and active directory question

Hi Stephen,

Here is what I have in the /etc/ldap.conf

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember msSFU30PosixMember

It looks to me that it is mapped to the right object.

But
# getent passwd cioband
CIOBAND:*:10000:10000:Ciobanu, Dumitru:/home/cioband:/bin/sh
# ll -d /home/cioband
drwxr-xr-x 4 CIOBAND unixusers 1024 Jun  9 12:21 /home/cioband

Everything is happy with it though except sudo.
In /etc/sudoers I have to have both the lower and upper case name:
User_Alias      ADMINS = CIOBAND, cioband

Not sure why it's doing that to me.

BR,
Dumitru


On 6/28/12, Stephen Gregory <oclug [ at ] kernelpanic [ dot ] ca> wrote:
> On Thu, Jun 28, 2012 at 12:14 AM, Dumitru Ciobanu
> <ciobanu [ dot ] dumitru [ at ] gmail [ dot ] com> wrote:
>> Now going over Stephen's suggestion that users are mapped to the wrong
>> field, well I'm not sure which field should they be setup to; I
>> thought the username is the one that matters but I guess I could be
>> wrong.
>
> You need to map the sAMAccountName on AD to uid. The mappings are in
> /etc/ldap.conf, or /etc/nslcd.conf depending on which ldap you are
> using. If you have nslcd running then you are probably using
> /etc/nslcd.conf. Have a look at this gentoo document for
> configuring ldap.conf
>
> http://en.gentoo-wiki.com/wiki/Active_Directory_Authentication_using_LDAP#Attribute_Mapping
>
> For nslcd.conf you should be able to slightly tweak the above
> following this man page:
>
> http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
>
>
> One way to see what your usernames look like is the 'getent' command.
> On most systems this just returns the passwd file. On systems using
> ldap or nis authentication getent returns the remote users as well.
>
> $ getent passwd [user|uid]
>
> --
> sg
>


-- 
=====================

Dumitru Ciobanu
ciobanu [ dot ] dumitru [ at ] gmail [ dot ] com
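The thread above turns on a detail that is easy to miss: the name `getent passwd` returns for the uid (here `CIOBAND`, as stored in AD's sAMAccountName) is the name sudo compares against sudoers, and that comparison is case-sensitive, so a `User_Alias` member that differs only in case from the resolved name never matches. The script below is an added example, not code from either poster or from the sudo or nss-pam-ldapd projects. It parses `User_Alias` lines from a sudoers fragment and login names from passwd-format output, then reports for every alias member whether it matches exactly, matches only when case is ignored, or does not exist at all, and it flags members that are case variants of each other (such as `CIOBAND, cioband`), since the extra variant is dead weight at best and an unintended grant if an account with the other casing ever appears. The sample passwd and sudoers text is constructed for the demonstration; on a real host you would feed it `getent passwd` output and the contents of `/etc/sudoers` instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `getent passwd` format; not real directory data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
CIOBAND:*:10000:10000:Ciobanu, Dumitru:/home/cioband:/bin/sh
jdoe:*:10001:10001:Doe, Jane:/home/jdoe:/bin/bash
"""

# Constructed (hypothetical) sudoers fragment modelled on the one in the post.
SAMPLE_SUDOERS = """\
# hypothetical sudoers
User_Alias      ADMINS = CIOBAND, cioband
User_Alias      OPS = jdoe, JDOE, nobodyhere
ADMINS ALL=(ALL) ALL
"""

# User_Alias NAME = member, member, ...
ALIAS_RE = re.compile(r"^\s*User_Alias\s+(\w+)\s*=\s*(.+?)\s*$")


def parse_passwd(text: str) -> Dict[str, str]:
    """Map each login name to its uid string from passwd-format lines."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = fields[2]
    return users


def parse_user_aliases(text: str) -> Dict[str, List[str]]:
    """Collect User_Alias definitions as alias name -> list of members."""
    aliases: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            members = [x.strip() for x in m.group(2).split(",") if x.strip()]
            aliases[m.group(1)] = members
    return aliases


def check_alias_case(passwd: Dict[str, str],
                     aliases: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify each alias member against the names NSS actually returns.

    'exact'     - name exists with identical case; sudo will match it
    'case-only' - a name exists but only in different case; sudo's
                  case-sensitive comparison will NOT match it
    'unknown'   - no such login name at all
    """
    by_lower: Dict[str, List[str]] = {}
    for name in passwd:
        by_lower.setdefault(name.lower(), []).append(name)
    report: Dict[str, List[Tuple[str, str]]] = {}
    for alias, members in aliases.items():
        findings = []
        for member in members:
            if member in passwd:
                findings.append((member, "exact"))
            elif member.lower() in by_lower:
                findings.append((member, "case-only"))
            else:
                findings.append((member, "unknown"))
        report[alias] = findings
    return report


def case_duplicates(aliases: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Members of one alias that are the same name in different case."""
    dups: Dict[str, List[str]] = {}
    for alias, members in aliases.items():
        groups: Dict[str, List[str]] = {}
        for member in members:
            groups.setdefault(member.lower(), []).append(member)
        variants = [m for g in groups.values() if len(g) > 1 for m in g]
        if variants:
            dups[alias] = variants
    return dups


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    aliases = parse_user_aliases(SAMPLE_SUDOERS)
    for alias, findings in check_alias_case(users, aliases).items():
        for member, status in findings:
            print(f"{alias}: {member:<12} {status}")
    for alias, variants in case_duplicates(aliases).items():
        print(f"{alias}: case variants of one name: {', '.join(variants)}")
```

Run it against live data with `getent passwd > /tmp/passwd.txt` and the sudoers file, replacing the two sample strings; any `case-only` result is an entry that looks right but will never grant, and any flagged variant pair should be reduced to the single spelling that `getent passwd <uid>` actually returns.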