Centos – RHEL4/CentOS4 setting up SUDOERS from LDAP


I built the server based on this guide, but I skipped the Samba part. (CentOS 5.x Samba Domain Controller With LDAP Backend)

I added in sudoers support based on this guide. (Sudoers LDAP Manual)

I've rebuilt the system 7 or 8 times with different settings, tweaks, all that good stuff, so I have a pretty solid understanding of LDAP/slapd and its configuration.

We're integrating our new LDAP server with our systems; however, some of those servers can't quite be updated to the latest version of CentOS yet, and I've hit a bit of a roadblock.
I've also written "launch" scripts for our nodes to speed up the turn-up process a bit. Below is a script that autoconfigures my CentOS machines to be a member of the LDAP node.

CentOS5 Script

#!/bin/sh
#
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=10.0.32.5 --ldapbasedn="dc=MYDOMAIN" --update
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base dc=MYDOMAIN
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
uri ldap://10.0.32.5/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
sudoers_base    ou=SUDOers,dc=MYDOMAIN
' > /etc/ldap.conf

Now, running this doesn't work on CentOS 4 servers, I had to make a few changes.

CentOS4 Script

#!/bin/sh
#
authconfig --enableldap --enableldapauth --ldapserver=10.0.32.5 --ldapbasedn="dc=MYDOMAIN"
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base dc=MYDOMAIN
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
uri ldap://10.0.32.5/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
sudoers_base    ou=SUDOers,dc=MYDOMAIN
' > /etc/ldap.conf

Now, this almost works. It joins the LDAP server and my user logins work. I had to disable enablemkhomedir, which made me sad, but I'll survive.

The primary difference is that, for some reason, my CentOS4 servers don't work with my SUDOers setup, although those configs work fine on CentOS5 servers. That doesn't really surprise me, but I do need to figure out some kind of workaround.

Does anyone know the solution, or can point me in the right direction, to get LDAP-based sudoers to work with CentOS4 servers?

Best Answer

The default CentOS/RHEL4 sudo does not support LDAP. You would need to get a sudo that has that support.

http://www.sudo.ws/sudo/download.html has RHEL4 RPMs that support LDAP, but I haven't used them.
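A quick way to confirm the answer's diagnosis on a given host, and to catch the two config details the question's scripts depend on (the sudoers line in nsswitch.conf and sudoers_base in ldap.conf). This is an added example, not code from the question or the answer; the sample files it writes are constructed, and the libldap check assumes an LDAP-enabled sudo is dynamically linked against libldap, which is how the RHEL-style builds are packaged.

```shell
#!/bin/sh
# Added example (not from the question or the answer): sanity checks for the
# LDAP sudoers setup described above. Paths are parameters so the functions run
# against constructed sample files as well as the real /etc files.
# Number of "sudoers:" lines in an nsswitch.conf that list the ldap source.
# The scripts above append with '>>', so a re-run duplicates the line; 1 is right.
sudoers_ldap_nss_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '^sudoers:.*ldap' "$1" || :
}

# The sudoers_base value from an ldap.conf (empty when the directive is missing).
sudoers_base_of() {
    awk '$1 == "sudoers_base" { print $2 }' "$1" 2>/dev/null
}

# Is the sudo binary linked against libldap? The answer says the stock RHEL4/CentOS4
# sudo is not, which is why the same config works only on CentOS 5.
# Exit status: 0 = yes, 1 = no, 2 = binary not found or ldd unavailable.
sudo_has_ldap() {
    bin=${1:-$(command -v sudo)}
    [ -n "$bin" ] && [ -x "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$bin" 2>/dev/null | grep -q libldap
}

# Run all three checks against a host's configuration (defaults to the real /etc files).
check_host() {
    n=$(sudoers_ldap_nss_count "${1:-/etc/nsswitch.conf}")
    base=$(sudoers_base_of "${2:-/etc/ldap.conf}")
    [ "$n" -eq 1 ] || echo "nsswitch.conf: expected one 'sudoers: ... ldap' line, found $n"
    [ -n "$base" ] && echo "ldap.conf: sudoers_base $base" || echo "ldap.conf: sudoers_base missing"
    rc=0; sudo_has_ldap "$3" || rc=$?
    case $rc in
        0) echo "sudo: linked against libldap" ;;
        1) echo "sudo: built without LDAP support (install an LDAP-enabled sudo)" ;;
        *) echo "sudo: could not inspect binary" ;;
    esac
}

# Demo on constructed files: what the CentOS4 script above leaves behind when run twice.
demo() {
    d=$(mktemp -d)
    printf 'sudoers:    files ldap\nsudoers:    files ldap\n' > "$d/nsswitch.conf"
    printf 'base dc=MYDOMAIN\nuri ldap://10.0.32.5/\nsudoers_base    ou=SUDOers,dc=MYDOMAIN\n' > "$d/ldap.conf"
    check_host "$d/nsswitch.conf" "$d/ldap.conf"
    rm -rf "$d"
}
demo
```

On a real CentOS4 box, source the file and call `check_host` with no arguments; a "built without LDAP support" result is the situation the answer describes.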
