CoreOS ldap sudo access


Tarikur Rahaman

Nov 22, 2017, 5:46:22 AM
to CoreOS User
Hi, I have configured CoreOS as an LDAP client, and I'm successfully logged in. But my user is not getting sudo access. On my Ubuntu 14.04 server (LDAP client), I'm able to get sudo access with the same user.

It looks like I haven't put the configuration in the correct location. Can anyone tell me where I should place my LDAP configuration to get user sudo access?

CoreOS sudo -V: 
Sudoers file grammar version 45

Sudoers path: /usr/share/baselayout/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv



UBUNTU 14.04 sudo -V:

Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam' 

Please help me out. 

Thanks in Advance. 

Brandon Philips

Nov 28, 2017, 3:18:41 PM
to CoreOS User
Can you just use normal posix groups pulled in by sssd and sudo?

Tarikur Rahaman

Nov 28, 2017, 3:20:35 PM
to CoreOS User, Brandon Philips
How do I configure that?



Brandon Philips

Nov 28, 2017, 3:35:56 PM
to Tarikur Rahaman, CoreOS User
Something like `%mygroup ALL=(ALL:ALL) ALL` added via visudo, where mygroup is a group assigned to a user via LDAP.
--
CTO, CoreOS, Inc
Tectonic is enterprise Kubernetes

Tarikur Rahaman

Dec 7, 2017, 10:14:59 AM
to Brandon Philips, CoreOS User
Hi Brandon

If you run a command like the one below on any server without CoreOS, it will return the output below:

$ sudo -V | grep 'ldap.conf path:'
ldap.conf path: /etc/ldap.conf.sudo


But if you run this on any CoreOS instance, it will return nothing. I believe CoreOS sudo is configured without LDAP, as shown below:

Sudo version 1.8.20p2
Configure options: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-cros-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/sudo-1.8.20_p2 --htmldir=/usr/share/doc/sudo-1.8.20_p2/html --libdir=/usr/lib64 --enable-zlib=system --with-editor=/usr/libexec/editor --with-env-editor --with-plugindir=/usr/lib64/sudo --with-rundir=/var/run/sudo --with-secure-path=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin --with-vardir=/var/db/sudo --without-linux-audit --without-opie --disable-gcrypt --disable-nls --disable-openssl --without-insults --without-all-insults --without-ldap_conf_file --without-ldap --with-pam --without-skey --without-selinux --without-sendmail
Sudoers policy plugin version 1.8.20p2

Is there any other way around?
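
The following is an added example, not code from any poster or from CoreOS: it classifies a sudo build from `sudo -V` output using the two signals quoted in this thread (the `ldap.conf path:` line and the configure options) and prints the group rule suggested above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# sudo_ldap_support: reads `sudo -V` output (run as root) on stdin and
# prints yes / no / unknown for LDAP sudoers support in that build.
sudo_ldap_support() {
    awk '
        /^ldap\.conf path:/ { yes = 1 }   # line shown by the Ubuntu host in the thread
        /^Configure options:/ {
            for (i = 3; i <= NF; i++) {
                # Exact match, so --without-ldap_conf_file alone decides nothing.
                if ($i == "--without-ldap") no = 1
                if ($i == "--with-ldap" || $i ~ /^--with-ldap=/) yes = 1
            }
        }
        END { if (yes) print "yes"; else if (no) print "no"; else print "unknown" }
    '
}

# group_sudoers_rule GROUP: prints the rule from the thread for a POSIX group,
# refusing names that could carry extra sudoers syntax into the file.
group_sudoers_rule() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid group name: $1" >&2; return 1 ;;
    esac
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Constructed sample, trimmed from the CoreOS `sudo -V` output quoted above.
COREOS_SAMPLE='Sudo version 1.8.20p2
Configure options: --prefix=/usr --sysconfdir=/etc --without-ldap_conf_file --without-ldap --with-pam
Sudoers policy plugin version 1.8.20p2'

if [ "$(printf '%s\n' "$COREOS_SAMPLE" | sudo_ldap_support)" = "no" ]; then
    # No LDAP sudoers backend: use a local rule keyed on a group that the
    # directory (for example via sssd) assigns to the user.
    group_sudoers_rule mygroup   # check the file with `visudo -cf FILE` before installing
fi
```

On a live host, feed the function with `sudo -V | sudo_ldap_support` from a root shell, since sudo only prints the configure options and paths to root.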