Difference between revisions of "OpenLDAP/sudo"

From Secure Computing Wiki

Revision as of 13:12, 29 July 2008

This page describes how to set up sudo on FreeBSD with OpenLDAP in two roles: PAM authenticates users against the directory through pam_ldap, and sudo reads its rules (the sudoRole entries under sudoers_base) from the directory instead of from a local sudoers file.

This is a work in progress. DO NOT FOLLOW THIS UNTIL IT'S FINISHED!!!!!!!!!

PAM Config

Edit /etc/pam.d/system so that it reads as follows. The sudo port installs its own PAM service, /usr/local/etc/pam.d/sudo, which on FreeBSD includes system, so this stack is what sudo's password prompt is checked against; confirm that on your host before relying on it. Two points about the auth section: pam_ldap is listed as sufficient before pam_unix, so directory users are accepted without a local password entry and local accounts (root included) keep working when the directory is unreachable; and nullok on the pam_unix line, carried over from the FreeBSD default file, lets a local account with an empty password field authenticate, which is not something you want in front of sudo. Drop nullok on any host that uses this stack for sudo.

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
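The following script audits a PAM service file for the two properties of the auth stack above: pam_ldap tried as sufficient before a required pam_unix, and the absence of nullok on pam_unix. It is an added example, not part of the wiki page; it assumes the standard "type control module options" layout, and the sample file it writes is constructed from the stack shown on this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the auth stack of a PAM
# service file for the two properties that matter when sudo uses it.
# Assumes the standard "type control module options" layout. The sample
# file written below is constructed from the stack shown on this page.

# Print the active (non-comment) auth lines of a PAM service file.
pam_auth_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1"
}

# Succeed (exit 0) if pam_unix on the auth stack carries nullok, i.e. a
# local account with an empty password field passes sudo's password prompt.
pam_auth_allows_empty_password() {
    pam_auth_lines "$1" | grep -qE 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)'
}

# Succeed if pam_ldap is tried as "sufficient" before a "required" pam_unix,
# the ordering that admits directory users and still keeps local root working.
pam_auth_uses_ldap_then_unix() {
    pam_auth_lines "$1" | awk '
        $2 == "sufficient" && $3 ~ /pam_ldap\.so$/ { ldap = NR }
        $2 == "required"   && $3 ~ /pam_unix\.so$/ { unix = NR }
        END { exit !(ldap && unix && ldap < unix) }'
}

# Print a hardened copy of the file with nullok removed from pam_unix auth lines.
pam_strip_nullok() {
    sed -E '/^[[:space:]]*auth[[:space:]].*pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system" <<'EOF'
# constructed sample: the auth section from this page
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
account         required        pam_unix.so
EOF

pam_auth_uses_ldap_then_unix "$tmp/system" && echo "ok: pam_ldap (sufficient) is tried before pam_unix (required)"
if pam_auth_allows_empty_password "$tmp/system"; then
    echo "WARNING: pam_unix auth line has nullok; remove it on a host where this stack backs sudo"
    pam_strip_nullok "$tmp/system" > "$tmp/system.hardened"
    echo "hardened copy written to $tmp/system.hardened"
fi
```

Run it against the real file by replacing the constructed sample with /etc/pam.d/system; the hardened copy is written next to the original rather than in place so the change can be reviewed before it is installed.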

ldap.conf

Add the following lines to /usr/local/etc/ldap.conf, the file the FreeBSD sudo port reads its LDAP settings from. The uri (or host) and base lines that pam_ldap already uses must be present in the same file; sudoers_base only tells sudo where in the tree the sudoRole entries live, and those entries still have to be created. On FreeBSD sudo takes the order of its sudoers sources from /etc/nsswitch.conf, so once the directory holds rules add a "sudoers: ldap files" line there, otherwise sudo keeps reading only the local sudoers file.

# SUDO Configuration
sudoers_base ou=SUDOers,dc=claimlynx,dc=com
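The script below checks that ldap.conf carries what sudo needs to find its rules and then generates the LDIF that creates the sudoers_base container and a first sudoRole entry. It is an added example, not code from the wiki page. It assumes that slapd already has the sudo schema loaded (objectClass sudoRole with the sudoUser, sudoHost and sudoCommand attributes); the server URI ldap.example.com, the rootdn cn=Manager,dc=claimlynx,dc=com and the "admins" role are made up for illustration, and the ldap.conf it writes is a constructed sample around the sudoers_base line from this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that ldap.conf carries what
# sudo needs to find its rules, then generate the LDIF that creates the
# sudoers_base container and a first sudoRole. Assumptions: slapd already
# has the sudo schema loaded (objectClass sudoRole and its attributes); the
# server URI, the rootdn and the role used below are made up.

# Print the first value of a ldap.conf keyword (keywords are case-insensitive).
ldap_conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeed if ldap.conf names a server (uri or host) and a sudoers_base;
# without the base, sudo has nowhere to search even when LDAP is reachable.
ldap_conf_sudo_ready() {
    [ -n "$(ldap_conf_get "$1" sudoers_base)" ] &&
    { [ -n "$(ldap_conf_get "$1" uri)" ] || [ -n "$(ldap_conf_get "$1" host)" ]; }
}

# LDIF for the organizationalUnit that holds the sudoRole entries ($1 = its DN).
sudoers_container_ldif() {
    cat <<EOF
dn: $1
objectClass: top
objectClass: organizationalUnit
ou: $(printf '%s\n' "$1" | sed -E 's/^ou=([^,]*),.*$/\1/')

EOF
}

# LDIF for one sudoRole: $1 base DN, $2 cn, $3 sudoUser, $4 sudoHost, $5 sudoCommand.
# Each attribute may be multi-valued in a real entry; one value each here.
sudorole_ldif() {
    cat <<EOF
dn: cn=$2,$1
objectClass: top
objectClass: sudoRole
cn: $2
sudoUser: $3
sudoHost: $4
sudoCommand: $5

EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed ldap.conf: the uri is made up, sudoers_base is the one from this page.
cat > "$tmp/ldap.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=claimlynx,dc=com
# SUDO Configuration
sudoers_base ou=SUDOers,dc=claimlynx,dc=com
EOF

if ldap_conf_sudo_ready "$tmp/ldap.conf"; then
    base=$(ldap_conf_get "$tmp/ldap.conf" sudoers_base)
    {
        sudoers_container_ldif "$base"
        # hypothetical role: members of wheel may run any command on any host
        sudorole_ldif "$base" admins '%wheel' ALL ALL
    } > "$tmp/sudoers.ldif"
    echo "LDIF written to $tmp/sudoers.ldif"
    # assumed rootdn; replace with the DN that may write under $base
    echo "load it with:   ldapadd -x -W -D cn=Manager,dc=claimlynx,dc=com -f $tmp/sudoers.ldif"
    echo "verify with:    ldapsearch -x -b '$base' '(objectClass=sudoRole)'"
    echo "then run:       sudo -l   (as a directory user; lists the rules sudo found)"
else
    echo "ldap.conf lacks uri/host or sudoers_base" >&2
fi
```

After loading the LDIF, ldapsearch confirms the entries are readable by the bind sudo uses (anonymous here, since the sample ldap.conf sets no binddn), and sudo -l run as a directory user shows whether sudo actually found them; an empty list with the entries present usually means the nsswitch.conf sudoers line is missing.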