Comments on Eating Security: Setting up OpenLDAP for centralized accounts
Blog author: Nathaniel Richmond

Nathaniel Richmond, 2009-01-14 09:21 -05:00

J.P., thanks for the comment.

To troubleshoot, start by checking your logs. Depending on your distribution or OS, /var/log/messages and /var/log/secure may be useful. Keep in mind that some distributions do not have LDAP support in the sudo package by default, for instance RHEL4.

Finally, enable LDAP sudo debugging in /etc/ldap.conf.

I address some of this, including enabling sudo debugging (http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html#sudo), in my second LDAP post (http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html). I also have a third one that focuses more on LDAP security (http://eatingsecurity.blogspot.com/2008/11/openldap-security.html).

J.P. Doherty, 2009-01-13 18:48 -05:00

Thanks for a great article.

I was wondering if you could post your /etc/ldap.conf and /etc/openldap/ldap.conf files on your client, as set up in this article.

I'm having issues getting sudo to work, and I feel as though it is configured correctly on the server side (schema is correct, sudo nodes added to the db, etc.); I think the client just doesn't know where to look.

I can log in to the client with an LDAP user, but if I sudo -s, it just hangs. It doesn't ask for a password, it just hangs. I'm assuming it is still checking the local sudoers file, and obviously not finding that user.

In terms of flow, is the client doing something similar to nsswitch.conf? In other words, if the sudoer isn't local, does it go over to the LDAP server to look for them?

Any help you could provide me would be amazing.

Thanks again.

Nathaniel Richmond, 2008-09-22 09:54 -04:00

Gavin, thanks, I fixed it to point that out.

Gavin Henry, 2008-09-19 16:20 -04:00

by dn="cn=Manager,dc=security,dc=test,dc=com" write

doesn't do anything, as Manager is the rootdn user and bypasses all ACLs.

Thought you'd like to know.