[CentOS] pam_ldap login under centOS

bluethundr bluethundr at gmail.com
Mon Nov 8 21:10:07 UTC 2010

Hello List

 I am attempting to setup various pam modules to consult our new LDAP
services in order to do what it needs to do.

 I have setup my /etc/pam.d sudo file (for example) this way in the
attempt to accomplish this via LDAP:

 [root at VIRCENT03:~]#cat /etc/pam.d/sudo
auth       include	system-auth
auth       required     pam_ldap.so
account    include	system-auth
account    required     pam_ldap.so
password   include	system-auth
password   required     pam_ldap.so
session    optional	pam_keyinit.so revoke
session    required	pam_limits.so
session    required     pam_ldap.so

but even tho the user is part of the %wheel group under LDAP it is
unable to sudo to any other account (including root). If I try to sudo
this is what happens:

[bluethundr at VIRCENT03:~]#sudo bash
[sudo] password for bluethundr:
bluethundr is not in the sudoers file.  This incident will be reported.

It would appear that sudo support for ldap is compiled in:

[root at VIRCENT03:~]#ldd $(which sudo)| grep -i ldap
	libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00552000)

This is how I setup my ldap.conf file

[root at VIRCENT03:~]#cat /etc/openldap/ldap.conf
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example, dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#DEREF		never
URI ldap://ldap.acadaca.net/
BASE dc=acadaca,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,ou=Services,dc=acadaca,dc=net

In my openldap logs on the LDAP server there appears to be no activity
when I sudo. however in the secure logs on the client I do..

Nov  8 16:05:34 VIRCENT03 su: pam_unix(su-l:session): session opened
for user root by bluethundr(uid=500)
Nov  8 16:05:37 VIRCENT03 su: pam_unix(su-l:session): session opened
for user bluethundr by bluethundr(uid=0)
Nov  8 16:05:44 VIRCENT03 sudo: bluethundr : user NOT in sudoers ;
TTY=pts/5 ; PWD=/home/bluethundr ; USER=root ; COMMAND=/bin/bash

I do see other events in secure.log that appear to be pam successes
however. am i interpreting this correctly that at least part of the
system is communicating with pam on the ldap server?


Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!

More information about the CentOS mailing list