Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

Hi Pantazis,

Can you login with your userid from LDAP?  What do you get back from "lsuser -R LDAP ALL" ?  Can you do an ldapsearch with the details that you've used to configure LDAP in AIX?  In my environment we just use LDAP, not KRB5LDAP and it all works nicely.  But if those fundamentals aren't working, that could explain some of your issue.

I have sudo working in our environment using the sudo_nodap RPM.  Our LDAP config is local to the box, not sourced from LDAP.  I think that you have the sudo syntax incorrect.  You don't need to specify all the "Windows Stuff" as part of the group name in sudo.  Just the name of the group eg:

%sudoers ALL=(ALL) NOPASSWD: ALL

If you do an lsuser for your userid you'll see that the user and group names within AIX don't include AD/LDAP OU information in them, this is what you need to use in sudo. 

Phill.

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

Thank you Phil for the feedback. Installed we have the "sudo" RPM, which I checked is binded with ldap. Yes the LDAP user can login on AIX just fine so no issue with that and lsuser returns the correct users for the base DN we defined.

sudoers is not the baseDN though and sudoers does not have any POSIX attributes. Should we add POSIX atributes also in "sudoers" group ?

Hi Pantazis,

Can you login with your userid from LDAP?  What do you get back from "lsuser -R LDAP ALL" ?  Can you do an ldapsearch with the details that you've used to configure LDAP in AIX?  In my environment we just use LDAP, not KRB5LDAP and it all works nicely.  But if those fundamentals aren't working, that could explain some of your issue.

I have sudo working in our environment using the sudo_nodap RPM.  Our LDAP config is local to the box, not sourced from LDAP.  I think that you have the sudo syntax incorrect.  You don't need to specify all the "Windows Stuff" as part of the group name in sudo.  Just the name of the group eg:

%sudoers ALL=(ALL) NOPASSWD: ALL

If you do an lsuser for your userid you'll see that the user and group names within AIX don't include AD/LDAP OU information in them, this is what you need to use in sudo. 

Phill.

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

Hi Pantazis,

There are three sudo rpms available in the toolbox:-

sudo_noldap.ppc

sudo.ppc

sudo_ids.ppc

Which one have you installed?  Sudo_noldap doesn't bind to ldap.

Yes the sudoers group will need it's POSIX attributes populated, it won't be a valid group on AIX without them.

Phill.

------------------------------
Phill Rowbottom

Original Message:
Sent: Sat December 14, 2024 10:55 AM
From: PANTAZIS PANTAZI
Subject: How to configure LDAP groups in SUDO

Thank you Phil for the feedback. Installed we have the "sudo" RPM, which I checked is binded with ldap. Yes the LDAP user can login on AIX just fine so no issue with that and lsuser returns the correct users for the base DN we defined.

sudoers is not the baseDN though and sudoers does not have any POSIX attributes. Should we add POSIX atributes also in "sudoers" group ?

------------------------------
PANTAZIS PANTAZI

Original Message:
Sent: Thu December 12, 2024 10:33 AM
From: Phill Rowbottom
Subject: How to configure LDAP groups in SUDO

Hi Pantazis,

Can you login with your userid from LDAP?  What do you get back from "lsuser -R LDAP ALL" ?  Can you do an ldapsearch with the details that you've used to configure LDAP in AIX?  In my environment we just use LDAP, not KRB5LDAP and it all works nicely.  But if those fundamentals aren't working, that could explain some of your issue.

I have sudo working in our environment using the sudo_nodap RPM.  Our LDAP config is local to the box, not sourced from LDAP.  I think that you have the sudo syntax incorrect.  You don't need to specify all the "Windows Stuff" as part of the group name in sudo.  Just the name of the group eg:

%sudoers ALL=(ALL) NOPASSWD: ALL

If you do an lsuser for your userid you'll see that the user and group names within AIX don't include AD/LDAP OU information in them, this is what you need to use in sudo. 

Phill.

------------------------------
Phill Rowbottom

Original Message:
Sent: Wed December 11, 2024 11:37 AM
From: PANTAZIS PANTAZI
Subject: How to configure LDAP groups in SUDO

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

------------------------------
PANTAZIS PANTAZI
------------------------------

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

We have this working, but not with a Kerberos auth scheme, though I don't think that matters. All this stuff happens after authentication. 

We're using the sudo-ids package from the AIX Toolbox
Our /etc/sudo-ldap.conf looks similar to this:

uri ldaps://server1:636 ldaps://server2:636 ldaps://server3:636
binddn cn=ldapbinddn,o=Mycompany
bindpw youknowwhatgoeshere
ssl yes
tls_key /etc/security/ldap/newkdb/ldapclient.kdb
tls_keypw youalsoknowwhatgoeshere
sudoers_base ou=SUDOers,ou=Admin,o=Mycompany

The TLS_key and TLS_keypw are because we store our CA certs in a gsk8capicmd certitificate store, but I think you could potentially use a pem file with your necessary root certificate(s) in it. 

With this config, the tool is going to search ou=Sudoers,ou=admin,o=mycompany for sudorole objects. It doesn't search LDAP for the groups, it does a local lookup on the user to see if it's in that group.
And to reinforce Phill's comment, just the group basename. Whatever shows up for groups when you type 'id" on the command line, that's what it's going to match on. 

Sudo-ids binds as the user in the config file, not the user running sudo. Depending on how you have your auth set up, if you can't do simple auth, you may need to do some stuff with keytabs and a service principal before sudo-ids can do lookups. Check the doc and you can crank up the debug and see what it's doing. 

------------------------------
Andrew Scott

Original Message:
Sent: Wed December 11, 2024 11:37 AM
From: PANTAZIS PANTAZI
Subject: How to configure LDAP groups in SUDO

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

------------------------------
PANTAZIS PANTAZI
------------------------------

Thank you Andrew for the feedback. In our case we installed the "sudo" RPM which is binded with ldap as I have seen but I have not configured anything in the  /etc/sudo-ldap.conf as IBM support did not say that was necessary.

In your case, the sudoers group has POSIX attributes ?

Should I configure it like in your case, from the moment it has ldap as part of the rpm ?

To confirm also the the user login works fine and now just trying to resolve the sudo issue.

------------------------------
PANTAZIS PANTAZI

Original Message:
Sent: Fri December 13, 2024 10:16 AM
From: Andrew Scott
Subject: How to configure LDAP groups in SUDO

We have this working, but not with a Kerberos auth scheme, though I don't think that matters. All this stuff happens after authentication. 

We're using the sudo-ids package from the AIX Toolbox
Our /etc/sudo-ldap.conf looks similar to this:

uri ldaps://server1:636 ldaps://server2:636 ldaps://server3:636
binddn cn=ldapbinddn,o=Mycompany
bindpw youknowwhatgoeshere
ssl yes
tls_key /etc/security/ldap/newkdb/ldapclient.kdb
tls_keypw youalsoknowwhatgoeshere
sudoers_base ou=SUDOers,ou=Admin,o=Mycompany

The TLS_key and TLS_keypw are because we store our CA certs in a gsk8capicmd certitificate store, but I think you could potentially use a pem file with your necessary root certificate(s) in it. 

With this config, the tool is going to search ou=Sudoers,ou=admin,o=mycompany for sudorole objects. It doesn't search LDAP for the groups, it does a local lookup on the user to see if it's in that group.
And to reinforce Phill's comment, just the group basename. Whatever shows up for groups when you type 'id" on the command line, that's what it's going to match on. 

Sudo-ids binds as the user in the config file, not the user running sudo. Depending on how you have your auth set up, if you can't do simple auth, you may need to do some stuff with keytabs and a service principal before sudo-ids can do lookups. Check the doc and you can crank up the debug and see what it's doing. 

------------------------------
Andrew Scott

Original Message:
Sent: Wed December 11, 2024 11:37 AM
From: PANTAZIS PANTAZI
Subject: How to configure LDAP groups in SUDO

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

------------------------------
PANTAZIS PANTAZI
------------------------------

Thank you Andrew for the feedback. In our case we installed the "sudo" RPM which is binded with ldap as I have seen but I have not configured anything in the  /etc/sudo-ldap.conf as IBM support did not say that was necessary.

In your case, the sudoers group has POSIX attributes ?

Should I configure it like in your case, from the moment it has ldap as part of the rpm ?

To confirm also the the user login works fine and now just trying to resolve the sudo issue.

------------------------------
PANTAZIS PANTAZI

Original Message:
Sent: Fri December 13, 2024 10:16 AM
From: Andrew Scott
Subject: How to configure LDAP groups in SUDO

We have this working, but not with a Kerberos auth scheme, though I don't think that matters. All this stuff happens after authentication. 

We're using the sudo-ids package from the AIX Toolbox
Our /etc/sudo-ldap.conf looks similar to this:

uri ldaps://server1:636 ldaps://server2:636 ldaps://server3:636
binddn cn=ldapbinddn,o=Mycompany
bindpw youknowwhatgoeshere
ssl yes
tls_key /etc/security/ldap/newkdb/ldapclient.kdb
tls_keypw youalsoknowwhatgoeshere
sudoers_base ou=SUDOers,ou=Admin,o=Mycompany

The TLS_key and TLS_keypw are because we store our CA certs in a gsk8capicmd certitificate store, but I think you could potentially use a pem file with your necessary root certificate(s) in it. 

With this config, the tool is going to search ou=Sudoers,ou=admin,o=mycompany for sudorole objects. It doesn't search LDAP for the groups, it does a local lookup on the user to see if it's in that group.
And to reinforce Phill's comment, just the group basename. Whatever shows up for groups when you type 'id" on the command line, that's what it's going to match on. 

Sudo-ids binds as the user in the config file, not the user running sudo. Depending on how you have your auth set up, if you can't do simple auth, you may need to do some stuff with keytabs and a service principal before sudo-ids can do lookups. Check the doc and you can crank up the debug and see what it's doing. 

------------------------------
Andrew Scott

Original Message:
Sent: Wed December 11, 2024 11:37 AM
From: PANTAZIS PANTAZI
Subject: How to configure LDAP groups in SUDO

Hi Team,

I need your help in using SUDO with LDAP groups. We always get the error "sudo: you do not exist in the passwd database"when we try to use sudo with the LDAP users.

Trying to setup LDAP authentication and grant sudo access using LDAP groups and this is the first time I try this. So far the LDAP authentication works OK and user can login to AIX, however when we try use sudo we always get the error "sudo: you do not exist in the passwd database". For the authentication I have implemented KRB5LDAP module, if it makes any difference in this issue.

My SUDO config is basically the below line which was added in /etc/sudoers, and this was added based on other references I found from the web. My AD user is part of the "sudoers" AD group shown below.

%int.jcc.com.cy\GROUPS\sudoers ALL=(ALL) NOPASSWD: ALL

I even raised a case to IBM and from the truss they say that this is not even a call to the LDAP server to check for anything, so apparently either I am missing something or something wrong somewhere else.

Should I have configured something else in /etc/sudoers? Or any other config in AIX missing ?

Note: I have many other old threads about similar issues but were refering to files I could not find in AIX 7.3

Would appreciate your help.

Regards,

Pantazis

------------------------------
PANTAZIS PANTAZI
------------------------------