Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


  • 1.  sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Tue May 18, 2021 08:11 AM

    Dear Team, 

    We found an error message spamming the daemon.log every time sudo is used:

    May 18 13:20:39 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
    May 18 13:20:41 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
    May 18 13:20:42 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
    May 18 13:20:44 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.

    We have now found out that sudo_ids does not seem to check the /etc/security/ldap/ldap.cfg file for further LDAP configuration.

    So we copied the following line into sudo-ldap.conf, and it seems to be the solution for us:

    netgroup_base ou=NETGROUP,ou=UNIXAUTH,ou=APPLIKATIONEN,ou=SERVICES,ou=...

    Why does sudo not use the ldap.cfg config file?

    Best regards,

    Joerg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------

    #AIXOpenSource
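    The symptom in post 1 has a recognisable signature: the netgroup filter in the failed search carries an empty cn, which is what a client emits when it has no netgroup base configured. The following is an added example (not from the thread, and not part of IBM's sudo or secldapclntd) that counts those empty-cn failures in daemon.log text and checks whether a sudo-ldap.conf contains an active netgroup_base line. The log lines are constructed from the messages quoted above; the config path /etc/sudo-ldap.conf is assumed from the "sudo -V" output given later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect the empty-cn netgroup search failure
# in daemon.log and check a sudo-ldap.conf for a netgroup_base line.
# The sample log lines are constructed from the messages quoted in the thread;
# the last line (cn=admins) is a constructed contrast case and is NOT counted.

SAMPLE_LOG='May 18 13:20:39 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
May 18 13:20:41 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
May 18 13:20:42 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=))) from the LDAP server.
May 18 13:21:05 svrpnim daemon:warn|warning secldapclntd: 3001-718 Failed to search (&(objectclass=nisnetgroup)(cn=admins))) from the LDAP server.'

# Count 3001-718 failures whose netgroup filter has an EMPTY cn, i.e. "(cn=))".
# A failure for a named netgroup (cn=admins) is a different problem and is skipped.
# Reads log text on stdin and prints the count (0 when nothing matches).
count_empty_netgroup_searches() {
    awk '/secldapclntd: 3001-718/ && /\(objectclass=nisnetgroup\)\(cn=\)\)/ { n++ }
         END { print n + 0 }'
}

# True (exit 0) if the file $1 contains a non-commented netgroup_base line
# with a value after the keyword.
has_netgroup_base() {
    grep -Eq '^[[:space:]]*netgroup_base[[:space:]]+[^[:space:]]' "$1"
}

# Stand-alone run: report the count for the constructed sample, then check the
# assumed config path. A missing or unreadable file is reported, not treated as an error.
n=$(printf '%s\n' "$SAMPLE_LOG" | count_empty_netgroup_searches)
echo "empty-cn netgroup search failures in sample: $n"
if has_netgroup_base /etc/sudo-ldap.conf 2>/dev/null; then
    echo "/etc/sudo-ldap.conf: netgroup_base present"
else
    echo "/etc/sudo-ldap.conf: netgroup_base missing or file unreadable"
fi
```

Run it against a real log with `count_empty_netgroup_searches < /var/log/daemon.log` (or wherever syslog writes daemon.warn on the host); a non-zero count together with a missing netgroup_base line points at the configuration gap described in the post rather than at the LDAP server.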


  • 2.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Wed May 19, 2021 01:33 AM
    Thank you Joerg for reporting the issue.
    We will look into it.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Wed May 19, 2021 02:17 AM
    sudo generally doesn't use the ldap.cfg file. That is how it is built.
    You can see the configure options by invoking "sudo -V".
    .....
    ldap.conf path: /etc/sudo-ldap.conf
    .....

    You may want to look into the doc --> https://www.sudo.ws/man/1.8.17/sudoers.ldap.man.html#Configuring_ldap.conf

    ------------------------------
    Ayappan P
    ------------------------------



  • 4.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Wed May 19, 2021 07:46 AM
    Thanks Ayappan for the clarification. So, we will configure sudo-ldap.conf that way...
    Thanks for your time and support.

    Best regards,
    Joerg

    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 5.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Fri May 21, 2021 03:11 AM

    Dear Ayappan,

    May I come back to you with another question?
    The link you sent also describes how to encrypt the LDAP password.

     secret

    BINDPW base64:dGVzdA==

    Unfortunately it is not working.
    We tried:

    echo "passw0rd" | openssl enc -base64

    and also

    secldapclnt -e passw0rd

    Is there any way to encrypt the password for sudo_ids?

    Many thanks again for your support...

    Best regards,
    Joerg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 6.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Fri May 21, 2021 04:30 AM

    Found my mistake...

    It must be:

    echo -n 'passw0rd' | base64

    But maybe you or someone else here can help me understand what the difference is between:

    binddn and rootbinddn

    It cannot only be the way the password is stored for rootbinddn in /etc/ldap.secret.

    Many thanks in advance...



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------
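    Posts 5 and 6 turn on a one-byte difference: `echo` appends a newline, so the first attempt encoded "passw0rd\n" rather than "passw0rd", and the bind was tried with the wrong secret. The following added example (not from the thread, and not part of sudo or its documentation) shows the correct encoding for the `BINDPW base64:` form, reproduces the mistaken one for comparison, and verifies a value before it is deployed. It assumes coreutils `base64` and `openssl` are on the path; the passwords are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): produce and verify the base64 value used in
# the "BINDPW base64:<value>" line of sudo-ldap.conf.
# Assumptions: coreutils base64 and openssl are available; sample passwords are constructed.

# Correct form: printf '%s' emits exactly the bytes of the password, no trailing newline.
# tr removes the line wrapping some base64 implementations add to long output.
encode_bindpw() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The mistaken form from the thread: echo appends "\n", so the newline becomes part
# of the encoded secret and the LDAP bind is attempted with "passw0rd\n".
encode_bindpw_with_newline() {
    echo "$1" | openssl enc -base64 | tr -d '\n'
}

# Verify that base64 value $2 encodes exactly password $1 (exit 0 on match).
# The check re-encodes rather than decodes and compares: "$(...)" strips trailing
# newlines, so a decode-and-compare would wrongly accept the newline-tainted value.
verify_bindpw() {
    [ "$(encode_bindpw "$1")" = "$2" ]
}

# Render the configuration line as it should appear in sudo-ldap.conf.
render_bindpw_line() {
    printf 'BINDPW base64:%s\n' "$(encode_bindpw "$1")"
}

# Stand-alone run with the constructed sample password.
echo "correct : $(encode_bindpw passw0rd)"
echo "with \\n : $(encode_bindpw_with_newline passw0rd)"
render_bindpw_line passw0rd
```

Because base64 is an encoding and not encryption, the file that carries the BINDPW line still holds the bind credential in recoverable form; keep sudo-ldap.conf readable by root only, exactly as you would a plaintext bind password.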



  • 7.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Tue May 25, 2021 05:29 AM

    Dear Ayappan,

    I have to come back to you again...

    May I ask why you decided to create the sudo-ldap.conf instead of using the ldap.cfg? In the Linux world sudo is using the standard LDAP configuration file, which is ldap.conf...

    Thanks in advance for your time and explanation...

    Best regards,

    Joerg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 8.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Tue May 25, 2021 09:43 AM
    We won't decide anything by ourselves. We follow the Linux world.
    I see recent Ubuntu & RHEL use /etc/sudo-ldap.conf. What is the Linux world you are talking about?

    ------------------------------
    Ayappan P
    ------------------------------



  • 9.  RE: sudo_ids with IBM LDAP 6.4 shows errors in daemon.log

    Posted Tue May 25, 2021 10:02 AM

    Hello Ayappan,

    Thanks for your quick reply. We are using SLES 12 & 15 in our environment, and here sudo is using the ldap.conf file; that's why I was asking.

    It's clear now. Thanks for your explanation.

    Best regards,

    Joerg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------