What am I missing when setting up sudo access with OpenLDAP?

I am using lxd/lxc containers (Oracle Linux 8) to deploy the environment quickly (so if you already have lxd set up, you can change the IP scheme to match lxd's bridge subnet/DNS and paste the code into separate lxc containers).

I can authenticate as the test user "adam", but when I try to set up sudo for adam it tells me

adam may not run sudo on <hostname>

As far as I can tell, I have configured everything correctly for [sudo].

LDAP: https://www.server-world.info/en/note?os=CentOS_7&p=openldap and https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

SSSD: https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/

sudo: https://kifarunix.com/how-to-configure-sudo-via-openldap-server/

LDAP container

lxc stop ldapmaster --force; lxc delete ldapmaster; lxc launch images:oracle/8/amd64 ldapmaster; lxc exec ldapmaster passwd; lxc console ldapmaster

Paste into the LDAP container

ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1


cat  <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$LDAPMASTERIP
NETMASK=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF

ifdown eth0

ifup eth0

cat  <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

EOF

cat  <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF

cat  <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

EOF

echo "10.175.235.220 $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts

#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man openssl hostname sssd-tools openssh-server nss-pam-ldapd nano --nobest

cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yes
uri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF

updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
systemctl enable --now sshd
systemctl enable --now slapd 

cat <<EOF > chrootpw.ldif 
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)
EOF

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/ldapserver.key -out /etc/pki/tls/ldapserver.crt -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$ldaphostname"

chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}

cat > add-tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
EOL

cat <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=$domain,dc=$suffix
URI     ldaps://$ldaphostname:636
#ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/ldapserver.crt

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF

cat << 'EOF' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOF

cp /usr/share/doc/sudo/schema.OpenLDAP  /etc/openldap/schema/sudo.schema

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

mkdir /var/lib/openldap
chown ldap. /var/lib/openldap

cat > rootdn.ldif << EOL
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
OlcDbMaxSize: 42949672960
olcSuffix: dc=$domain,dc=$suffix
olcRootDN: cn=Manager,dc=$domain,dc=$suffix
olcRootPW: secret
olcDbDirectory: /var/lib/openldap
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
EOL

ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif


cat <<EOF > chdomain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=$domain,dc=$suffix" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=$domain,dc=$suffix

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=$domain,dc=$suffix

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=$domain,dc=$suffix" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=$domain,dc=$suffix" write by * read
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
  by self write
  by anonymous auth
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
  by dn.subtree="ou=System,dc=$domain,dc=$suffix" read
  by * none
olcAccess: to dn.subtree="ou=System,dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * none
olcAccess: to dn.subtree="dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by users read 
  by * none
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=$domain,dc=$suffix
objectClass: top
objectClass: dcObject
objectclass: organization
o: $domain $suffix
dc: $domain

dn: cn=Manager,dc=$domain,dc=$suffix
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=System,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: System

dn: ou=Users,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Groups

EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f basedomain.ldif

systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service={ldap,ldaps} --permanent 
firewall-cmd --reload

cat <<EOF > sudoersou.ldif
dn: ou=SUDOers,dc=$domain,dc=$suffix
objectClass: organizationalUnit
ou: SUDOers
description: $domain-$suffix LDAP SUDO Entry
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoersou.ldif

cat <<EOF > users_n_groups.ldif

dn: cn=readonly,ou=System,dc=$domain,dc=$suffix
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: $(slappasswd -s $binddnpw)
description: Bind DN user for LDAP Operations

dn: uid=adam,ou=Users,dc=$domain,dc=$suffix
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: $(slappasswd -s $userpw)
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w $olcRootPW -D "cn=Manager,dc=$domain,dc=$suffix" -f users_n_groups.ldif

#cvtsudoers -b ou=SUDOers,dc=$domain,dc=$suffix -o sudoers.ldif /etc/sudoers

cat <<EOF > sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoers.ldif

cat <<EOF > indsudoers.ldif
dn: cn=sudo,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOF

ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f indsudoers.ldif

#ldappasswd -s $olcRootPW -w $userpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "uid=adam,ou=Users,dc=$domain,dc=$suffix"

#ldappasswd -s $olcRootPW -w $binddnpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "cn=readonly,ou=System,dc=$domain,dc=$suffix"

SSSD container

lxc stop ldap-sssd-try2 --force; lxc delete ldap-sssd-try2; lxc launch images:oracle/8/amd64 ldap-sssd-try2; lxc exec ldap-sssd-try2 passwd; lxc console ldap-sssd-try2;

Paste into the SSSD container

ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1

cat  <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$SSSDIP
NETMASK=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF

ifdown eth0

ifup eth0

cat  <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF

cat  <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF

cat  <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF

echo "10.175.235.220  $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts

yum install -y hostname openssh-server nmap openssl sssd sssd-tools oddjob-mkhomedir authselect openldap-clients openldap-servers sssd-tools nss-pam-ldapd bind-utils nano mlocate --nobest

systemctl enable --now sshd

cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yes
uri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF

cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/LDAP]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=$domain,dc=$suffix
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://$ldaphostname:636
ldap_chpass_uri = ldaps://$ldaphostname:636
#ldap_default_bind_dn = cn=Manager,dc=$domain,dc=$suffix
#ldap_default_authtok = $olcRootPW
ldap_default_bind_dn = cn=readonly,ou=System,dc=$domain,dc=$suffix
#doesn't seem to matter if I use mapldap_default_authtok_type
#mapldap_default_authtok_type = password
ldap_default_authtok = $binddnpw
ldap_user_search_base = ou=Users,DC=$domain,DC=$suffix
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,DC=$domain,DC=$suffix
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF

authselect select sssd --force

chown -R root: /etc/sssd

chmod 600 -R /etc/sssd

systemctl enable --now sssd

cat  <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=$domain,dc=$suffix
URI     ldaps://$ldaphostname:636
#SUDOers_BASE    ou=SUDOers,dc=ldapmaster,dc=ldapmaster,dc=com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT      /etc/pki/tls/cacert.crt

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF

openssl s_client -connect $ldaphostname:636 < /dev/null -showcerts | openssl x509 -text | sed -ne '
   /-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p      # got the range, ok
   /-END CERTIFICATE-/q                            # bailing out soon as the cert end seen
' > /etc/pki/tls/cacert.crt

echo "sudoers : ldap files" >> /etc/nsswitch.conf

systemctl restart sssd

systemctl enable --now oddjobd

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

systemctl restart oddjobd

If I query with ldapsearch

domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix

ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -W -x adam

I get

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: adam
#

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com

# adam, SUDOers, example.com
dn: cn=adam,ou=SUDOers,dc=example,dc=com

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

If I run

domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix

ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -w 1234 -x

I get

# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers
description: example-com LDAP SUDO Entry

# sudo, SUDOers, example.com
dn: cn=sudo,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
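A way to sanity-check the sudoRole entries before going near the client, as an added example that is not part of the question or of the tutorials it links: it parses LDIF such as the sudoers.ldif and indsudoers.ldif above, validates each entry against the attribute list of the sudo schema the question loads, and works out which rules would apply to a given user on a given host. Only the simple sudoUser/sudoHost forms from sudoers.ldap(5) are modelled (plain name, %group, #uid, ALL); netgroups, address/netmask hosts and '!' negation are not, so it is a first check rather than a re-implementation of sudo's matching. The sample LDIF is constructed from the question's entries with dc=example,dc=com filled in, plus a hypothetical cn=broken entry that forgot sudoHost.

```python
# Added example (not code from the question or its linked tutorials): parse and
# validate sudoRole LDIF, then evaluate which rules apply to a user on a host.
# Simplified matching: name, %group, #uid and ALL only; netgroups, CIDR hosts
# and '!' negation from sudoers.ldap(5) are not modelled.

# cn is MUST for sudoRole; the rest is the MAY list of the schema in the question.
SUDO_ROLE_ATTRS = {"cn", "objectclass", "sudouser", "sudohost", "sudocommand",
                   "sudorunas", "sudorunasuser", "sudorunasgroup", "sudooption",
                   "description"}

def parse_ldif(text):
    """LDIF text -> list of {'dn': str, <attr>: [values]}. Attribute names are
    lower-cased (LDAP compares them case-insensitively); folded continuation
    lines (leading space) and '#' comment lines are handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                         # sentinel flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")       # split at the first colon only
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                current = {"dn": value}
            elif current is not None:
                current.setdefault(key, []).append(value)
    return entries

def is_sudo_role(entry):
    return "sudorole" in {c.lower() for c in entry.get("objectclass", [])}

def validate_role(entry):
    """Problems found in one sudoRole entry; an empty list means it looks fine."""
    problems = []
    if not is_sudo_role(entry):
        problems.append("objectClass sudoRole missing")
    if not entry.get("cn"):
        problems.append("cn is MUST for sudoRole")
    problems += [f"{k} is not a sudoRole attribute" for k in entry
                 if k != "dn" and k not in SUDO_ROLE_ATTRS]
    if entry.get("cn") != ["defaults"]:               # cn=defaults only carries sudoOption
        problems += [f"{a} absent: rule can never match"
                     for a in ("sudouser", "sudohost", "sudocommand")
                     if not entry.get(a)]
    return problems

def user_matches(spec, user, uid, groups):
    """One sudoUser value against the invoking user."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in groups
    if spec.startswith("#"):
        return spec[1:] == str(uid)
    return not spec.startswith("+") and spec == user  # +netgroup not modelled

def host_matches(spec, host, fqdn):
    """One sudoHost value against the client host (short name or FQDN)."""
    return spec == "ALL" or spec in (host, fqdn)      # +netgroup / CIDR not modelled

def applicable_rules(entries, user, uid, groups, host, fqdn):
    """DNs of sudoRole entries whose sudoUser and sudoHost both match."""
    return [e["dn"] for e in entries
            if is_sudo_role(e) and e.get("cn") != ["defaults"]
            and any(user_matches(s, user, uid, groups) for s in e.get("sudouser", []))
            and any(host_matches(s, host, fqdn) for s in e.get("sudohost", []))]

# Constructed sample: the question's cn=defaults and cn=sudo entries with
# dc=example,dc=com filled in, plus a hypothetical cn=broken lacking sudoHost.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=sudo,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: broken
sudoUser: %wheel
sudoCommand: ALL
"""

def report(ldif_text=SAMPLE_LDIF):
    """Validation findings per DN for the sample (or any other) LDIF text."""
    return {e["dn"]: validate_role(e) for e in parse_ldif(ldif_text)}
```

Running `report()` returns an empty problem list for cn=defaults and cn=sudo and flags cn=broken, and `applicable_rules(parse_ldif(SAMPLE_LDIF), "adam", 16859, ["users"], "ldap-sssd-try2", "ldap-sssd-try2.example.com")` returns only the cn=sudo DN. Note that this tells you the directory side is coherent; it says nothing about whether the client ever asks the directory, which is where the question's setup actually failed.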

Answer 1

The problem was an extra space in /etc/nsswitch.conf

echo "sudoers: ldap files sss" >> /etc/nsswitch.conf

Once that was corrected, it was also necessary to install

libsss_sudo
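Why the stray space matters, as an added example that is not part of the answer above: sudo does not ask glibc which sources serve the sudoers database; it reads /etc/nsswitch.conf itself and only honours lines that begin with the literal "sudoers:" (compared case-insensitively), falling back to "files" when no such line exists. So "sudoers : ldap files" is silently ignored and sudo only ever consults /etc/sudoers, which is exactly "adam may not run sudo". The functions below model that lookup (action tokens such as [NOTFOUND=return] are skipped, which is a simplification) and lint the file for the two things that went wrong in the question: the space before the colon and the missing `sss` source. The sample lines are constructed from the question's `echo` and the answer's replacement.

```python
# Added example (not from the answer). Models how sudo selects sudoers sources
# from /etc/nsswitch.conf: only lines starting with the literal "sudoers:" count,
# and "files" is the fallback. Action tokens like [NOTFOUND=return] are ignored
# here, which is a simplification of sudo's real parser.

SUDO_KNOWN_SOURCES = ("files", "ldap", "sss")   # backends sudo's parser recognises

def sudoers_sources(nsswitch_text):
    """Ordered, de-duplicated list of sudoers sources sudo would use."""
    sources = []
    for raw in nsswitch_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("sudoers:"):   # strict prefix: "sudoers :" is skipped
            continue
        for tok in line[len("sudoers:"):].split():
            tok = tok.lower()
            if tok in SUDO_KNOWN_SOURCES and tok not in sources:
                sources.append(tok)
    return sources or ["files"]                       # no usable line -> /etc/sudoers only

def lint_nsswitch(nsswitch_text, sssd_handles_sudo=True):
    """Findings a reviewer would raise about the sudoers line(s)."""
    findings, matched = [], 0
    for n, raw in enumerate(nsswitch_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or not line.lower().startswith("sudoers"):
            continue
        if not line.lower().startswith("sudoers:"):
            findings.append(f"line {n}: space before ':' means sudo ignores it: {line!r}")
            continue
        matched += 1
    if matched > 1:
        findings.append("more than one 'sudoers:' line; keep a single line")
    if sssd_handles_sudo and "sss" not in sudoers_sources(nsswitch_text):
        findings.append("'sss' missing: SSSD's sudo responder is never consulted")
    return findings

# Constructed samples: what the question appended, and what the answer replaced it with.
BROKEN = "passwd:     sss files systemd\nsudoers : ldap files\n"
FIXED  = "passwd:     sss files systemd\nsudoers: ldap files sss\n"
```

`sudoers_sources(BROKEN)` returns `['files']` and `sudoers_sources(FIXED)` returns `['ldap', 'files', 'sss']`; `lint_nsswitch(BROKEN)` reports both the space and the missing `sss`. Because the question and the answer both append with `>>`, a real file may end up with both lines, which the linter also flags. The `sss` source is only useful once the answer's libsss_sudo package is present, since that is the library sudo loads for it.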
