On Mon, Oct 16, 2017 at 5:37 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (16/10/17 15:16), Asif Iqbal wrote:
> >On Mon, Oct 16, 2017 at 1:17 PM, Asif Iqbal <vad...@gmail.com> wrote:
> >
> >>
> >> On Fri, Oct 13, 2017 at 6:26 PM, Daniel Corrigan <dancorrig...@gmail.com>
> >> wrote:
> >>
> >>> I'm wondering if you have even extended your LDAP schema for sudo. Sudo
> >>> rules must follow a proper schema in order to be valid.
> >>>
> >>
> >> I suppose I will just use local/proxy->local with sudo since IT won't add a
> >> sudo schema.
> >>
> >> Appreciate the pointer!
> >>
> >>
> >I end up using nss-pam-ldapd and have sudo pointing to pam_ldap.so which
> >works perfect.
> >
> >So looks like sudo login with ldap password work with pam_ldap.so and
> >nslcd, but sssd needs a ldap sudo schema.
> >
> >So if one does not have access to the LDAP server, pam_ldap + nslcd is the
> >only way to work since sssd won't work there.
> >
> >Did I evaluate it right or is there a workaround for sssd to work as
> >well?
> >
>
> If nss-pam-ldapd is able to provide rules from LDAP server then sssd
> is able to provide them as well. And there are not required any changes on

I am using nss-pam-ldapd for sudo authentication only. I am using local sudoers for rules. Can I use sssd instead of nss-pam-ldapd for sudo authentication only and use local sudoers file for rules?

> LDAP server.
>
> Which distribution do you use? is sudo compiled there with sssd support?
> or just with ldap?
> sudo -V | grep sss
>

Here is sudo -V output and I am using centos 7 in this case. http://dpaste.com/27GVJTC.txt

> Is nsswitch configured properly with sss?
> grep sudoers /etc/nsswitch.conf
>

[root@localhost vagrant]# grep sudoers /etc/nsswitch.conf
sudoers files sss

> @see also
> https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html

I will follow that when I am at work tomorrow. I can access the corporate LDAP server only from work.
Thanks for your help

>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?