Bug 835515

Summary: [Doc] Sudo client configuration part requires modification.
Product: Red Hat Enterprise Linux 6
Reporter: Najmuddin Chirammal <nc>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: medium
Version: 6.2
CC: jskeoch, mkosek, pdemmers, yjog
Target Milestone: rc
Keywords: Documentation
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-03-01 00:32:35 UTC

Description Najmuddin Chirammal 2012-06-26 11:39:59 UTC
Description of problem:
From : 13.1.1. General sudo Configuration in Identity Management

Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/nslcd.conf. (The /etc/nslcd.conf file is created by the nss-pam-ldapd package. However, if nss-pam-ldapd is not installed, then the /etc/nslcd.conf file can be created manually.)

With the release of RHEL6.3, sudo configuration needs to be in /etc/sudo-ldap.conf (not nslcd.conf).

Refer: https://bugzilla.redhat.com/show_bug.cgi?id=760843

Additional info: Technical notes from the above bug report.

Cause:
Sudo used the /etc/nslcd.conf for configuring the LDAP sudoers sources but the script parsing of this file by the nslcd daemon caused it to terminate when it encountered a sudo specific keyword. 

Consequence:
No proper way to have both the nslcd daemon running and the LDAP sudoers sources configured.

Fix:
Sudo now uses a separate file, /etc/sudo-ldap.conf, for configuring LDAP sudoers sources.

Result:
Sudo uses its own file for configuring the sudoers LDAP source and does not interfere with any other program.

Comment 1 Najmuddin Chirammal 2012-06-26 12:48:35 UTC
Also in section, 13.4.2. Client Configuration for sudo Rules

Enable debug logging for sudo operations in the /etc/ldap.conf file. If this file does not exist, it can be created.

vim /etc/ldap.conf
sudoers_debug: 1


It should be /etc/sudo-ldap.conf.

Also there are many instances of /etc/nslcd.conf for sudo configuration, please replace them with /etc/sudo-ldap.conf 


Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 6.3 (sudo 1.7.4p5-8 or newer)

Comment 2 Pieter Demmers 2012-08-24 01:36:44 UTC
As the sudo ldap.conf file changes depending on the version you have, I would suggest adding the following so that the user can verify the correct location:

# sudo -V | grep "^ldap.conf"

The list of different files (that I have recorded) are:

RHEL 6.0: sudo-1.7.2p2-9.el6
# sudo -V | egrep "version|^ldap.conf"
Sudo version 1.7.2p2
ldap.conf path: /etc/ldap.conf

RHEL6.1: sudo-1.7.4p5-5.el6
Sudo version 1.7.4p5
ldap.conf path: /etc/nss_ldap.conf

RHEL6.2: sudo-1.7.4p5-7.el6
Sudo version 1.7.4p5
ldap.conf path: /etc/nslcd.conf

RHEL6.3: sudo-1.7.4p5-13.el6_3.x86_64
Sudo version 1.7.4p5
ldap.conf path: /etc/sudo-ldap.conf

This also needs to be updated in the v5 documentation:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html-single/Configuring_Identity_Management/index.html#Setting_up_sudo_Rules-Client_Configuration_for_sudo_Rules

(Step 4) as the latest file is /etc/ldap.conf not nss_ldap.conf for sudo-1.7.2p1-13.el5 on RHEL 5.8. (Let me know if a separate BZ needs to be raised for this).
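The check suggested in comment 2 can be turned into a small script that reads the active path from `sudo -V` and then confirms that sudo directives such as `sudoers_debug` live in that file rather than in one of the older locations listed above. This is an added example, not part of the bug report or the Red Hat documentation; the `sudo -V` output and the temp files in `demo` are constructed stand-ins for the real /etc paths.

```sh
#!/bin/sh
# Added example: find the LDAP config file the installed sudo actually reads
# and verify that sudo-specific directives sit there, not in a stale file such
# as /etc/nslcd.conf (which nslcd rejects, per the Cause quoted in this bug).

# Print the ldap.conf path from `sudo -V` output read on stdin.
# Real use:  sudo -V | sudo_ldap_conf_path
sudo_ldap_conf_path() {
    sed -n 's/^ldap\.conf path:[[:space:]]*//p' | head -n 1
}

# Print where a directive ($2) is set: "ok" if in the active file ($1),
# "stale" if it is only in one of the older locations ($3...), otherwise
# "missing". Returns non-zero unless "ok".
locate_directive() {
    active=$1; key=$2; shift 2
    pattern="^[[:space:]]*${key}([[:space:]:=]|\$)"
    if [ -r "$active" ] && grep -Eqi "$pattern" "$active"; then
        echo ok; return 0
    fi
    for old in "$@"; do
        if [ -r "$old" ] && grep -Eqi "$pattern" "$old"; then
            echo stale; return 1
        fi
    done
    echo missing; return 1
}

# Constructed demonstration: a RHEL 6.3-style `sudo -V` banner and temp files
# standing in for /etc/nslcd.conf (pre-6.3) and /etc/sudo-ldap.conf (6.3).
demo() {
    sample='Sudo version 1.7.4p5
ldap.conf path: /etc/sudo-ldap.conf'
    echo "$sample" | sudo_ldap_conf_path
    dir=$(mktemp -d)
    printf 'sudoers_debug: 1\n' > "$dir/nslcd.conf"   # left over from the old docs
    : > "$dir/sudo-ldap.conf"                          # active file, directive absent
    locate_directive "$dir/sudo-ldap.conf" sudoers_debug "$dir/nslcd.conf" || :
    rm -rf "$dir"
}

demo
```

Because sudo-ldap.conf carries the bind password for the uid=sudo system account, the file it points at should be readable only by root.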

Comment 4 Deon Ballard 2013-03-01 00:32:35 UTC
Mass closure.