I am trying to set up a CentOS 8 workstation to authenticate against a LDAP server run by a Synology DiskStation. I have been able to successfully configure SSSD to authenticate users against the server, allowing me to login using my LDAP account. However, I am having trouble getting it to grant sudo privileges. Here's my /etc/sssd/sssd.conf file:
[domain/lab.university.edu]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://00.000.00.00
ldap_search_base=dc=lab,dc=university,dc=edu
ldap_sudo_search_base=dc=lab,dc=university,dc=edu
ldap_group_search_base=dc=lab,dc=university,dc=edu
ldap_schema = rfc2307bis
ldap_auth_disable_tls_never_use_in_production = True
cache_credentials = false
use_fully_qualified_names = False
debug_level = 0x3ff0
[sssd]
config_file_version = 2
services = nss,pam,sudo
domains = lab.university.edu
debug_level = 0x3ff0
[nss]
[pam]
[sudo]
To make sure all changes have been applied, I have also run:
sudo authselect select sssd with-mkhomedir with-sudo && sudo systemctl restart sssd.service && sudo sss_cache -E
However, I still cannot seem to grant LDAP accounts sudo privileges. I'm wondering if this might potentially have to do with the LDAP user ID/group ID being numbered differently than local accounts. I'm not the one who set up LDAP, but the person who did so explained it was necessary to get everything working. When I type id ldap_user, I get the following:
uid=1000002(ldap_user) gid=1000001(users) groups=1000001(users),1000003(sudo),1000000(Directory Operators),2097150(Directory Consumers),1000002(administrators),2097149(Directory Clients)
Could it be possible that the sudo group isn't getting recognized as valid due to the weird ID numbers?
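A quick offline check of the group-to-sudoers mapping, added here as an example and not part of the question or of SSSD itself. With sudo_provider = ldap, SSSD fetches sudoRole entries from the directory; membership in a group literally named sudo only grants anything if a %sudo rule exists in /etc/sudoers or /etc/sudoers.d. The script below takes the `id` output from the question and a constructed sudoers excerpt resembling the CentOS default (which grants %wheel, not %sudo), and reports which of the user's groups actually have an active %group rule. Group matching in sudoers is by name, so the large GID values themselves do not affect this; the sample sudoers content and the function names are assumptions for the illustration.

```shell
#!/bin/sh
# Constructed sample input: the `id ldap_user` line from the question.
ID_OUTPUT='uid=1000002(ldap_user) gid=1000001(users) groups=1000001(users),1000003(sudo),1000000(Directory Operators),2097150(Directory Consumers),1000002(administrators),2097149(Directory Clients)'

# Constructed sudoers excerpt in the style of the CentOS default: %wheel is
# granted, the NOPASSWD variant is commented out, and there is no %sudo rule.
SUDOERS_SAMPLE='## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# user_groups: print the group names from an `id` line, one per line.
# Handles names containing spaces such as "Directory Operators".
user_groups() {
  printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
    | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# sudoers_groups: print the group names that have an active (uncommented)
# %group rule in the given sudoers text, one per line.
sudoers_groups() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*%\([^[:space:]]*\).*/\1/p'
}

# granting_groups: the user's groups that sudoers explicitly grants.
# Arguments: $1 = `id` output, $2 = sudoers text.
granting_groups() {
  ug=$(user_groups "$1")
  sg=$(sudoers_groups "$2")
  printf '%s\n' "$ug" | while IFS= read -r g; do
    if printf '%s\n' "$sg" | grep -qxF "$g"; then
      printf '%s\n' "$g"
    fi
  done
}

# report: human-readable summary for an `id` line and a sudoers text.
report() {
  found=$(granting_groups "$1" "$2")
  if [ -n "$found" ]; then
    printf 'sudoers grants access via group(s): %s\n' "$found"
  else
    printf 'none of the user groups has an active %%group rule in sudoers\n'
  fi
}

report "$ID_OUTPUT" "$SUDOERS_SAMPLE"
```

On a real host the same functions can be fed `id "$user"` and `sudo cat /etc/sudoers /etc/sudoers.d/*`; an empty result from granting_groups means any sudo access for that user has to come from sudoRole entries served through SSSD, which `sudo -l -U "$user"` will list if the sudo responder is resolving them.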