I'm using lxd/lxc containers (Oracle Linux 8) to rapidly deploy the environment (so if you have lxd setup, you can modify the ip scheme to match lxd's bridge subnet / DNS and then paste the code into separate lxc containers).
I can authenticate as my test user "adam", but when I attempt to setup sudo for adam it tells me
adam may not run sudo on <hostname>
As far as I can tell, I have everything configured correctly [for sudo].
LDAP: https://www.server-world.info/en/note?os=CentOS_7&p=openldap / https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/
SSSD: https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/
SUDO: https://kifarunix.com/how-to-configure-sudo-via-openldap-server/
LDAP Container
lxc stop ldapmaster --force; lxc delete ldapmaster; lxc launch images:oracle/8/amd64 ldapmaster; lxc exec ldapmaster passwd; lxc console ldapmaster
paste into LDAP container
ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$LDAPMASTERIP
NETMASKIP=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF
ifdown eth0
ifup eth0
cat <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF
cat <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF
cat <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF
echo "10.175.235.220 $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts
#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man openssl hostname sssd-tools openssh-server nss-pam-ldapd nano --nobest
cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yesuri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG
systemctl enable --now sshd
systemctl enable --now slapd
cat <<EOF > chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)
EOF
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/ldapserver.key -out /etc/pki/tls/ldapserver.crt -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$ldaphostname"
chown ldap:ldap /etc/pki/tls/{ldapserver.crt,ldapserver.key}
cat > add-tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
EOL
cat <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=$domain,dc=$suffix
URI ldaps://$ldaphostname:636
#ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
TLS_CACERT /etc/pki/tls/ldapserver.crt
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF
cat << 'EOF' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
EOF
cp /usr/share/doc/sudo/schema.OpenLDAP /etc/openldap/schema/sudo.schema
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
mkdir /var/lib/openldap
chown ldap. /var/lib/openldap
cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
OlcDbMaxSize: 42949672960
olcSuffix: dc=$domain,dc=$suffix
olcRootDN: cn=Manager,dc=$domain,dc=$suffix
olcRootPW: secret
olcDbDirectory: /var/lib/openldap
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=$domain,dc=$suffix" read by * none
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=$domain,dc=$suffix
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=$domain,dc=$suffix
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $(slappasswd -s $olcRootPW)
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=$domain,dc=$suffix" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=$domain,dc=$suffix" write by * read
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
by self write
by anonymous auth
by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.subtree="ou=System,dc=$domain,dc=$suffix" read
by * none
olcAccess: to dn.subtree="ou=System,dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
olcAccess: to dn.subtree="dc=$domain,dc=$suffix" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by users read
by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section
dn: dc=$domain,dc=$suffix
objectClass: top
objectClass: dcObject
objectclass: organization
o: $domain $suffix
dc: $domain
dn: cn=Manager,dc=$domain,dc=$suffix
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=System,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: System
dn: ou=Users,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Users
dn: ou=Groups,dc=$domain,dc=$suffix
objectClass: organizationalUnit
objectClass: top
ou: Groups
EOF
ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f basedomain.ldif
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service={ldap,ldaps} --permanent
firewall-cmd --reload
cat <<EOF > sudoersou.ldif
dn: ou=SUDOers,dc=$domain,dc=$suffix
objectClass: organizationalUnit
ou: SUDOers
description: $domain-$suffix LDAP SUDO Entry
EOF
ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoersou.ldif
cat <<EOF > users_n_groups.ldif
dn: cn=readonly,ou=System,dc=$domain,dc=$suffix
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: $(slappasswd -s $binddnpw)
description: Bind DN user for LDAP Operations
dn: uid=adam,ou=Users,dc=$domain,dc=$suffix
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: $(slappasswd -s $userpw)
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w $olcRootPW -D "cn=Manager,dc=$domain,dc=$suffix" -f users_n_groups.ldif
#cvtsudoers -b ou=SUDOers,dc=$domain,dc=$suffix -o sudoers.ldif /etc/sudoers
cat <<EOF > sudoers.ldif
dn: cn=defaults,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
EOF
ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f sudoers.ldif
cat <<EOF > indsudoers.ldif
dn: cn=sudo,ou=SUDOers,dc=$domain,dc=$suffix
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOF
ldapadd -x -w $olcRootPW -D cn=Manager,dc=$domain,dc=$suffix -f indsudoers.ldif
#ldappasswd -s $olcRootPW -w $userpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "uid=adam,ou=Users,dc=$domain,dc=$suffix"
#ldappasswd -s $olcRootPW -w $binddnpw -D "cn=Manager,dc=$domain,dc=$suffix" -x "cn=readonly,ou=System,dc=$domain,dc=$suffix"
SSSD Container
lxc stop ldap-sssd-try2 --force; lxc delete ldap-sssd-try2; lxc launch images:oracle/8/amd64 ldap-sssd-try2; lxc exec ldap-sssd-try2 passwd; lxc console ldap-sssd-try2;
paste into SSSD container
ldaphostname="ldapmaster"
domain="example"
suffix="com"
olcRootPW=1234
userpw=1234
binddnpw=1234
mgrpw=1234
DNS1=192.168.3.1
DNS2=192.168.3.2
LDAPMASTERIP=10.175.235.220
SSSDIP=10.175.235.210
NETMASKIP=255.255.255.0
GATEWAYIP=10.175.235.1
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=$SSSDIP
NETMASKIP=$NETMASKIP
GATEWAY=$GATEWAYIP
DNS1=$DNS1
DNS2=$DNS2
ONBOOT=yes
HOSTNAME=`cat /proc/sys/kernel/hostname`
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`cat /proc/sys/kernel/hostname`
IPV6INIT=yes
EOF
ifdown eth0
ifup eth0
cat <<EOF > /etc/yum.repos.d/appstream.repo
[appstream]
name=Oracle Linux
baseurl=http://yum.oracle.com/repo/OracleLinux/OL8/appstream/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF
cat <<EOF > /etc/yum.repos.d/base.repo
[base]
name=Oracle Linux
baseurl=https://yum.oracle.com/repo/OracleLinux/OL8/3/baseos/base/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
proxy=http://www-proxy.web.boeing.com:31060
EOF
cat <<EOF > /etc/yum.repos.d/powertools.repo
[powertools]
name=Oracle Linux
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL8/codeready/builder/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
EOF
echo "10.175.235.220 $ldaphostname $ldaphostname.$domain.$suffix" >> /etc/hosts
yum install -y hostname openssh-server nmap openssl sssd sssd-tools oddjob-mkhomedir authselect openldap-clients openldap-servers sssd-tools nss-pam-ldapd bind-utils nano mlocate --nobest
systemctl enable --now sshd
cat <<EOF > /etc/sudo-ldap.conf
binddn cn=Manager,dc=$domain,dc=$suffix
bindpw 1234
ssl start_tls
tls_cacertfile = /etc/pki/tls/cacert.crt
sudoers_base = ou=SUDOers,DC=$domain,DC=$suffix
tls_checkpeer yesuri ldaps://$ldaphostname:636
bind_timelimit 5
timelimit 15
EOF
cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = LDAP
[sudo]
[nss]
[pam]
offline_credentials_expiration = 60
[domain/LDAP]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=$domain,dc=$suffix
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://$ldaphostname:636
ldap_chpass_uri = ldaps://$ldaphostname:636
#ldap_default_bind_dn = cn=Manager,dc=$domain,dc=$suffix
#ldap_default_authtok = $olcRootPW
ldap_default_bind_dn = cn=readonly,ou=System,dc=$domain,dc=$suffix
#doesn't seem to matter if I use mapldap_default_authtok_type
#mapldap_default_authtok_type = password
ldap_default_authtok = $binddnpw
ldap_user_search_base = ou=Users,DC=$domain,DC=$suffix
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,DC=$domain,DC=$suffix
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF
authselect select sssd --force
chown -R root: /etc/sssd
chmod 600 -R /etc/sssd
systemctl enable --now sssd
cat <<EOF > /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be $suffix readable but not $suffix writable.
BASE dc=$domain,dc=$suffix
URI ldaps://$ldaphostname:636
#SUDOers_BASE ou=SUDOers,dc=ldapmaster,dc=ldapmaster,dc=com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
TLS_CACERT /etc/pki/tls/cacert.crt
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
sudoers_base ou=SUDOers,dc=$domain,dc=$suffix
SUDOERS_DEBUG 1
EOF
openssl s_client -connect $ldaphostname:636 < /dev/null -showcerts | openssl x509 -text | sed -ne '
/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p # got the range, ok
/-END CERTIFICATE-/q # bailing out soon as the cert end seen
' > /etc/pki/tls/cacert.crt
echo "sudoers : ldap files" >> /etc/nsswitch.conf
systemctl restart sssd
systemctl enable --now oddjobd
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
systemctl restart oddjobd
If I query using ldapsearch
domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix
ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -W -x adam
I get
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: adam
#
# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
# adam, SUDOers, example.com
dn: cn=adam,ou=SUDOers,dc=example,dc=com
# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
If I run
domain="example"
suffix="com"
export SUDOERS_BASE=ou=SUDOers,DC=$domain,DC=$suffix
ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,DC=$domain,DC=$suffix -w 1234 -x
I get
# extended LDIF
#
# LDAPv3
# base <ou=SUDOers,DC=example,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# SUDOers, example.com
dn: ou=SUDOers,dc=example,dc=com
objectClass: organizationalUnit
ou: SUDOers
description: example-com LDAP SUDO Entry
# sudo, SUDOers, example.com
dn: cn=sudo,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: adam
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
# defaults, SUDOers, example.com
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep=COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS
sudoOption: env_keep+=MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
sudoOption: env_keep+=LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES
sudoOption: env_keep+=LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE
sudoOption: env_keep+=LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
problem was an extra space after
/etc/nsswitch.conf
once that was corrected, had to install