[sudo-users] sudo & LDAP

Wes Rogers wrogers at gmail.com
Tue Mar 6 13:29:27 EST 2007


Run sudo -L instead and see.  Also, paste an LDIF dump of
ou=SUDOers,dc=company,dc=com.

Wes

On 3/6/07, Doug Goldstein <cardoe at gentoo.org> wrote:
> Hi all,
>
> Currently I'm having an issue with sudo & ldap. I'm running on a Gentoo
> system against OpenLDAP 2.3.30 and sudo-1.6.8_p12
>
> The issue is that every user attempting to use sudo results in the
> following in the logs:
>
> [sudo] nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
> ....
> [sudo] nss_ldap: could not search LDAP server - Server is unavailable
>
> However, my server is there and available. Every other use of nss_ldap is
> working on that box. When the user attempts to run sudo they get the
> following error:
>
> sudo: uid 5000 does not exist in the passwd file!
>
> However, running a simple "id" results in:
>
> uid=5000(doug) gid=100(users) groups=100(users),500(svnusers)
>
> Now Gentoo has sudo configure its LDAP settings in /etc/ldap.conf.sudo
> and I have the following configuration:
>
> uri ldap://gravel.internal.company.com ldap://marble.internal.company.com
> ldap_version 3
> ssl start_tls
> tls_cacertdir /etc/ssl/certs/
> tls_checkpeer yes
> sudoers_debug 2
> sudoers_base ou=SUDOers,dc=company,dc=com
>
> I ran the sudoers2ldif file and imported it into
> ou=SUDOers,dc=company,dc=com. I also added an ACL to slapd that allows *
> to read that ou.
>
> Running sudo --help as root provides the following:
>
> LDAP Config Summary
> ===================
> uri          ldap://gravel.internal.company.com ldap://marble.internal.company.com
> ldap_version 3
> sudoers_base ou=SUDOers,dc=company,dc=com
> binddn       (anonymous)
> bindpw       (anonymous)
> bind_timelimit  30
> timelimit    30
> ssl          start_tls
> ===================
> ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/ssl/certs/")
> ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0x01)
> ldap_set_option(LDAP_OPT_TIMELIMIT,0x1e)
> setting bind_timelimit to 30
> ldap_initialize(ld,ldap://gravel.internal.company.com ldap://marble.internal.company.com)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_start_tls_s() ok
> ldap_bind() ok
> found:cn=defaults,ou=SUDOers,dc=company,dc=com
> ldap search
> '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%bin)(sudoUser=%daemon)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%disk)(sudoUser=%wheel)(sudoUser=%floppy)(sudoUser=%dialout)(sudoUser=%tape)(sudoUser=%video)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> user_matches=0
> host_matches=0
> sudo_ldap_check(0)=0x44
> usage: sudo -K | -L | -V | -h | -k | -l | -v
> usage: sudo [-HPSb] [-p prompt] [-u username|#uid]
>             { -e file [...] | -i | -s | <command> }
>
>
> So root appears to read the file and parse it properly, however the normal
> users on the box do not provide any of that debugging info which makes me
> believe it's not parsing the file at all.
>
> If anyone has any insight or any suggestions it'd be much appreciated. The
> issue lives in Gentoo's bugzilla at
> http://bugs.gentoo.org/show_bug.cgi?id=107634
>
> --
> Doug Goldstein
>
>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

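As an added example (not code from sudo, from Gentoo, or from either poster), the following Python models the two things the quoted debug output shows: the `(|(sudoUser=root)(sudoUser=%root)...(sudoUser=ALL))` filter that sudo assembles from the invoking user's name and groups, and the per-role user_matches / host_matches evaluation over the sudoRole entries that sudoers2ldif puts under ou=SUDOers. The LDIF below, the `svn.internal.company.com` host and the sudoCommand values are constructed for the example; only `doug`, the `users` and `svnusers` groups and the `cn=defaults` entry come from the post. The netgroup (`sudoUser=+*`) second search is not modelled, and sudoHost is matched with a plain glob as an approximation. One caveat the page does not show: the filter values here are escaped per RFC 4515, because a user or group name containing `(`, `)`, `*` or `\` would otherwise alter the search filter.

```python
"""Toy model of the sudoers-in-LDAP lookup whose debug trace is quoted
above.  Added example, not sudo's own code.  All sample data is
constructed except the names taken from the original post."""
import fnmatch


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).
    Without this, a group named 'wheel)(sudoUser=ALL' would rewrite the
    filter and match every role."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_sudouser_filter(user, groups):
    """Build the first search from the trace: the user's own name, one
    %group term per group (the trace shows %root twice because the
    primary group is added and then every group the user is in, without
    de-duplication; pass the list as-is to reproduce that), then ALL."""
    terms = ['(sudoUser=%s)' % ldap_escape(user)]
    terms += ['(sudoUser=%%%s)' % ldap_escape(g) for g in groups]
    terms.append('(sudoUser=ALL)')
    return '(|' + ''.join(terms) + ')'


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines as emitted by sudoers2ldif.  No base64 values or line folding."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def role_matches(entry, user, groups, host):
    """Return (user_ok, host_ok) for one entry.  Entries without sudoUser
    (e.g. cn=defaults, which only carries sudoOption) never match."""
    users = entry.get('sudoUser', [])
    hosts = entry.get('sudoHost', [])
    user_ok = any(v == 'ALL' or v == user or
                  (v.startswith('%') and v[1:] in groups) for v in users)
    host_ok = any(v == 'ALL' or fnmatch.fnmatchcase(host, v) for v in hosts)
    return user_ok, host_ok


def check_sudoers(ldif_text, user, groups, host):
    """Walk every entry and return (user_matches, host_matches, commands),
    the counters the sudoers_debug trace prints plus the sudoCommand
    values of the roles that matched both user and host."""
    user_matches = host_matches = 0
    commands = []
    for entry in parse_ldif(ldif_text):
        u_ok, h_ok = role_matches(entry, user, groups, host)
        if u_ok:
            user_matches += 1
        if u_ok and h_ok:
            host_matches += 1
            commands.extend(entry.get('sudoCommand', []))
    return user_matches, host_matches, commands


# Constructed LDIF dump of ou=SUDOers (the shape sudoers2ldif produces);
# the svnadmins role, its host and its command are invented for the example.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=svnadmins,ou=SUDOers,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: svnadmins
sudoUser: %svnusers
sudoHost: svn.internal.company.com
sudoCommand: /usr/bin/svnadmin

dn: cn=wheel,ou=SUDOers,dc=company,dc=com
objectClass: top
objectClass: sudoRole
cn: wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
"""

if __name__ == '__main__':
    # doug's groups as reported by id(1) in the post: users, svnusers
    print(build_sudouser_filter('doug', ['users', 'svnusers']))
    print(check_sudoers(SAMPLE_LDIF, 'doug', ['users', 'svnusers'],
                        'svn.internal.company.com'))
```

Running it for `doug` on the constructed svn host reports one user match and one host match with `/usr/bin/svnadmin`; on any other host the user still matches the svnadmins role but host_matches stays 0, which is the same shape of result (user_matches / host_matches) that the quoted trace prints for root.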