[sudo-users] Active Directory Schema incomplete? (and SUDOERS_TIMED attributes not working)

David.HICKS at rbs.com David.HICKS at rbs.com
Mon Jul 30 08:33:30 EDT 2012


Thanks for that Todd.

I haven't managed to find anything authoritative that explicitly states that the AD representation of Generalized Time format will ALWAYS use tenths of a second, but there were a lot of not quite so reliable sources and examples that make that assertion, so it's probably true, I guess...

However, I think something else might need tweaking in order for your ldap.c mod to work, because I get 'unable to format timestamp: Success' errors now, and the time limit appears to be ignored:

$ ldapsearch ..... "(sudoUser=jonesn)"
<snip>
sudoNotAfter: 20120729122200.0Z

(...so we should fail after 29th July, but...)

$ whoami
jonesn
$ date
Mon Jul 30 13:27:19 BST 2012
$ /usr/local/bin/sudo -l
sudo: unable to format timestamp: Success
sudo: unable to format timestamp: Success
Matching Defaults entries for jonesn on this host:
    listpw+=never, env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
    LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", env_reset, requiretty

User jonesn may run the following commands on this host:
    (ALL) /bin/ls

(...with debug...)

$ /usr/local/bin/sudo -l
LDAP Config Summary
===================
uri              ldap://127.0.0.1:10000/
ldap_version     3
sudoers_base     OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   120
timelimit        120
ssl              no
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://127.0.0.1:10000/)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:CN=defaults,OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net
sudo: ldap sudoOption: 'listpw+=never'
sudo: ldap sudoOption: 'env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'requiretty'
sudo: unable to format timestamp: Success
sudo: ldap search '(&(|(sudoUser=jonesn)(sudoUser=%admusers)(sudoUser=%#1000)(sudoUser=%empty1)(sudoUser=%vrtsadm)(sudoUser=%ctxadm)(sudoUser=%lmadmin)(sudoUser=%alex)(sudoUser=%#1001)(sudoUser=%#8002)(sudoUser=%#8003)(sudoUser=%#8139)(sudoUser=%#8230)(sudoUser=ALL)))'
sudo: searching from base 'OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net'
sudo: adding search result
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: result now has 1 entries
sudo: unable to format timestamp: Success
sudo: ldap search '(&(sudoUser=+*))'
sudo: searching from base 'OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net'
sudo: nothing found for '(&(sudoUser=+*))'
sudo: sorting remaining 1 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user jonesn) with 1 entries
Matching Defaults entries for jonesn on this host:
    listpw+=never, env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
    LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", env_reset, requiretty

User jonesn may run the following commands on this host:
    (ALL) /bin/ls
sudo: removing reusable search result


Cheers

David Hicks

  
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: 27 July 2012 20:20
To: Hicks, David (GIS, Technology Services)
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Active Directory Schema incomplete? (and SUDOERS_TIMED attributes not working)

Thanks, I've made those fixes to the schema.ActiveDirectory file
in the sudo source repo.

I see that AD includes tenths of a second in its timestamps.  Sudo
does not include fractional seconds when it constructs the time
filter, as it is optional, but perhaps this is causing problems.
You can try editing plugins/sudoers/ldap.c and changing the
"%Y%m%d%H%M%SZ" to "%Y%m%d%H%M%S.0Z" to see if that makes any
difference.  I recall that the Tivoli Directory Server required
that the seconds field be present, perhaps AD has a similar requirement
for tenths of a second.

 - todd
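An added example (not sudo's ldap.c and not code from either poster) showing in C the two pieces of this exchange: formatting a Generalized Time value with and without AD's tenths of a second, and parsing a stored sudoNotAfter such as 20120729122200.0Z to check it against the clock. The failure mode it illustrates is an assumption, not something the thread confirms: strftime returns 0 when the widened ".0Z" form no longer fits the destination buffer, and it does not set errno, which would produce exactly "unable to format timestamp: Success" if the buffer had been sized for the 15-character form.

```c
#define _GNU_SOURCE          /* gmtime_r() and timegm() under glibc */
#include <stdio.h>
#include <string.h>
#include <time.h>

static char gt_buf[32];

/* Format t as LDAP Generalized Time, with tenths of a second when `tenths`
 * is set (AD's form: 20120729122200.0Z). `limit` is the size handed to
 * strftime; NULL is returned when the result does not fit. strftime then
 * returns 0 without touching errno, so strerror(errno) reads "Success". */
const char *generalized_time_str(time_t t, int tenths, size_t limit)
{
    struct tm tm;
    const char *fmt = tenths ? "%Y%m%d%H%M%S.0Z" : "%Y%m%d%H%M%SZ";
    if (limit > sizeof(gt_buf) || gmtime_r(&t, &tm) == NULL)
        return NULL;
    return strftime(gt_buf, limit, fmt, &tm) != 0 ? gt_buf : NULL;
}

/* Parse "YYYYMMDDHHMMSS[.f...]Z" (UTC) into a time_t, accepting the plain
 * and the fractional form; the fraction is truncated. -1 on bad input. */
time_t parse_generalized_time(const char *s)
{
    struct tm tm;
    int n = 0;
    memset(&tm, 0, sizeof(tm));
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d%n", &tm.tm_year, &tm.tm_mon,
               &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec, &n) != 6
        || n != 14)
        return (time_t)-1;
    s += n;
    if (*s == '.' || *s == ',') {              /* optional fraction */
        if (s[1] < '0' || s[1] > '9')
            return (time_t)-1;
        s++;
        while (*s >= '0' && *s <= '9') s++;
    }
    if (strcmp(s, "Z") != 0)
        return (time_t)-1;
    tm.tm_year -= 1900;
    tm.tm_mon -= 1;
    return timegm(&tm);
}

/* 1 if the sudoNotAfter value is already in the past at `now`. */
int not_after_expired(const char *not_after, time_t now)
{
    time_t t = parse_generalized_time(not_after);
    return t != (time_t)-1 && t < now;
}
```

The constructed values below use the thread's sudoNotAfter (2012-07-29 12:22:00Z is 1343564520) and David's clock of Mon Jul 30 13:27:19 BST 2012 (12:27:19Z, 1343651239).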





