[sudo-users] Sudo Integration with AD Issue - Sudo Debug Suggest it performs an LDAP Query but Doesn't
Ian Funk
ian.funk at disney.com
Tue Oct 9 17:04:45 EDT 2012
I'm working on a project to integrate Sudo with Active Directory and have run
into a brick wall. When using a Linux local user, sudo queries the Sudoers
container in Active Directory, finds the role and the result is a match.
Success:
[bobo at tn7sudoauth01 ~]$ sudo /usr/bin/id
sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=bobo)(sudoUser=%bobo)(sudoUser=ALL))'
sudo: found:CN=bobo,OU=Sudoers,DC=example,DC=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/usr/bin/id' ... MATCH!
While using an Active Directory user, sudo claims that it's doing the following
search:
sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
But tcpdump and a packet capture on the Domain Controller show that this LDAP
query is never being sent. The following two queries are being sent and
processed but not the one above.
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search 'sudoUser=+*'
Why is sudo sending the sudoUser query for a local user but not for a Domain user? I'm
looking for a solution because it's a requirement that we use Active Directory
users, and this is currently blocking us.
Failure:
[EXAMPLE\ifunktest at tn7sudoauth01 ~]$ sudo /usr/sbin/id
LDAP Config Summary
===================
uri ldap://windowsdc01.example.com
ldap_version 3
sudoers_base ou=Sudoers,dc=example,dc=com
binddn cn=_sudobind,ou=service_accounts,dc=example,dc=com
bindpw password
bind_timelimit 120000
timelimit 120
ssl off
===================
sudo: ldap_initialize(ld, ldap://windowsdc01.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for EXAMPLE\ifunktest:
Running the same LDAP query via ldapsearch from the host and LDP on the Domain
Controller yields the expected results. I've changed the Domain and server
names in here for obvious reasons.
Thanks in advance, Ian
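One thing worth checking on a filter like the one in the debug output above is whether it is even well-formed under RFC 4515, which requires a backslash inside an assertion value to be written as `\5c` (two hex digits must follow every `\`). The code below is an added example, not sudo's own code: `build_sudo_user_filter` only reproduces the filter shape shown in the post with proper escaping, and the idea that an unescaped `\` in `EXAMPLE\ifunktest` is what stops the client library from ever sending the request is an assumption of this example, not something the post confirms.

```python
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_sudo_user_filter(user: str, groups) -> str:
    """Build the '(|(sudoUser=USER)(sudoUser=%GROUP)...(sudoUser=ALL))' filter
    seen in the debug output, with every user/group value escaped.
    This is a reconstruction of the filter shape, not sudo's implementation."""
    parts = [f"(sudoUser={escape_filter_value(user)})"]
    parts += [f"(sudoUser=%{escape_filter_value(g)})" for g in groups]
    parts.append("(sudoUser=ALL)")
    return "(|" + "".join(parts) + ")"


# A backslash that is NOT followed by two hex digits is not a valid escape.
_BAD_ESCAPE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def invalid_escapes(filter_str: str) -> list:
    """Return each malformed backslash sequence (3 chars of context) in a filter.
    A non-empty result means a strict LDAP client library may refuse the filter
    locally, so the server would never see the query (assumption, see lead-in)."""
    return [filter_str[m.start():m.start() + 3] for m in _BAD_ESCAPE.finditer(filter_str)]


if __name__ == "__main__":
    # Filter string constructed from the debug output in the post.
    raw = r"(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))"
    print("unescaped filter problems:", invalid_escapes(raw))
    fixed = build_sudo_user_filter(r"EXAMPLE\ifunktest", [r"EXAMPLE\Domain^users"])
    print("escaped filter:", fixed)
    print("escaped filter problems:", invalid_escapes(fixed))
```

The same builder produces the local-user filter from the successful run unchanged, since `bobo` contains nothing that needs escaping.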