[sudo-users] Sudo Integration with AD Issue - Sudo Debug Suggests it performs an LDAP Query but Doesn't
Martin, Jeff
Jeff.Martin at tais.toshiba.com
Wed Oct 10 10:04:50 EDT 2012
>I'm working on a project to integrate Sudo with Active Directory and have run
>into a brick wall.
Check out PowerBroker. Integrated sudo and AD authentication, plus management of sudo rules from a central console with AD group/user support.
-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ian Funk
Sent: Tuesday, October 09, 2012 2:05 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Sudo Integration with AD Issue - Sudo Debug Suggests it performs an LDAP Query but Doesn't
I'm working on a project to integrate Sudo with Active Directory and have run
into a brick wall. When using a Linux local user, sudo queries the Sudoers
container in Active Directory, finds the role and the result is a match.
Success:
[bobo@tn7sudoauth01 ~]$ sudo /usr/bin/id
sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=bobo)(sudoUser=%bobo)(sudoUser=ALL))'
sudo: found:CN=bobo,OU=Sudoers,DC=example,DC=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/usr/bin/id' ... MATCH!
While using an Active Directory user, sudo claims that it's doing the following
search:
sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
But tcpdump and a packet capture on the Domain Controller show that this LDAP
query is never being sent. The following two queries are being sent and
processed but not the one above.
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search 'sudoUser=+*'
Why is sudo sending the sudoUser query for a local but not Domain User? I'm
looking for a solution because it's a requirement that we use Active Directory
users and this is currently blocking us.
Failure:
[EXAMPLE\ifunktest@tn7sudoauth01 ~]$ sudo /usr/sbin/id
LDAP Config Summary
===================
uri ldap://windowsdc01.example.com
ldap_version 3
sudoers_base ou=Sudoers,dc=example,dc=com
binddn cn=_sudobind,ou=service_accounts,dc=example,dc=com
bindpw password
bind_timelimit 120000
timelimit 120
ssl off
===================
sudo: ldap_initialize(ld, ldap://windowsdc01.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for EXAMPLE\ifunktest:
Running the same LDAP query via ldapsearch from the host and LDP on the Domain
Controller yield the expected results. I've changed the Domain and server
names in here for obvious reasons.
Thanks in Advance, Ian
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
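Editor's note, added to this archived thread and not part of either message above: the filter sudo logs for the domain user contains a bare backslash, `sudoUser=EXAMPLE\ifunktest`. RFC 4515 requires a backslash inside an assertion value to be hex-encoded as `\5c`, and a backslash followed by anything other than two hex digits makes the filter syntactically invalid, which a client library can reject before anything is sent to the directory. The thread does not establish that this is what stops the search on Ian's host, but it is the first thing to check given that the packet capture shows no query. The following example (this page's own illustration, not sudo's code) escapes the user and group names per RFC 4515, rebuilds the filter in the shape sudo logs, and runs a minimal validator over both the raw and the escaped form. The user and group names are copied from the debug output; the function names and the validator are this example's own.

```python
"""RFC 4515 escaping for LDAP search filters, applied to the sudoUser
filter shown in the sudo debug output above.

Added example; not code from sudo or from the thread.  The user and
group names are the ones from Ian's log; everything else (function
names, the minimal validator) is this example's own.
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped when they
# appear inside an assertion value.  The backslash itself is one of them.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def sudo_user_filter(user: str, groups, escape: bool = True) -> str:
    """Build (|(sudoUser=user)(sudoUser=%group)...(sudoUser=ALL)) in the
    shape sudo's debug output shows.  escape=False reproduces the raw
    form from the log so the two can be compared."""
    enc = escape_filter_value if escape else (lambda s: s)
    terms = [f"(sudoUser={enc(user)})"]
    terms += [f"(sudoUser=%{enc(g)})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


# A value is well formed if every backslash is followed by exactly two
# hex digits and no bare parenthesis appears.  '*' is left alone here
# because it is legal as a substring wildcard (e.g. the netgroup filter
# sudoUser=+* that sudo also sends).
_VALUE_RE = re.compile(r"^(?:[^\\()]|\\[0-9A-Fa-f]{2})*$")
_ITEM_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=((?:[^()\\]|\\.)*)\)")


def filter_value_errors(ldap_filter: str) -> list:
    """Return the assertion values of the (attr=value) items in a filter
    that violate the RFC 4515 escaping rules.  Minimal check; it does not
    validate the surrounding boolean structure."""
    bad = []
    for m in _ITEM_RE.finditer(ldap_filter):
        value = m.group(2)
        if not _VALUE_RE.match(value):
            bad.append(value)
    return bad


# Names as they appear in the debug output on this page.
USER = "EXAMPLE\\ifunktest"
GROUPS = ["EXAMPLE\\Domain^users"]

RAW_FILTER = sudo_user_filter(USER, GROUPS, escape=False)   # what sudo logged
ESCAPED_FILTER = sudo_user_filter(USER, GROUPS)             # RFC 4515 form

if __name__ == "__main__":
    print("raw:    ", RAW_FILTER)
    print("invalid:", filter_value_errors(RAW_FILTER))
    print("escaped:", ESCAPED_FILTER)
    print("invalid:", filter_value_errors(ESCAPED_FILTER))
```

The raw form is flagged on both `EXAMPLE\ifunktest` and `%EXAMPLE\Domain^users` (neither `\i` nor `\D` followed by `o` is a two-hex-digit escape), while the escaped form validates. The same escaping step is also what keeps a user- or group-supplied name from altering the boolean structure of a filter, so it is worth applying wherever a directory filter is assembled from external input, whatever the outcome of the sudo investigation above.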