[sudo-users] AIX sudo - Unable to match host LDAP netgroup.
Palmer, Hil S.
Hilary.Palmer at unitypoint.org
Wed Mar 30 15:59:47 MDT 2022
Hello,
I have been fighting this for days now, and I know I have to be missing something dumb.
Versions: AIX 7.2, openldap-2.4.58-2.ppc, sudo-1.9.5p2-1.ppc
If I enter the server name in for the sudoHost it works, but when I attempt to use the netgroup name it will not work.
Here is my sudoer role...
dn: cn=palmerhsrole,ou=sudoers,dc=XXXXXX
objectClass: sudoRole
objectClass: top
cn: palmerhsrole
sudoUser: PalmerHS
sudoHost: +hgrp_test
sudoCommand: /bin/ls
I can resolve the netgroup I want via lsldap...
hiabld1: # lsldap -a netgroup hgrp_test
dn: cn=hgrp_test,ou=netgroups,dc=XXXXXX
objectClass: nisNetgroup
objectClass: top
cn: hgrp_test
msSFU30Name: hgrp_test
nisNetgroupTriple: (hiabld1,,)
description: Hostgroup - Test
Added the following to /etc/netsvc.conf...
sudoers = files, ldap
Updated my openldap config file with...
TLS_CACERTDIR /etc/security/ldap/client_certs
TLS_CHECKPEER no
TLS_REQCERT never
URI ldaps://FQDN_ADDRESS
BASE dc=XXXXXX
BINDDN CN=saUnixBind,OU=Account,DC=XXXXXX
BINDPW SECRET
SUDOERS_BASE ou=sudoers,dc=XXXXXX
NETWORK_TIMEOUT 5
TIMELIMIT 120
SSL yes
** I have also tried adding: NETGROUP_BASE ou=netgroups,dc=XXXXXX **
I also tried updating /usr/lib/security/methods.cfg and adding the following to the LDAP section...
options = netgroup
Snippets from sudo debug file....
Mar 30 16:21:55 sudo[3015636] <- sudo_ldap_build_pass1 @ ./ldap.c:1079 := (&(objectClass=sudoRole)(|(sudoUser=PalmerHS)(sudoUser=#610171)(sudoUser=%IT_AIX_Admin)(sudoUser=%#157329)(sudoUser=ALL)))
Mar 30 16:21:55 sudo[3015636] ldap search '(&(objectClass=sudoRole)(|(sudoUser=PalmerHS)(sudoUser=#610171)(sudoUser=%IT_AIX_Admin)(sudoUser=%#157329)(sudoUser=ALL)))'
Mar 30 16:21:55 sudo[3015636] searching from base 'ou=sudoers,dc=unixldap,dc=ihs,dc=org'
Mar 30 16:21:55 sudo[3015636] adding search result
Mar 30 16:21:55 sudo[3015636] result now has 2 entries
Mar 30 16:21:55 sudo[3015636] <- sudo_ldap_get_first_rdn @ ./ldap.c:384 := palmerhsrole
Mar 30 16:21:55 sudo[3015636] -> hostlist_matches_int @ ./match.c:294
Mar 30 16:21:55 sudo[3015636] -> host_matches @ ./match.c:328
Mar 30 16:21:55 sudo[3015636] -> netgr_matches @ ./match.c:645
Mar 30 16:21:55 sudo[3015636] -> sudo_getdomainname @ ./match.c:590
Mar 30 16:21:55 sudo[3015636] <- sudo_getdomainname @ ./match.c:622 := (null)
Mar 30 16:21:55 sudo[3015636] netgroup hgrp_test matches (hiabld1|hiabld1, , ): false @ netgr_matches() ./match.c:671
Mar 30 16:21:55 sudo[3015636] <- netgr_matches @ ./match.c:674 := false
Mar 30 16:21:55 sudo[3015636] <- host_matches @ ./match.c:360 := -1
Mar 30 16:21:55 sudo[3015636] <- hostlist_matches_int @ ./match.c:301 := -1
Mar 30 16:21:55 sudo[3015636] <- display_priv_short @ ./parse.c:454 := 1
Since the debug does not display the actual search and results for the host netgroup, all I can figure is that it is not getting the results from LDAP that it needs to do the match check. I do not know if this is an openldap function or something passed to the OS to return the results of the netgroup. Could it be that AIX is expecting the msSFU30Name attribute within the netGroup object, and that is throwing things?
Thank you,
Hil
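As an added diagnostic (not from the post and not sudo's own code): a small Python script that parses a nisNetgroup entry in the LDIF shape lsldap prints and evaluates whether a host name would match its nisNetgroupTriple values, including sudo's long-name-then-short-name fallback from netgr_matches(). It assumes glibc-style innetgr() semantics (an empty field on either side is a wildcard, host and domain compared case-insensitively); sudo actually calls the platform's innetgr(), so AIX's resolver may decide differently, and the nested hgrp_all group is a constructed addition.

```python
import re

# Constructed sample: the nisNetgroup entry from the post's lsldap output, plus
# a hypothetical group that nests it via memberNisNetgroup.
SAMPLE_LDIF = """\
dn: cn=hgrp_test,ou=netgroups,dc=XXXXXX
objectClass: nisNetgroup
cn: hgrp_test
nisNetgroupTriple: (hiabld1,,)

dn: cn=hgrp_all,ou=netgroups,dc=XXXXXX
objectClass: nisNetgroup
cn: hgrp_all
memberNisNetgroup: hgrp_test
nisNetgroupTriple: (hiabld2.example.org,,)
"""

def parse_netgroups(ldif):
    """LDIF -> {cn: {"triples": [(host, user, domain)], "members": [...]}}; empty field = None."""
    groups = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip(), []).append(val.strip())
        if "nisNetgroup" in attrs.get("objectClass", []):
            triples = [tuple(([f.strip() or None for f in t.strip("()").split(",")] + [None] * 3)[:3])
                       for t in attrs.get("nisNetgroupTriple", [])]
            groups[attrs["cn"][0]] = {"triples": triples, "members": attrs.get("memberNisNetgroup", [])}
    return groups

def in_netgroup(groups, name, host=None, user=None, domain=None, _seen=None):
    """innetgr()-style test, glibc semantics assumed: a None field on either side matches
    anything; host and domain fold case, user is exact; nested groups followed with a cycle guard."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    def ok(want, have, fold):
        return want is None or have is None or (want.lower() == have.lower() if fold else want == have)
    for th, tu, td in groups[name]["triples"]:
        if ok(th, host, True) and ok(tu, user, False) and ok(td, domain, True):
            return True
    return any(in_netgroup(groups, m, host, user, domain, _seen) for m in groups[name]["members"])

def sudo_host_matches(groups, netgr, lhost, shost, user=None, domain=None):
    """Mirror sudo's netgr_matches(): try the long host name, then the short one."""
    return (in_netgroup(groups, netgr, lhost, user, domain)
            or (shost != lhost and in_netgroup(groups, netgr, shost, user, domain)))

NETGROUPS = parse_netgroups(SAMPLE_LDIF)
```

Feeding it the host names sudo reports in the debug line (here "hiabld1" for both the long and the short name, with a null domain) shows what the LDAP data alone would decide, which helps separate a data problem from a resolver problem.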