[sudo-users] Re: [RESOLVED] Re: Sudo and LDAP

Aaron Spangler aaron777 at gmail.com
Thu Aug 25 09:36:21 EDT 2005


Jay,

Thanks for all your help.  I'm glad you found the cause.
Sounds like the sudoers2ldif program did not deal with the (ALL)
correctly.  My fault.  I wrote sudoers2ldif.  My bug.

The attribute sudoCommand should either be a full pathname (such as
/usr/bin/touch) or the word "ALL" (upper case -without parens).

Also I would love a .deb file if you get a chance!  Do you know whom
we should talk to about getting sudo --with-ldap baked into Debian?

As for the ldap config files, here is the scoop.

On non-debian machines: (Such as Solaris, AIX, HP-UX, RedHat, Suse...)

/etc/ldap.conf  - Shared config file used by pam_ldap, nss_ldap, and sudo
/etc/ldap/ldap.conf or /etc/openldap/ldap.conf  - Conf file used as defaults for
          OpenLDAP Client SDK

On debian machines, they chose to split them out.  I don't understand
why, but that's their prerogative.  I guess so they could auth at one
place and get name service from a second.

/etc/pam_ldap.conf - Conf file used by pam_ldap
/etc/libnss-ldap.conf - Similar conf file used by nss_ldap
/etc/sudo_ldap.conf - Does not exist yet, since Debian does not yet package
             Sudo --with-ldap.
/etc/ldap/ldap.conf - Conf file used as defaults for OpenLDAP Client SDK

Note that when pam_ldap/nss_ldap/sudo is compiled against the OpenLDAP
client SDK, many defaults (but certainly not all) can be set in
/etc/ldap/ldap.conf.

Also note that the syntax for /etc/ldap/ldap.conf is somewhat
different from the ones documented for Sudo/pam_ldap/nss_ldap.  But
basic information such as the default ldap server can be put here.

Clear as mud, right?

 - Aaron

On 8/25/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> hello again,
> 
> in looking in some code, I found what was causing the
> problem.
> actually, in the file ldap.c in the sudo distribution,
> the code searches for a matching command in the entry
> sudoCommand in ldap. so far so good.
> but the bug is that when it tries to determine whether
> the user has the ALL privileges, it does this:
> 
> (line 278)
> ***************ldap.c*************
> [...]
>     /* Match against ALL ? */
>     if (!strcasecmp(*p,"ALL")) {
>       ret=1;
>       if (ldap_conf.debug>1) printf(" MATCH!\n");
>       continue;
>     }
> ***********************************
> 
> So what it basically does, is that it matches the
> sudoCommand against the letters ALL.
> knowing that in the /etc/sudoers, that would be "(ALL)
> ALL" and not just "ALL", this condition will never
> match.
> indeed, the sudoers2ldif script writes "(ALL) ALL" and
> not just "ALL" to the ldif file.
> 
> so when I changed the "(ALL) ALL" to just "ALL" in my
> sudoCommand attribute, it worked just fine.
> 
> I hope this mail helps..
> 
> anyway, if you are interested in having the debian
> package of the sudo compiled with ldap, please let me
> know. I'll be glad to provide it to you once I've
> finished building it.
> 
> thanks again,
> Jay Ar
> 
> --- Aaron Spangler <aaron777 at gmail.com> wrote:
> 
> > Sounds like Sudo is reading a different ldap.conf.
> > Try running strings on your sudo binary to find
> > where the configuration file is.
> >
> > # strings < /usr/bin/sudo | grep ldap | grep /
> >
> > If you don't get anything related to ldap, then your
> > version of sudo was not compiled --with-ldap.
> >
> > Try recompiling sudo --with-ldap --with-pam if this
> > is the case.
> >
> > The default sudo ldap configuration file is
> > /etc/ldap.conf.
> >
> > Hope this helps.
> >
> > - Aaron
> >
> >
> > On 8/24/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> > > hello Aaron,
> > >
> > > thanks for your quick reply!
> > > actually, you helped me at least know that the
> > > authentication part is working just fine on my
> > > machines.
> > >
> > > nevertheless, I still have problems replacing
> > > /etc/sudoers with ldap. sudo -l returns only the
> > > entries from the local /etc/sudoers.
> > > actually, I used the sudoers2ldif script to create an
> > > LDIF file that I imported into my ldap server.
> > >
> > > in my /etc/ldap/ldap.conf (I'm on debian, it's the
> > > equivalent of /etc/ldap.conf), I have these entries:
> > >
> > > ***ldap.conf************
> > > URI     ldap://my_ldap_server/
> > > sudoers_base ou=SUDOers,dc=my,dc=base,dc=blablabla
> > > sudoers_debug 1
> > > ************************
> > >
> > > my /etc/pam.d/sudo looks like this:
> > >
> > > *********sudo**********
> > > auth    sufficient       pam_ldap.so
> > > account    sufficient     pam_ldap.so
> > > password   sufficient     pam_ldap.so
> > > session    sufficient     pam_ldap.so
> > > **********************
> > >
> > > any idea as to why this could be happening? I mean,
> > > authentication works fine, why shouldn't the sudo
> > > roles issue too?
> > > if I get this to work, I will be happy to provide you
> > > with the appropriate debian package.
> > >
> > > Jay
> > >
> > >
> > > --- Aaron Spangler <aaron777 at gmail.com> wrote:
> > >
> > > > Hi Jay,
> > > >
> > > > Sudo uses LDAP for two purposes:
> > > > 1) Authentication (is the password that you typed
> > > > the correct password?)
> > > > 2) Sudo Roles (the equivalent of stuffing
> > > > /etc/sudoers into a container in LDAP)
> > > >
> > > > The two purposes are not related.  So let's deal with
> > > > them one at a time.
> > > >
> > > > 1) Authentication.
> > > > It turns out that for authentication Sudo does not
> > > > talk with ldap directly.  Rather it uses PAM.  PAM
> > > > then talks with LDAP via pam_ldap.  So sudo -V is
> > > > supposed to say 'pam'.  Also your /etc/pam.d/sudo file
> > > > points to pam_ldap.  Pam_ldap reads /etc/ldap.conf
> > > > to locate your ldap server.
> > > >
> > > >   $ sudo -V|head
> > > >   Sudo version 1.6.8p9
> > > >   Authentication methods: 'pam'
> > > >
> > > > So if Sudo accepts your password as it is in LDAP,
> > > > then this part is working.  If not, review your
> > > > settings in /etc/ldap.conf.  Pam_ldap is a component
> > > > found in http://www.padl.com
> > > > Strictly speaking pam_ldap is supported by its own
> > > > mailing list, so if you can't get this part working
> > > > I recommend checking out the padl.com website and
> > > > subscribing to the mailing list there.
> > > >
> > > > 2) Sudo Roles.
> > > > This is the part where Sudo talks with the LDAP
> > > > server directly.  Note that this is optional.  Many
> > > > folks are happy with storing all the sudo
> > > > information in /etc/sudoers.  But if you want to do
> > > > it, use the sudoers2ldif script to create an LDIF
> > > > file that can be imported into your LDAP server.
> > > > Note that sudo also reads /etc/ldap.conf to locate
> > > > your ldap server.
> > > >
> > > > If you do a 'sudo -l' and it returns roles listed
> > > > from LDAP, then this part is working.
> > > >
> > > > By default sudo looks for roles in LDAP first and if
> > > > it does not find a match it then checks /etc/sudoers.
> > > > If you want to turn off /etc/sudoers altogether, add
> > > > this attribute to your object (named cn=defaults) in
> > > > the sudoers container.
> > > >
> > > > cn=defaults, ou=sudoers, ou=xxx,  ...
> > > > ...
> > > > sudoOption: ignore_local_sudoers
> > > >
> > > > The ignore_local_sudoers option tells sudo to not
> > > > look for an /etc/sudoers file at all.
> > > >
> > > >
> > > > I hope this information helps.  Please let me know
> > > > if I can provide more.
> > > >
> > > >  -Aaron
> > > >
> > > > On 8/24/05, Jay Ar <jayarftrd at yahoo.fr> wrote:
> > > > > hello,
> > > > >
> > > > > I have an ldap server (tls) and would like to bring
> > > > > sudo to work with it. that means, sudo would no longer
> > > > > look in /etc/sudoers, but in my ldap server.
> > > > > Now I have followed the instructions on
> > > > > http://www.sudo.ws/sudo/readme_ldap.html, but to no
> > > > > avail.. although the command sudo -V|head tells me that
> > > > > sudo is using pam to authenticate:
> > > > > ******************
> > > > > # sudo -V|head
> > > > >
> > > > > Sudo version 1.6.8p9
> > > > >
> > > > > Authentication methods: 'pam'
> > > > > Syslog facility if syslog is being used for logging: local2
> > > > > Syslog priority to use when user authenticates
> > > > > successfully: notice
> > > > > Syslog priority to use when user authenticates
> > > > > unsuccessfully: alert
> > > > > Send mail if the user is not in sudoers
> > > > > Lecture user the first time they run sudo
> > > > > Require users to authenticate by default
> > > > > Root may run sudo
> > > > > ********************
> > > > >
> > > > > my /etc/pam.d/sudo looks like this:
> > > > >
> > > > > auth    required       pam_ldap.so
> >
> === message truncated ===
>
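Added example (not part of the thread, and not code from sudo or from
sudoers2ldif): a Python sketch of what sudoers2ldif should emit for a
command spec such as "(ALL) ALL", next to a replay of the
strcasecmp(*p, "ALL") check quoted from ldap.c above, so the mismatch
between "(ALL) ALL" and "ALL" can be seen directly rather than inferred.
It assumes the sudoRole object class and the sudoRunAs attribute of the
sudo LDAP schema of that era for the Runas part, a made-up base DN of
ou=SUDOers,dc=example,dc=com, and ignores sudoers tags such as
NOPASSWD:; the command matcher is a simplification for illustration,
not sudo's real matching code.

```python
"""Added example: normalising sudoers command specs for sudoRole LDAP
entries, and replaying the ALL check from ldap.c quoted in the thread.
Not code from sudo or sudoers2ldif; helper names are invented here."""
import re
from typing import List, Tuple

# Optional leading Runas_Spec, e.g. "(ALL)" or "(root)".
_RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")


def split_cmnd_spec(spec: str) -> List[Tuple[str, str]]:
    """Split "(ALL) ALL, (root) /usr/bin/touch" into (runas, command) pairs.
    A Runas_Spec applies to the commands that follow it until another one
    appears, so it is carried forward; sudoers defaults to root otherwise.
    Tags such as NOPASSWD: are not handled (assumption for this example)."""
    runas = "root"
    pairs: List[Tuple[str, str]] = []
    for item in spec.split(","):
        item = item.strip()
        m = _RUNAS_RE.match(item)
        if m:
            runas = m.group("runas").strip() or "root"
            item = m.group("rest").strip()
        if item:
            pairs.append((runas, item))
    return pairs


def is_valid_sudo_command(value: str) -> bool:
    """The rule stated in the thread: sudoCommand is either the word ALL or
    a full pathname (optionally followed by arguments).  "(ALL) ALL" fails."""
    return value == "ALL" or (value.startswith("/") and len(value) > 1)


def ldap_matches_all(sudo_command: str) -> bool:
    """Replay of the check quoted from ldap.c:  if (!strcasecmp(*p, "ALL")).
    strcasecmp compares the whole string case-insensitively, so only a value
    that is exactly ALL (in any case) matches; "(ALL) ALL" never does."""
    return sudo_command.lower() == "all"


def ldap_command_allowed(sudo_commands: List[str], requested: str) -> bool:
    """Simplified stand-in for the per-entry loop: ALL grants everything,
    otherwise the requested full path must equal an entry exactly.
    (Illustration only; sudo's real matcher does more, e.g. arguments
    and wildcards.)"""
    return any(ldap_matches_all(v) or v == requested for v in sudo_commands)


def sudo_role_ldif(cn: str, users: List[str], hosts: List[str], spec: str,
                   base: str = "ou=SUDOers,dc=example,dc=com") -> str:
    """Emit one sudoRole entry with the Runas part in sudoRunAs (attribute
    of the sudo LDAP schema of that era, assumed here) and only the bare
    command in sudoCommand.  Values sudo could never match are rejected."""
    pairs = split_cmnd_spec(spec)
    for _, cmd in pairs:
        if not is_valid_sudo_command(cmd):
            raise ValueError("sudoCommand must be ALL or a full path, got %r" % cmd)
    lines = ["dn: cn=%s,%s" % (cn, base), "objectClass: top",
             "objectClass: sudoRole", "cn: %s" % cn]
    lines += ["sudoUser: %s" % u for u in users]
    lines += ["sudoHost: %s" % h for h in hosts]
    lines += ["sudoRunAs: %s" % r for r in sorted({r for r, _ in pairs})]
    lines += ["sudoCommand: %s" % cmd for _, cmd in pairs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # What the old sudoers2ldif wrote verbatim, next to the corrected value.
    for value in ("(ALL) ALL", "ALL"):
        print("%-11r ALL match in ldap.c: %s" % (value, ldap_matches_all(value)))
    print(sudo_role_ldif("admins", ["%admin"], ["ALL"],
                         "(ALL) ALL, (root) /usr/bin/touch"))
```

Running it prints False for "(ALL) ALL" and True for "ALL", which is the
whole bug: the Runas part belongs in its own attribute, and anything else
in sudoCommand is silently never matched, so the user falls through to
/etc/sudoers (or to nothing, with ignore_local_sudoers set).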



