[sudo-users] Problem with Sudo-LDAP

Jayson Henkel jhenkel at sterlingcrane.com
Thu Mar 23 11:47:25 EST 2006


Huibert,
Thanks for the info,
Yeah, the (ALL) is the frustrated result of me using the sudoers2ldif
script, in the hope that it was something wrong with my config there. I did do
some reading that suggested that conversion was a "bug" in sudoers2ldif.


Is the original author of sudo-ldap part of this list? I've tried to
reach him at a couple of addresses with my issue, to no avail.

I guess, further to my issue, if it is indeed an issue with TLS it should
be rectified by the change to the URI. However, it seems I'm still
faced with the NSS mapping issue.


On Thu, 2006-23-03 at 17:39 +0100, Huibert.Kivits at mail.ing.nl wrote:
> Hi Jayson,
> 
> Well, to be honest, I really don't know if sudo-ldap supports the TLS_CACERT option. In the end, I'm just a sudo administrator, not a developer. But if sudo-ldap does support the TLS_CACERT option, there might still be an issue with regard to the OS...
> 
> Something else: the debugging information shows the following line:
> ldap sudoCommand '(ALL) ALL' ... Not
> 
> What's mentioned in LDAP? The following line?
> sudoCommand: (ALL) ALL
> That line should be as follows:
> sudoCommand: ALL
> 
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
> 
> 
> Huibert Kivits
> OPS&ITB/WPS/UAS/MSO UNIX
> Locatiecode NA 00.92
> T (020) 563 73 33, F (020) 563 70 02
> E Huibert.Kivits at mail.ing.nl
> 
> "...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
> Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
> 
> 
> 
> -----Original message-----
> From: Jayson Henkel [mailto:jhenkel at sterlingcrane.com]
> Sent: Thursday 23 March 2006 17:13
> To: Kivits, H.P. (Huibert)
> CC: sudo-users at sudo.ws
> Subject: RE: [sudo-users] Problem with Sudo-LDAP
> 
> 
> Huibert,
> 
> Indeed, that is where I've focused my attention. It doesn't seem to modify the behaviour.
> 
> Please see the following when I've made the change from uri: ldaps:// to
> ldap://localhost:
> 
> 
> However, as I've mentioned before, with an ldapsearch -x -ZZ -h ldap.sterlingcrane.ca
> and with an ldapsearch -x -H ldaps://ldap.sterlingcrane.ca they both return searches properly. However, now that you mention it, I suspect it might be because of the TLS_CACERT option. I wonder if perhaps sudo-ldap doesn't yet accept the TLS_CACERT directive?
> 
> 
> LDAP Config Summary
> ===================
> uri          ldap://localhost
> ldap_version 3
> sudoers_base ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          (no)
> ===================
> ldap_initialize(ld,ldap://localhost)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok found:cn=defaults,ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
> ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=ALL))' found:cn=root,ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand '(ALL) ALL' ... not
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> ruto:~# d
> ruto:~# logout
> ruto:~# logout
> jhenkel at ruto:/usr/share/doc/sudo-ldap$ sudo su -
> sudo: uid 1039 does not exist in the passwd file! jhenkel at ruto:/usr/share/doc/sudo-ldap$ sendmail: fatal: no login name found for user ID 1039
> 
> On Thu, 2006-23-03 at 17:03 +0100, Huibert.Kivits at mail.ing.nl wrote:
> > Hi Jayson,
> > 
> > In the LDAP Config Summary, it says:
> > ssl	(no)
> > Whereas later, you mention that LDAPS is used.
> > That sounds a bit like a contradiction.
> > 
> > Is SSL/LDAPS used successfully if a user logs into these systems? If 
> > that's the case, encryption should work.
> > 
> > You might consider turning off SSL for SUDO traffic. It's nice, but 
> > AFAIK, only the LDAP client connection sends passwords, not the SUDO 
> > client connection.
> > 
> > At my company, SSL is used for encrypting the LDAP client connection 
> > (for user authentication), not for the sudo connection.
> > 
> > BTW: do not exclude the possibility that it's just a bug in your 
> > software. On Solaris 8 for example, it took numerous updates and fixes 
> > before the LDAP client finally supported SSL correctly. You may want 
> > to check with your supplier, if you're sure there's no mistake in your 
> > configuration.
> > 
> > Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen 
> > / Med vänliga hälsningar / nuosirdziausi linkejimai,
> > 
> > 
> > Huibert Kivits
> > ING
> > 
> > "...all too often, when organizations develop information security 
> > programs, they treat security issues as a simple 'check-box' on the 
> > list of required corporate functions." Richard Forno & Kenneth R van 
> > Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
> > 
> > 
> > 
> > -----Original message-----
> > From: sudo-users-bounces at courtesan.com 
> > [mailto:sudo-users-bounces at courtesan.com] On behalf of Jayson Henkel
> > Sent: Tuesday 21 March 2006 17:15
> > To: sudo-users at sudo.ws
> > Subject: [sudo-users] Problem with Sudo-LDAP
> > 
> > 
> > 
> >         I'm currently trying to implement the sudo-ldap modification to sudo.
> >         This will be a big benefit to myself. However, I am having some
> >         difficulties implementing it.
> >         
> >         I have turned debugging on and get the following information when
> >         I run sudo from root:
> >         
> >         LDAP Config Summary
> >         ===================
> >         uri          ldaps://ldap.sterlingcrane.ca ldaps://ldap2.sterlingcrane.ca
> >         ldap_version 3
> >         sudoers_base ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
> >         binddn       (anonymous)
> >         bindpw       (anonymous)
> >         ssl          (no)
> >         ===================
> >         ldap_initialize(ld,ldaps://ldap.sterlingcrane.ca ldaps://ldap2.sterlingcrane.ca)
> >         ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> >         ldap_simple_bind_s()=81 : Can't contact LDAP server
> >         usage: sudo -K | -L | -V | -h | -k | -l | -v
> >         usage: sudo [-HPSb] [-p prompt] [-u username|#uid]
> >                     { -e file [...] | -i | -s | <command> }
> >         
> >         
> >         
> >         When I run it from a normal user I receive the following.
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$ sudo passwd foo
> >         sudo: uid 1039 does not exist in the passwd file!
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$ sendmail: fatal: no login name
> >         found for user ID 1039
> >         
> >         
> >         
> >         However, please review the following:
> >         
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$ getent passwd 1039
> >         jhenkel:x:1039:1000:Jayson Henkel:/home/jhenkel:/bin/bash
> >         
> >         Keep in mind, all my user information is in LDAP and no files are
> >         local, therefore LDAP is working. See below for examples of both TLS
> >         and LDAPS:
> >         
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -ZZ -h ldap.sterlingcrane.ca uid=jhenkel dn
> >         # extended LDIF
> >         #
> >         # LDAPv3
> >         # base <> with scope sub
> >         # filter: uid=jhenkel
> >         # requesting: dn
> >         #
> >         
> >         # jhenkel, staff, people, sterlingcrane.ca
> >         dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca
> >         
> >         # search result
> >         search: 3
> >         result: 0 Success
> >         
> >         # numResponses: 2
> >         # numEntries: 1
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$ ldapsearch -x -H ldaps://ldap.sterlingcrane.ca uid=jhenkel dn
> >         # extended LDIF
> >         #
> >         # LDAPv3
> >         # base <> with scope sub
> >         # filter: uid=jhenkel
> >         # requesting: dn
> >         #
> >         
> >         # jhenkel, staff, people, sterlingcrane.ca
> >         dn: uid=jhenkel,ou=staff,ou=people,dc=sterlingcrane,dc=ca
> >         
> >         # search result
> >         search: 2
> >         result: 0 Success
> >         
> >         # numResponses: 2
> >         # numEntries: 1
> >         jhenkel at ruto:/usr/share/doc/sudo-ldap$
> >         
> >         
> >         When I sniff traffic on the ldap interface, I can clearly see that when
> >         I type sudo, ldap traffic is generated on the ldaps (636) port.
> >         
> >         
> >         Here's my ldap.conf too in case it helps.
> >         
> >         
> >         
> >         BASE    dc=sterlingcrane,dc=ca
> >         URI     ldaps://ldap.sterlingcrane.ca ldaps://ldap2.sterlingcrane.ca
> >         #URI    ldap://localhost
> >         TLS_CACERT /etc/ssl/certs/CA.crt
> >         #TLS_REQCERT allow
> >         
> >         #SIZELIMIT      12
> >         #TIMELIMIT      15
> >         #DEREF          never
> >         
> >         #SUDO Control
> >         sudoers_base   ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
> >         sudoers_debug 2
> >         
> >         
> >         
> >         
> >         Can you offer any advice on how to resolve this?
> >         Thanks in advance..
-- 
Regards,

Jayson D. Henkel
Systems Manager

(Tel:  +1 (780) 440-4434)
(Fax:  +1 (780) 440-1951)
(Cell: +1 (780) 886-8941)
(E-Mail: jhenkel at sterlingcrane.com)

Sterling Crane
P.O. Box 8610. Station South
Edmonton, Alberta
Canada. T6E 6R2

------------------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. If you are not the intended recipient of this message you are
hereby notified that any use, review, retransmission,
dissemination, distribution, reproduction or any action taken in reliance
upon this message is prohibited. If you received this in error, please
contact the sender and delete the material from any computer. Any views
expressed in this message are those of the individual sender and may not
necessarily reflect the views of the company.
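Huibert's remark about the sudoCommand value is worth checking mechanically across the whole sudoers_base before blaming TLS. The script below is an added example, not code from this thread or from the sudo project: it reads an LDIF dump of the sudoRole entries (for instance what `ldapsearch -LLL -b ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca` prints), flags every sudoCommand that still carries a sudoers-style '(runas)' prefix, and moves a uniform prefix into sudoRunAs. Assumptions: the sample LDIF is constructed to mirror the thread's entries; sudoRunAs is the attribute name of the sudo-ldap schema of that era (later sudo releases use sudoRunAsUser instead); and the LDIF reader is a minimal one written for this example rather than python-ldap's ldif module, handling only the line folding and base64 values a directory dump normally contains.

```python
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample (not real directory data) shaped like sudoers2ldif output in
# which the sudoers runas spec stayed glued to the command: the thread's '(ALL) ALL'.
SAMPLE_LDIF = """\
dn: cn=root,ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: (ALL) ALL

# explicit runas on one command, none on the other; the base64 value is /usr/sbin/service
dn: cn=mixed,ou=sudoers,ou=roles,dc=sterlingcrane,dc=ca
objectClass: sudoRole
cn: mixed
sudoUser: jhenkel
sudoHost: ruto
sudoCommand: (ALL) /bin/kill
sudoCommand:: L3Vzci9zYmluL3NlcnZpY2U=
"""

RUNAS_PREFIX = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<cmd>\S.*)$")

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds lines, skips comments, decodes '::' base64 values."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):  # "\n " = folded line
        entry: Entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an LDIF attribute line: {line!r}")
            # "attr:: <base64>" carries a value plain LDIF cannot hold verbatim
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def split_runas(entry: Entry):
    """Return (distinct runas targets, commands with the prefix stripped, mixed).
    mixed is True when no single sudoRunAs stands in for every command: one
    sudoRunAs applies to all sudoCommand values of a role, so rewriting such a
    role in place would widen the runas of the other commands."""
    targets, commands, unprefixed = [], [], 0
    for cmd in entry.get("sudoCommand", []):
        m = RUNAS_PREFIX.match(cmd)
        if m and m.group("runas") not in targets:
            targets.append(m.group("runas"))
        commands.append(m.group("cmd") if m else cmd)
        unprefixed += 0 if m else 1
    return targets, commands, len(targets) > 1 or (bool(targets) and unprefixed > 0)

def lint_sudo_role(entry: Entry) -> List[str]:
    """Problems with one sudoRole entry; an empty list means it looks sane."""
    if "sudoRole" not in entry.get("objectClass", []):
        return []
    problems = [f"missing {a}" for a in ("sudoUser", "sudoHost", "sudoCommand") if a not in entry]
    targets, _, mixed = split_runas(entry)
    if targets:
        problems.append("sudoCommand carries a sudoers-style '(runas)' prefix; put the target in sudoRunAs")
    if mixed:
        problems.append("mixed runas targets in one role; split it into separate sudoRole entries")
    return problems

def fix_sudo_role(entry: Entry) -> Entry:
    """Copy of entry with a uniform '(user)' prefix moved into sudoRunAs (attribute name
    of the sudo-ldap schema of the thread's era; later releases use sudoRunAsUser)."""
    targets, commands, mixed = split_runas(entry)
    if mixed:
        raise ValueError("mixed runas targets: split the role instead of rewriting it")
    fixed = {k: list(v) for k, v in entry.items()}
    if targets:
        fixed["sudoCommand"] = commands
        fixed["sudoRunAs"] = targets
    return fixed

def to_ldif(entry: Entry) -> str:
    """Serialise back to LDIF, dn first; base64-encode values plain LDIF cannot carry."""
    out = []
    for attr in ["dn"] + [a for a in entry if a != "dn"]:
        for value in entry[attr]:
            plain = value.isascii() and value == value.strip() and not value.startswith((":", "<"))
            out.append(f"{attr}: {value}" if plain else f"{attr}:: {base64.b64encode(value.encode()).decode()}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":  # lint the sample, then print the corrected root role
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", lint_sudo_role(entry) or "ok")
    print(to_ldif(fix_sudo_role(parse_ldif(SAMPLE_LDIF)[0])), end="")
```

A role that mixes an explicit runas with unprefixed commands, or names several different targets, is reported but deliberately not rewritten: a single sudoRunAs applies to every sudoCommand in the role, so rewriting it in place would silently widen the runas of the other commands. Such roles have to be split into separate sudoRole entries by hand before the corrected LDIF is loaded.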