[sudo-users] sudo driven by LDAP accepting any passwd

Wes Rogers wrogers at gmail.com
Fri Oct 20 16:30:43 EDT 2006

I've got a large setup of centralized sudo in LDAP.

Everything works fine, except I noticed today one very nasty problem.

If you are a user that is allowed sudoers access, you can type a
command that is permitted to you and if you type an incorrect passwd,
it proceeds anyway.

Has anyone come across this, and if so, what did I miss?  Here are some
examples of the setup:

dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
sudoOption: logfile=/var/log/sudolog
sudoOption: insults

dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
cn: testrole
description: Testing
objectClass: top
objectClass: sudoRole
sudoCommand: ALL
sudoUser: +testusers
sudoHost: +testhosts

dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testusers
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,testuser,)
description: Testing Users

dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testhosts
description: Test Servers
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (testhost1,,,)

testhost1$ sudo su -
LDAP Config Summary
port         389
ldap_version 3
sudoers_base ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
binddn       cn=Auth,ou=Applications,ou=blah,dc=blah,dc=com
bindpw       blah
ssl          (no)
ldap_bind() ok
ldap sudoOption: 'ignore_local_sudoers'
ldap sudoOption: 'logfile=/var/log/sudolog'
ldap sudoOption: 'insults'
ldap search '(|(sudoUser=testuser)(sudoUser=%testgroup)(sudoUser=%testgroup)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
ldap sudoUser netgroup '+testusers' ... MATCH!
ldap sudoHost netgroup '+testhosts' ... MATCH!
ldap sudoCommand 'ALL' ... MATCH!
Perfect Matched!
Password: <enter anything with keyboard>
[root at testhost ~]#

If I do NOT enter a passwd and just hit enter, it won't let me sudo.
But if I type correct/incorrect passwd, it lets me.

I'm also using the sudo.schema from
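
An added example, not part of the original post: a Python lint over sudoRole and nisNetgroup entries like the ones quoted above. It flags any `sudoOption: !authenticate` (the sudoers option that turns off the password prompt) and any nisNetgroupTriple that is not in (host,user,domain) form. The sample is a trimmed, constructed copy of the post's LDIF, and `parse_ldif` and `audit` are hypothetical helper names.

```python
import re
# Constructed sample: a trimmed copy of the LDIF entries quoted in the post.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
objectClass: sudoRole
sudoOption: ignore_local_sudoers

dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
objectClass: sudoRole
sudoCommand: ALL
sudoUser: +testusers
sudoHost: +testhosts

dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
objectClass: nisNetgroup
nisNetgroupTriple: (,testuser,)

dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
objectClass: nisNetgroup
nisNetgroupTriple: (testhost1,,,)
"""
TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")  # (host,user,domain)

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attr -> [values] dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (dn, finding) pairs for password-less roles and malformed triples."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        opts = [o.replace(" ", "") for o in e.get("sudooption", [])]
        if "sudorole" in classes and "!authenticate" in opts:
            findings.append((dn, "sudoOption !authenticate: no password required"))
        for t in e.get("nisnetgrouptriple", []) if "nisnetgroup" in classes else []:
            if not TRIPLE.match(t):
                findings.append((dn, "malformed nisNetgroupTriple: " + t))
    return findings
```

On the sample, `audit(parse_ldif(SAMPLE_LDIF))` reports only the testhosts triple, which has four fields instead of three; no role carries `!authenticate`.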


