[sudo-users] sudo driven by LDAP accepting any passwd

Michael Potter pottmi at gmail.com
Fri Oct 20 22:13:23 EDT 2006


Wes,

A very nasty problem indeed.  I don't know much about ldap itself, but I had
success looking at the sudo log and the syslog to track down authentication
problems in the past.  On my mac the authentication subsystem has its own
logs that intermix with the sudo entries in syslog.  That made it easy to
see what was wrong.

Good luck, please report back what you find to be the solution.

-- 
Michael Potter

On 10/20/06, Wes Rogers <wrogers at gmail.com> wrote:
>
> I've got a large setup of centralized sudo in LDAP.
>
> Everything works fine, except I noticed today one very nasty problem.
>
> If you are a user that is allowed sudoers access, you can type a
> command that is permitted to you and if you type an incorrect passwd,
> it proceeds anyway.
>
> Has anyone come across this, and if so, what did I miss?  Here are some
> examples of the setup :
>
> dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: ignore_local_sudoers
> sudoOption: logfile=/var/log/sudolog
> sudoOption: insults
>
> dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> cn: testrole
> description: Testing
> objectClass: top
> objectClass: sudoRole
> sudoCommand: ALL
> sudoUser: +testusers
> sudoHost: +testhosts
>
> dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
> cn: testusers
> objectClass: nisNetgroup
> objectClass: top
> nisNetgroupTriple: (,testuser,)
> description: Testing Users
>
> dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
> cn: testhosts
> description: Test Servers
> objectClass: nisNetgroup
> objectClass: top
> nisNetgroupTriple: (testhost1,,,)
>
> testhost1$ sudo su -
> LDAP Config Summary
> ===================
> host         10.0.0.1 10.0.0.2
> port         389
> ldap_version 3
> sudoers_base ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> binddn       cn=Auth,ou=Applications,ou=blah,dc=blah,dc=com
> bindpw       blah
> ssl          (no)
> ===================
> ldap_init(10.0.0.1 10.0.0.2,389)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> ldap sudoOption: 'ignore_local_sudoers'
> ldap sudoOption: 'logfile=/var/log/sudolog'
> ldap sudoOption: 'insults'
> ldap search
> '(|(sudoUser=testuser)(sudoUser=%testgroup)(sudoUser=%testgroup)(sudoUser=ALL))'
> ldap search 'sudoUser=+*'
> found:cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> ldap sudoUser netgroup '+testusers' ... MATCH!
> ldap sudoHost netgroup '+testhosts' ... MATCH!
> ldap sudoCommand 'ALL' ... MATCH!
> Perfect Matched!
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x02
> Password: <enter anything with keyboard>
> [root at testhost ~]#
>
> If I do NOT enter a passwd and just hit enter, it won't let me sudo.
> But if I type correct/incorrect passwd, it lets me.
>
> I'm also using the sudo.schema from
> http://www.courtesan.com/sudo/readme_ldap.html
>
> Thanks,
> Wes
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
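Michael's suggestion is to put the sudo log and the PAM entries in syslog side by side. The following is an added example, not code from the thread or from the sudo project: a small Python check that walks a syslog excerpt and flags a sudo command that was executed shortly after PAM recorded an authentication failure for the same user, without sudo itself logging an "incorrect password attempt". That is the pattern a check for the symptom Wes describes would look for. The line formats are the standard sudo and pam_unix syslog formats; the host name, timestamps, users and commands in the sample are constructed, and the 60-second correlation window is an assumed default.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed syslog excerpt (not taken from the original thread).
# Session 1: PAM reports a failure, yet sudo runs the command anyway.
# Session 2: PAM rejects an empty password and sudo records the rejection.
# Session 3: a normal session with no PAM failure at all.
SAMPLE_SYSLOG = """\
Oct 20 22:10:01 testhost1 sudo: pam_unix(sudo:auth): authentication failure; logname=testuser uid=1001 euid=0 tty=/dev/pts/0 ruser=testuser rhost=  user=testuser
Oct 20 22:10:01 testhost1 sudo: testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su -
Oct 20 22:12:30 testhost1 sudo: pam_unix(sudo:auth): conversation failed
Oct 20 22:12:30 testhost1 sudo: pam_unix(sudo:auth): auth could not identify password for [testuser]
Oct 20 22:12:30 testhost1 sudo: testuser : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su -
Oct 20 22:15:00 testhost1 sudo: otheruser : TTY=pts/1 ; PWD=/home/otheruser ; USER=root ; COMMAND=/bin/ls
"""

# "Mon DD HH:MM:SS host sudo[pid]: message" (the pid part is optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sudo(?:\[\d+\])?: (?P<msg>.*)$"
)
# sudo's own command record, optionally prefixed by its rejection counter
CMD_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<bad>\d+) incorrect password attempts? ; )?"
    r"TTY=(?P<tty>\S+) ; .*COMMAND=(?P<cmd>.+)$"
)
# pam_unix / pam_ldap style failure line for the sudo auth stack
PAM_FAIL_RE = re.compile(
    r"^pam_\w+\(sudo:auth\): authentication failure;.*\buser=(?P<user>\S+)"
)


def parse_ts(stamp: str) -> datetime:
    """Parse a syslog timestamp (no year; only deltas are used)."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")


def find_suspicious_sessions(
    syslog_text: str, window_seconds: int = 60
) -> List[Tuple[str, str, float]]:
    """Return (user, command, seconds_since_pam_failure) for every sudo
    command line that followed a PAM auth failure for the same user within
    the window and that sudo did not record as a failed password attempt."""
    last_failure: Dict[str, datetime] = {}
    hits: List[Tuple[str, str, float]] = []
    for raw in syslog_text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue  # not a sudo line
        ts = parse_ts(m.group("ts"))
        msg = m.group("msg")
        pam = PAM_FAIL_RE.match(msg)
        if pam:
            last_failure[pam.group("user")] = ts
            continue
        cmd = CMD_RE.match(msg)
        if not cmd:
            continue  # other sudo/PAM chatter we do not correlate
        user = cmd.group("user")
        if cmd.group("bad"):
            # sudo itself rejected the password: the stack behaved as expected
            last_failure.pop(user, None)
            continue
        fail_ts = last_failure.pop(user, None)
        if fail_ts is not None:
            delta = (ts - fail_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((user, cmd.group("cmd"), delta))
    return hits


if __name__ == "__main__":
    for user, command, delta in find_suspicious_sessions(SAMPLE_SYSLOG):
        print(f"{user} ran {command!r} {delta:.0f}s after a PAM auth failure")
```

Run against a real /var/log/auth.log or /var/log/secure, an empty result means every PAM failure was followed by sudo's own "incorrect password attempt" record; any hit is a session worth tracing through the sudo debug output and the PAM configuration for sudo.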
