[sudo-users] sudo LDAP sudoUser enumeration
Josh Miller
joshua at itsecureadmin.com
Tue Dec 18 15:48:49 EST 2007
I am using sudo compiled from sudo-1.6.9p6 and having issues getting it
to work with LDAP entries on CentOS 4.
I am using winbind to enumerate groups from Active Directory with some
local groups (winbind auth works). When I issue 'sudo -l' with
sudo_debug set to 2, I see that a comparison is made by sudo against the
groups that I am a member of to the sudoUser groups that I have
configured in LDAP and the comparison fails, even though I have group
membership that should match. The test account in question is a member
of 30-45 groups.
[:user at host:] sudo -l
LDAP Config Summary
===================
uri ldaps://host1 ldaps://host2
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=org
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 15000
timelimit 15
ssl on
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,
"/usr/share/ssl/certs/cacert.crt")
ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE, "HIGH:MEDIUM:+SSLv3:RSA")
ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT, 1)
ldap_set_option(LDAP_OPT_TIMELIMIT, 15)
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 15)
sudo: ldap_initialize(ld,ldaps://host1 ldaps://host2)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_bind() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user)(...<many more groups>)
sudo: nothing found for '(|(sudoUser=user)(...<many more groups>)'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(49)=0x104
Password:
Password:
Password:
[:user at host:]
A subsequent ldapsearch on the sudouser in question returns a valid record.
Are there any known issues with a maximum number of groups that a
user can be a member of, or related issues with winbind or LDAP groups? I
have also tried this with another account that only has 12 groups, without
success.
Thanks,
--
Joshua M. Miller - RHCE,VCP
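An added example, not part of the original post or of sudo's own source: a small Python helper that reproduces the shape of the first-pass search visible in the debug output above ('(|(sudoUser=user)(sudoUser=%group)...)') and the user / %group / +netgroup / ALL matching that sudo-ldap applies to sudoUser values, so the client side of the comparison can be inspected offline when 'user_matches=0' shows up. The exact filter layout, the RFC 4515 escaping of group names, and the sample values (the "DOM\admins" style winbind group names, the sudoUser entries) are assumptions constructed for this example.

```python
# Reproduce sudo-ldap's sudoUser filter construction and matching for debugging.
# Everything here is an illustrative reconstruction, not sudo's code.

FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def ldap_filter_escape(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_sudo_user_filter(username, groups):
    """Build the first-pass filter: the user itself, every %group, and ALL.

    Winbind groups such as 'DOM\\admins' contain a backslash, which must be
    escaped or the filter is malformed; the escaped form is what the server
    compares against the stored sudoUser attribute values.
    """
    terms = ['(sudoUser=%s)' % ldap_filter_escape(username)]
    terms.extend('(sudoUser=%%%s)' % ldap_filter_escape(g) for g in groups)
    terms.append('(sudoUser=ALL)')
    return '(|' + ''.join(terms) + ')'


def match_sudo_user(sudo_user_values, username, groups, netgroups=()):
    """Return the sudoUser values from one sudoRole entry that apply to this user.

    Matching rules (sudoers-ldap syntax): a bare value is a user name,
    %name is a group, +name is a netgroup, ALL matches everyone.
    """
    matched = []
    for value in sudo_user_values:
        if value == 'ALL' or value == username:
            matched.append(value)
        elif value.startswith('%') and value[1:] in groups:
            matched.append(value)
        elif value.startswith('+') and value[1:] in netgroups:
            matched.append(value)
    return matched


def near_misses(sudo_user_values, username, groups):
    """Values that would match only under case-insensitive comparison.

    Useful when user_matches=0 but the groups look right: whether the
    comparison is case-sensitive depends on the sudoUser attribute's
    LDAP matching rule, not on sudo.
    """
    lowered_groups = {g.lower() for g in groups}
    misses = []
    for value in sudo_user_values:
        if value in match_sudo_user([value], username, groups):
            continue  # exact match, not a near miss
        if value.startswith('%') and value[1:].lower() in lowered_groups:
            misses.append(value)
        elif not value.startswith(('%', '+')) and value.lower() == username.lower():
            misses.append(value)
    return misses


if __name__ == '__main__':
    # Constructed sample: a winbind-style group list and one sudoRole's sudoUser values.
    user = 'jmiller'
    member_of = ['DOM\\admins', 'DOM\\Domain Users', 'wheel']
    role_values = ['%DOM\\admins', '%Wheel', '+ops', 'alice']

    print(build_sudo_user_filter(user, member_of))
    print('matched:', match_sudo_user(role_values, user, member_of))
    print('near misses:', near_misses(role_values, user, member_of))
```

The filter printed by the first function is the literal string the server has to evaluate, which makes it easy to compare character by character against the sudoUser values an ldapsearch on the role returns; 'near_misses' flags values that differ only in case, which points at the attribute's matching rule rather than at group membership.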