[sudo-users] sudo LDAP sudoUser enumeration

Josh Miller joshua at itsecureadmin.com
Tue Dec 18 15:48:49 EST 2007

I am using sudo compiled from sudo-1.6.9p6 and having issues getting it 
to work with LDAP entries on CentOS 4.

I am using winbind to enumerate groups from Active Directory with some 
local groups (winbind auth works).  When I issue 'sudo -l' with 
sudo_debug set to 2, I see that a comparison is made by sudo against the 
groups that I am a member of to the sudoUser groups that I have 
configured in LDAP and the comparison fails, even though I have group 
membership that should match.  The test account in question is a member 
of 30-45 groups.

[:user at host:] sudo -l
LDAP Config Summary
uri          ldaps://host1 ldaps://host2
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=org
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  15000
timelimit    15
ssl          on
ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT, 1)
ldap_set_option(LDAP_OPT_TIMELIMIT, 15)
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 15)
sudo: ldap_initialize(ld,ldaps://host1 ldaps://host2)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_bind() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user)(...<many more groups>)
sudo: nothing found for '(|(sudoUser=user)(...<many more groups>)'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_check(49)=0x104
[:user at host:]

A subsequent ldapsearch on the sudouser in question returns a valid record.

Are there any known issues based on a maximum number of groups that a 
user can be a member of, or related issues with winbind or LDAP groups?  I 
have also tried this with another account that only has 12 groups without 


Joshua M. Miller - RHCE,VCP

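An added example for working through this kind of failure offline; it is not part of the post above and not sudo's own code. It models the first-pass sudoUser query that sudoers.ldap describes (the user's login name, a `%group` term per group, and `ALL`, joined in one OR filter), escapes the values per RFC 4515, and then evaluates the same exact-match comparison locally against constructed sudoRole entries. The near-miss report is the diagnostic worth having when `user_matches=0` appears: winbind-presented group names (domain prefix, separator, letter case) are assumptions in the sample data, and a `%group` value in LDAP that differs from what `id -Gn` prints by only a prefix or case will never match.

```python
"""Offline check of sudo-ldap style sudoUser matching (added example, not from the post).

Given the groups a user belongs to (as `id -Gn` would print them) and the
sudoUser values of the sudoRole entries under sudoers_base, this builds the
kind of first-pass search filter sudo issues, evaluates the match locally,
and reports near misses (case or domain-prefix differences) so a failing
comparison can be explained without further LDAP round trips.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# RFC 4515: these characters must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_sudouser_filter(user: str, groups: Iterable[str]) -> str:
    """Disjunction of the login name, %group for every group, and ALL.

    Shape follows the sudoers.ldap description of the first query; the exact
    ordering real sudo uses is an assumption here.
    """
    terms = [f"(sudoUser={escape_filter_value(user)})"]
    terms += [f"(sudoUser=%{escape_filter_value(g)})" for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


@dataclass
class SudoRole:
    """Constructed stand-in for a sudoRole entry under sudoers_base."""
    cn: str
    sudo_user: List[str]
    sudo_host: List[str] = field(default_factory=lambda: ["ALL"])


def user_matches(role: SudoRole, user: str, groups: Iterable[str]) -> bool:
    """Exact-match semantics: a sudoUser value is a login name, %group or ALL."""
    group_set = set(groups)
    for spec in role.sudo_user:
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in group_set:
            return True
    return False


def _normalise(name: str) -> str:
    # Strip a DOMAIN\ or DOMAIN+ prefix winbind may add (assumed formats) and fold case.
    for sep in ("\\", "+"):
        if sep in name:
            name = name.split(sep, 1)[1]
    return name.lower()


def near_misses(role: SudoRole, groups: Iterable[str]) -> List[Tuple[str, str]]:
    """(sudoUser value, local group) pairs that differ only in case or prefix."""
    hits = []
    for spec in role.sudo_user:
        if not spec.startswith("%"):
            continue
        wanted = spec[1:]
        for g in set(groups):
            if g != wanted and _normalise(g) == _normalise(wanted):
                hits.append((spec, g))
    return hits


# Constructed sample data: local groups plus winbind-style domain groups.
SAMPLE_USER = "user"
SAMPLE_GROUPS = ["users", "wheel", "EXAMPLE\\Linux Admins", "EXAMPLE\\dba"]
SAMPLE_ROLES = [
    SudoRole("admins", ["%linux admins"]),   # case and prefix differ from winbind's name
    SudoRole("dba", ["%EXAMPLE\\dba"]),       # spelled exactly as winbind presents it
    SudoRole("root-only", ["root"]),
]


def diagnose(user=SAMPLE_USER, groups=SAMPLE_GROUPS, roles=SAMPLE_ROLES) -> dict:
    """Summarise the filter sent, which roles match, and which almost match."""
    return {
        "filter": build_sudouser_filter(user, groups),
        "matched": [r.cn for r in roles if user_matches(r, user, groups)],
        "near_misses": {r.cn: near_misses(r, groups) for r in roles if near_misses(r, groups)},
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run with the real output of `id -Gn` and the sudoUser values from `ldapsearch -b ou=SUDOers,dc=example,dc=org objectClass=sudoRole sudoUser` in place of the constructed lists; a role that ends up only in `near_misses` is one the server can never return for that user, however many groups the filter carries.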