[sudo-users] sudo LDAP sudoUser enumeration
joshua at itsecureadmin.com
Tue Dec 18 15:48:49 EST 2007
I am using sudo compiled from sudo-1.6.9p6 and having issues getting it
to work with LDAP entries on CentOS 4.
I am using winbind to enumerate groups from Active Directory with some
local groups (winbind auth works). When I issue 'sudo -l' with
sudo_debug set to 2, I see that a comparison is made by sudo against the
groups that I am a member of to the sudoUser groups that I have
configured in LDAP and the comparison fails, even though I have group
membership that should match. The test account in question is a member
of 30-45 groups.
[:user at host:] sudo -l
LDAP Config Summary
uri ldaps://host1 ldaps://host2
sudo: ldap_initialize(ld,ldaps://host1 ldaps://host2)
sudo: ldap_bind() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=user)(...<many more groups>)
sudo: nothing found for '(|(sudoUser=user)(...<many more groups>)'
sudo: ldap search 'sudoUser=+*'
[:user at host:]
A subsequent ldapsearch on the sudouser in question returns a valid record.
Are there any known issues based on a maximum number of groups that a
user can be a member of or related issues to winbind or LDAP groups? I
have also tried this with another account who only has 12 groups without
Joshua M. Miller - RHCE,VCP
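As an added example (not sudo's code and not from the original post), the script below rebuilds the sudoUser OR filter in the shape the debug output above logs, escapes group names per RFC 4515 so that winbind-style names containing a backslash cannot corrupt the filter, and applies the same equality test locally to a constructed set of sudoRole entries. The sample user, groups and role entries are all constructed; the ALL term is included because sudoUser accepts it as a catch-all.

```python
# Added example (not sudo's own code): reproduce the sudoUser filter and
# matching shown in the debug output above, using constructed sample data.

def ldap_escape(value):
    """Escape a filter value per RFC 4515, so winbind-style names such as
    'DOMAIN\\admins' do not break the filter syntax."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def build_sudo_filter(user, groups):
    """Build the OR filter in the shape sudo -l logs: the user, each group as
    '%group', and the ALL catch-all that sudoUser accepts."""
    terms = ['(sudoUser=%s)' % ldap_escape(user)]
    terms += ['(sudoUser=%%%s)' % ldap_escape(g) for g in groups]
    terms.append('(sudoUser=ALL)')
    return '(|%s)' % ''.join(terms)

def match_sudo_roles(user, groups, roles):
    """Apply the same equality test locally to a list of sudoRole entries
    (dicts with 'cn' and a list of 'sudoUser' values). Comparison is exact and
    case-sensitive here; check the EQUALITY rule your server's sudoUser
    attribute uses. Values starting with '+' are netgroups: they come from the
    separate 'sudoUser=+*' search and need an innetgr() check, so they are
    reported separately instead of being guessed at."""
    wanted = {user, 'ALL'} | {'%' + g for g in groups}
    matched, netgroup_pending = [], []
    for role in roles:
        values = role.get('sudoUser', [])
        if any(v in wanted for v in values):
            matched.append(role['cn'])
        elif any(v.startswith('+') for v in values):
            netgroup_pending.append(role['cn'])
    return matched, netgroup_pending

# Constructed sample: a winbind user in a domain group plus local groups.
SAMPLE_USER = 'user'
SAMPLE_GROUPS = ['DOMAIN\\admins', 'wheel', 'ops users']
SAMPLE_ROLES = [
    {'cn': 'role_admins', 'sudoUser': ['%DOMAIN\\admins']},
    {'cn': 'role_direct', 'sudoUser': ['user']},
    {'cn': 'role_other',  'sudoUser': ['%staff']},
    {'cn': 'role_ng',     'sudoUser': ['+sysadmins']},
]

if __name__ == '__main__':
    f = build_sudo_filter(SAMPLE_USER, SAMPLE_GROUPS)
    # Print the filter and its length: a long group list makes a long filter,
    # which is worth comparing against any server or client size limit.
    print(f, len(f))
    print(match_sudo_roles(SAMPLE_USER, SAMPLE_GROUPS, SAMPLE_ROLES))
```

Comparing the escaped filter this prints with the one in sudo's debug output is a quick way to see whether a group name with a backslash or other filter-special character is being sent to the server unescaped.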