[sudo-users] sudo & LDAP

Doug Goldstein cardoe at gentoo.org
Tue Mar 6 10:06:23 EST 2007


Hi all,

Currently I'm having an issue with sudo & ldap. I'm running on a Gentoo
system against OpenLDAP 2.3.30 and sudo-1.6.8_p12

The issue is that every user attempting to use sudo results in the
following in the logs:

[sudo] nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
....
[sudo] nss_ldap: could not search LDAP server - Server is unavailable

However my server is there and available. Every other use of nss_ldap is
working on that box. When the user attempts to run sudo they get the
following error:

sudo: uid 5000 does not exist in the passwd file!

However, running a simple "id" results in:

uid=5000(doug) gid=100(users) groups=100(users),500(svnusers)

Now Gentoo has sudo configure its LDAP settings in /etc/ldap.conf.sudo
and I have the following configuration:

uri ldap://gravel.internal.company.com ldap://marble.internal.company.com
ldap_version 3
ssl start_tls
tls_cacertdir /etc/ssl/certs/
tls_checkpeer yes
sudoers_debug 2
sudoers_base ou=SUDOers,dc=company,dc=com

I ran the sudoers2ldif file and imported it into
ou=SUDOers,dc=company,dc=com. I also added an ACL to slapd that allows *
to read that ou.

Running sudo --help as root provides the following:

LDAP Config Summary
===================
uri          ldap://gravel.internal.company.com
ldap://marble.internal.company.com
ldap_version 3
sudoers_base ou=SUDOers,dc=company,dc=com
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  30
timelimit    30
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/ssl/certs/")
ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0x01)
ldap_set_option(LDAP_OPT_TIMELIMIT,0x1e)
setting bind_timelimit to 30
ldap_initialize(ld,ldap://gravel.internal.company.com
ldap://marble.internal.company.com)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
found:cn=defaults,ou=SUDOers,dc=company,dc=com
ldap search
'(|(sudoUser=root)(sudoUser=%root)(sudoUser=%root)(sudoUser=%bin)(sudoUser=%daemon)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%disk)(sudoUser=%wheel)(sudoUser=%floppy)(sudoUser=%dialout)(sudoUser=%tape)(sudoUser=%video)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
user_matches=0
host_matches=0
sudo_ldap_check(0)=0x44
usage: sudo -K | -L | -V | -h | -k | -l | -v
usage: sudo [-HPSb] [-p prompt] [-u username|#uid]
            { -e file [...] | -i | -s | <command> }


So root appears to read the file and parse it properly, however the normal
users on the box do not provide any of that debugging info which makes me
believe it's not parsing the file at all.

If anyone has any insight or any suggestions it'd be much appreciated. The
issue lives in Gentoo's bugzilla at
http://bugs.gentoo.org/show_bug.cgi?id=107634

--
Doug Goldstein
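As an added example (not sudo's code and not part of the bug report above), here is a small Python model of the lookup the debug trace shows: it builds the same kind of sudoUser filter sudo logs and evaluates in-memory sudoRole entries against a user, group list and hostname, so an admin can reason about what user_matches/host_matches should be for a given account. The sudoRole entries and hostnames are constructed; the netgroup (sudoUser=+*) lookup and IP/netmask sudoHost forms are not modelled.

```python
import fnmatch

# Constructed sample directory under the sudoers_base from the post
# (ou=SUDOers,dc=company,dc=com). All values here are made up.
SAMPLE_ROLES = [
    {"dn": "cn=defaults,ou=SUDOers,dc=company,dc=com",
     "sudoOption": ["env_reset"]},                       # options only, no sudoUser
    {"dn": "cn=wheel,ou=SUDOers,dc=company,dc=com",
     "sudoUser": ["%wheel"], "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},
    {"dn": "cn=svnadmin,ou=SUDOers,dc=company,dc=com",
     "sudoUser": ["doug"], "sudoHost": ["gravel*"],
     "sudoCommand": ["/usr/bin/svnadmin"]},
]


def build_user_filter(user, groups):
    """Build the first filter seen in the trace, e.g.
    (|(sudoUser=root)(sudoUser=%wheel)(sudoUser=ALL))."""
    terms = ["(sudoUser=%s)" % user]
    terms += ["(sudoUser=%%%s)" % g for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


def user_matches(entry, user, groups):
    """True if any sudoUser value names the user, one of its groups (%group) or ALL."""
    for v in entry.get("sudoUser", []):
        if v == "ALL" or v == user or (v.startswith("%") and v[1:] in groups):
            return True
    return False


def host_matches(entry, hostname):
    """True if any sudoHost value is ALL or a shell-style pattern matching the host."""
    for v in entry.get("sudoHost", []):
        if v == "ALL" or fnmatch.fnmatchcase(hostname, v):
            return True
    return False


def check(roles, user, groups, hostname):
    """Return DNs of sudoRole entries granting `user` something on `hostname`.
    An empty list corresponds to user_matches=0 / host_matches=0 in the trace."""
    matched = []
    for e in roles:
        if "sudoUser" not in e:          # cn=defaults carries options only
            continue
        if user_matches(e, user, groups) and host_matches(e, hostname):
            matched.append(e["dn"])
    return matched
```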
