[sudo-users] Netgroup issue with LDAP

Barron, Danny danny.barron at eds.com
Thu Nov 15 09:50:37 EST 2007


I'm running on Redhat, not that this should make a lot of difference.
The hostname I'm testing from is jc and that host is NOT a member of
pincov_hosts netgroup, however, it passes as a match to that host
netgroup (as below):
sudo2: ldap_bind() ok
sudo2: found:cn=defaults,ou=sudoers,dc=sabre,dc=com
sudo2: ldap sudoOption: 'shell_noargs'
sudo2: ldap search '(|(sudoUser=test2)(sudoUser=%ueng)(sudoUser=%ueng)(sudoUser=%pincov)(sudoUser=%iss)(sudoUser=ALL))'
sudo2: found:cn=%iss,ou=sudoers,dc=sabre,dc=com
sudo2: ldap sudoHost 'ALL' ... MATCH!
sudo2: found:cn=ueng,ou=Sudoers,dc=sabre,dc=com
sudo2: ldap sudoHost 'ALL' ... MATCH!
sudo2: found:cn=pincov-hybfunc,ou=Sudoers,dc=sabre,dc=com
sudo2: ldap sudoHost 'ALL' ... MATCH!
sudo2: found:cn=test2, ou=sudoers, dc=sabre,dc=com
sudo2: ldap sudoHost '+pincov_hosts' ... MATCH!
sudo2: ldap search 'sudoUser=+*'
sudo2: found:cn=eds_infra_support, ou=sudoers, dc=sabre,dc=com
sudo2: ldap sudoUser netgroup '+eds_infra_support' ... not
sudo2: user_matches=-1
sudo2: host_matches=-1
sudo2: sudo_ldap_check(49)=0x02

I.e., as proof:
$ getent netgroup pincov_hosts
pincov_hosts          (ttfhli005, , sabre.com) (ttfhli006, , sabre.com) ( , ttfhli007, sabre.com) (ttfhli008, , sabre.com) (ttfhli009, , sabre.com) (ttfhli010, , sabre.com)

Anyone have words of wisdom or perhaps a patch they've developed to
correct this aberration?  In my environment, there will be hundreds of
hosts in a netgroup; I'd rather manage them there (for access control
issues as well as SUDO) than having to add hundreds of sudoHost entries
to commands in the LDAP.

Thanks for taking the time to read my email.
Danny Barron
