[sudo-users] Netgroup issue with LDAP

Wes Rogers wrogers at gmail.com
Wed Nov 21 12:50:39 EST 2007

Same thing for me.

ldap_bind() ok
ldap sudoOption: 'ignore_local_sudoers'
ldap sudoOption: 'logfile=/var/log/sudolog'
ldap search '(|(sudoUser=beavis)(sudoUser=%example)(sudoUser=%example)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
ldap sudoUser netgroup '+hostops' ... MATCH!
ldap sudoHost '+allhosts' ... MATCH!
User beavis may run the following commands on this host:

LDAP Role: beavis

It doesn't even TRY the host netgroup, and on top of that, the
hostname that this was run on isn't even in "allhosts".


On Nov 15, 2007 9:50 AM, Barron, Danny <danny.barron at eds.com> wrote:
> I'm running on Redhat, not that this should make a lot of difference.
> The hostname I'm testing from is jc and that host is NOT a member of
> pincov_hosts netgroup, however, it passes as a match to that host
> netgroup (as below):
> sudo2: ldap_bind() ok
> sudo2: found:cn=defaults,ou=sudoers,dc=sabre,dc=com
> sudo2: ldap sudoOption: 'shell_noargs'
> sudo2: ldap search
> '(|(sudoUser=test2)(sudoUser=%ueng)(sudoUser=%ueng)(sudoUser=
> %pincov)(sudoUser=%iss)(sudoUser=ALL))'
> sudo2: found:cn=%iss,ou=sudoers,dc=sabre,dc=com
> sudo2: ldap sudoHost 'ALL' ... MATCH!
> sudo2: found:cn=ueng,ou=Sudoers,dc=sabre,dc=com
> sudo2: ldap sudoHost 'ALL' ... MATCH!
> sudo2: found:cn=pincov-hybfunc,ou=Sudoers,dc=sabre,dc=com
> sudo2: ldap sudoHost 'ALL' ... MATCH!
> sudo2: found:cn=test2, ou=sudoers, dc=sabre,dc=com
> sudo2: ldap sudoHost '+pincov_hosts' ... MATCH!
> sudo2: ldap search 'sudoUser=+*'
> sudo2: found:cn=eds_infra_support, ou=sudoers, dc=sabre,dc=com
> sudo2: ldap sudoUser netgroup '+eds_infra_support' ... not
> sudo2: user_matches=-1
> sudo2: host_matches=-1
> sudo2: sudo_ldap_check(49)=0x02
> IE, as proof.
> $ getent netgroup pincov_hosts
> pincov_hosts          (ttfhli005, , sabre.com) (ttfhli006, , sabre.com)
> ( , ttfh
> li007, sabre.com) (ttfhli008, , sabre.com) (ttfhli009, , sabre.com)
> (ttfhli010,
> , sabre.com)
> Anyone have words of wisdom or perhaps a patch they've developed to
> correct this abberation?  In my environment, there will be hundreds of
> hosts in a netgroup, I'd rather manage them there  (for access control
> issues as well as SUDO), than having to add hundreds of sudohost entries
> to commands in the LDAP.
> Thanks for taking the time to read my email.
> Danny Barron
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list