[sudo-users] Strange sudo with OpenLDAP problem
Guus Leeuw
guus.leeuw at itpassion.com
Wed Apr 9 18:40:09 EDT 2008
Hello,
I just downloaded (CVS-ed) the latest source of sudo, since I want to
integrate sudo with LDAP and so more or less disable the root user. I hear
that all works beautifully, so why not.
I configured with
$ ./configure --prefix=/usr --disable-root-sudo --enable-noargs-shell
--enable-shell-sets-home --disable-path-info --with-pam
--with-logging=syslog --with-logfac=local2 --with-ldap
--with-ldap-conf-file=/etc/ldap.conf
The basic concept behind the security here at ITPassion is that:
1) Every authc request goes to OpenLDAP (PAM, IMAPd, whatever) and
2) OpenLDAP then forwards that request to KerberosV
Hence the --with-pam and the --with-ldap in the configure options.
Anyways, after a quick upgrade to OpenLDAP 2.3.34-7, I can now
$ ldapsearch -x sudoUser=adm_leeuwg
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: sudoUser=adm_leeuwg
# requesting: ALL
#
# normal_admin, SUDOers, itpassion.com
dn: cn=normal_admin,ou=SUDOers,dc=itpassion,dc=com
objectClass: sudoRole
cn: normal_admin
sudoUser: adm_leeuwg
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: root
sudoOption: ignore_local_sudoers
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
*but*
Reading the manuals and docs, I should not have to have a /etc/sudoers
file, provided my OpenLDAP has
$ ldapsearch -x cn=defaults
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=defaults
# requesting: ALL
#
# defaults, SUDOers, itpassion.com
dn: cn=defaults,ou=SUDOers,dc=itpassion,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Right?
However when I
$ sudo
ldap_free_connection 1 0
ldap_free_connection: actually freed
sudo: can't stat /etc/sudoers: No such file or directory
sudo: no valid sudoers sources found, quitting
which sounds odd to me... almost as if sudo is not even trying to query
LDAP for cn=defaults, and indeed, if I increase the logging on slapd, I
see nothing that even remotely looks as if cn=defaults is being
searched...
And even if I put a /etc/sudoers that says
Defaults ignore_local_sudoers
I get
$ sudo
ldap_free_connection 1 0
ldap_free_connection: actually freed
sudo: unknown defaults entry `local_ignore_sudoers'
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
adm_leeuwg is not in the sudoers file. This incident will be reported.
and the various logs (sudo.log and secure) read:
Apr 9 23:37:45 development sudo: adm_leeuwg : user NOT in sudoers ;
TTY=pts/2 ; PWD=/home/adm_leeuwg ; USER=root ; COMMAND=/bin/bash
and
Apr 9 23:37:45 development sudo: pam_unix(sudo:auth): authentication
failure; logname=adm_leeuwg uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=
user=adm_leeuwg
Any ideas?
More than happy to further debug this, if nobody has seen this...
Kindest Regards,
Guus Leeuw
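As an added example (not part of the original post and not sudo's own code), the following Python script parses ldapsearch LDIF output like the two listings above and reports what the LDAP sudoers backend would grant a given user on a given host, so an administrator can audit the directory before removing /etc/sudoers. The sudoRole matching rules (ALL, exact value, %group, '!' negation) and the fallback to root when sudoRunAsUser is absent are a simplified model and are assumptions here.

```python
# Added example, not sudo's own code: parse ldapsearch LDIF output like the
# listings in the post and report what the LDAP sudoers backend would grant.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=itpassion,dc=com
cn: defaults
sudoOption: ignore_local_sudoers

dn: cn=normal_admin,ou=SUDOers,dc=itpassion,dc=com
cn: normal_admin
sudoUser: adm_leeuwg
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: root
sudoOption: ignore_local_sudoers
"""  # constructed from the two entries shown in the post

def parse_ldif(text):
    """One {attr: [values]} dict per entry; blank and '#' lines end an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("#"):
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    return entries

def _match(values, candidate, groups=()):
    """Simplified sudo matching: ALL, exact, %group; a negated ('!') hit wins."""
    def ok(v):
        return v == "ALL" or v == candidate or (v[:1] == "%" and v[1:] in groups)
    if any(ok(v[1:]) for v in values if v.startswith("!")):
        return False
    return any(ok(v) for v in values if not v.startswith("!"))

def ldap_sudo_privileges(entries, user, host, groups=()):
    """Return (ignore_local_sudoers_set, [(runas_users, commands)]) for user@host."""
    ignore_local, grants = False, []
    for e in entries:
        is_defaults = e.get("cn") == ["defaults"]
        if not is_defaults and not (_match(e.get("sudoUser", []), user, groups)
                                    and _match(e.get("sudoHost", []), host)):
            continue
        ignore_local |= "ignore_local_sudoers" in e.get("sudoOption", [])
        if not is_defaults:  # assumed: run as root when sudoRunAsUser is absent
            grants.append((e.get("sudoRunAsUser", ["root"]), e.get("sudoCommand", [])))
    return ignore_local, grants
```

Running `ldap_sudo_privileges(parse_ldif(SAMPLE_LDIF), "adm_leeuwg", "development")` returns `(True, [(['root'], ['ALL'])])`, i.e. the directory alone grants the account unrestricted root and asks sudo to ignore the local file.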