[sudo-users] Strange sudo with OpenLDAP problem

Guus Leeuw guus.leeuw at itpassion.com
Thu Apr 10 00:35:11 EDT 2008


Hello,

Found the culprit, didn't have the nsswitch.conf sudoers: ldap line.

Sorry for the trouble.

Guus

On Wed, April 9, 2008 11:40 pm, Guus Leeuw wrote:
> Hello,
>
>
> I just downloaded (CVS-ed) the latest source of sudo, since I want to
> integrate sudo with LDAP and so more or less disable the root user. I hear
> that all works beautifully, so why not.
>
> I configured with
> $ ./configure --prefix=/usr --disable-root-sudo --enable-noargs-shell \
>     --enable-shell-sets-home --disable-path-info --with-pam \
>     --with-logging=syslog --with-logfac=local2 --with-ldap \
>     --with-ldap-conf-file=/etc/ldap.conf
>
>
> The basic concept behind the security here at ITPassion is that:
> 1) Every authc request goes to OpenLDAP (PAM, IMAPd, whatever) and
> 2) OpenLDAP then forwards that request to KerberosV
>
>
> Hence the --with-pam and the --with-ldap in the configure options.
>
>
> Anyways, after a quick upgrade to OpenLDAP 2.3.34-7, I can now
> $ ldapsearch -x sudoUser=adm_leeuwg
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: sudoUser=adm_leeuwg
> # requesting: ALL
> #
>
>
> # normal_admin, SUDOers, itpassion.com
> dn: cn=normal_admin,ou=SUDOers,dc=itpassion,dc=com
> objectClass: sudoRole
> cn: normal_admin
> sudoUser: adm_leeuwg
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: root
> sudoOption: ignore_local_sudoers
>
>
> # search result
> search: 2
> result: 0 Success
>
>
> # numResponses: 2
> # numEntries: 1
>
>
> *but*
>
>
> Reading the manuals and docs, I should not have to have a /etc/sudoers
> file, provided my OpenLDAP has
> $ ldapsearch -x cn=defaults
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: cn=defaults
> # requesting: ALL
> #
>
>
> # defaults, SUDOers, itpassion.com
> dn: cn=defaults,ou=SUDOers,dc=itpassion,dc=com
> objectClass: sudoRole
> cn: defaults
> sudoOption: ignore_local_sudoers
>
>
> # search result
> search: 2
> result: 0 Success
>
>
> # numResponses: 2
> # numEntries: 1
>
>
> Right?
>
>
> However when I
> $ sudo
> ldap_free_connection 1 0 ldap_free_connection: actually freed
> sudo: can't stat /etc/sudoers: No such file or directory
> sudo: no valid sudoers sources found, quitting
>
>
> which sounds odd to me... almost as if sudo is not even trying to query
> LDAP for cn=defaults, and indeed, if I increase the logging on slapd, I
> see nothing that even remotely looks as if cn=defaults is being searched...
>
>
> And even if I put a /etc/sudoers that says
> Defaults ignore_local_sudoers
> I get
> $ sudo
> ldap_free_connection 1 0 ldap_free_connection: actually freed
> sudo: unknown defaults entry `local_ignore_sudoers'
>
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
>
> Password:
> adm_leeuwg is not in the sudoers file.  This incident will be reported.
>
> and the various logs (sudo.log and secure) read:
> Apr  9 23:37:45 development sudo: adm_leeuwg : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/adm_leeuwg ; USER=root ; COMMAND=/bin/bash
>
>
> and
> Apr  9 23:37:45 development sudo: pam_unix(sudo:auth): authentication failure; logname=adm_leeuwg uid=0 euid=0 tty=/dev/pts/2 ruser= rhost= user=adm_leeuwg
>
>
>
> Any ideas?
>
>
> More than happy to further debug this, if nobody has seen this...
>
>
>
> Kindest Regards,
> Guus Leeuw
>
>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws> For list information, options,
> or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>


Kindest Regards,
Guus Leeuw
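As an added example (not code from this thread or from the sudo project), the Python diagnostic below reproduces the failure mode Guus hit: it reads the sudoers line from nsswitch.conf the way sudo does (sudo uses only "files" when that line is absent), parses ldapsearch-style LDIF for a cn=defaults entry, and reports why sudo would say "no valid sudoers sources" or skip /etc/sudoers. The nsswitch.conf contents and the LDIF are constructed samples based on the entries quoted above.

```python
import re

# Constructed samples: the cn=defaults entry quoted in the thread, and two
# nsswitch.conf variants (without and with the "sudoers:" line that fixed it).
DEFAULTS_LDIF = """dn: cn=defaults,ou=SUDOers,dc=itpassion,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers
"""
NSSWITCH_BROKEN = "passwd: files ldap\ngroup:  files ldap\n"
NSSWITCH_FIXED = NSSWITCH_BROKEN + "sudoers: ldap files\n"

def sudoers_sources(nsswitch_text):
    """Ordered sudoers sources sudo would use; 'files' only if no line exists."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"sudoers\s*:\s*(.*)$", line)
        if m:
            # keep source names, skip [NOTFOUND=return]-style action specs
            return [t for t in m.group(1).split() if not t.startswith("[")]
    return ["files"]

def parse_ldif(ldif_text):
    """Parse ldapsearch-style LDIF (plain 'attr: value' lines) into entries."""
    entries, cur = [], {}
    for line in ldif_text.splitlines():
        if not line.strip():                           # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):                 # skip ldapsearch comments
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def diagnose(nsswitch_text, ldif_text, local_sudoers_exists):
    """Return findings explaining which sudoers sources are actually in effect."""
    sources = sudoers_sources(nsswitch_text)
    findings = []
    if "ldap" not in sources:
        findings.append("nsswitch.conf has no 'ldap' sudoers source: sudoRole entries are never queried")
    if sources == ["files"] and not local_sudoers_exists:
        findings.append("no valid sudoers sources: only 'files' configured and /etc/sudoers is absent")
    for entry in parse_ldif(ldif_text):
        if "ldap" in sources and entry.get("cn") == ["defaults"] \
                and "ignore_local_sudoers" in entry.get("sudoOption", []):
            findings.append("cn=defaults sets ignore_local_sudoers: /etc/sudoers will be skipped")
    return findings
```

Run `diagnose(NSSWITCH_BROKEN, DEFAULTS_LDIF, False)` to get the two findings behind the "no valid sudoers sources" error, and the same call with NSSWITCH_FIXED to see that only the LDAP defaults remain in play.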