[sudo-users] LDAP sudoOptions and netgroups:
Patrick Spinler
spinler.patrick at mayo.edu
Sun Jun 8 16:34:54 EDT 2008
Hi:
I'm experimenting with sudo 1.6.9p16, specifically with keeping my
sudoers in LDAP.
I have the following setup:
$ ldapsearch -LLL -x -b dc=unix,dc=mayo,dc=edu objectclass=sudorole
dn: cn=\+sudo_unix_admin,ou=sudoers,dc=unix,dc=mayo,dc=edu
objectClass: top
objectClass: sudoRole
cn: +sudo_unix_admin
sudoUser: +sudo_unix_admin
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
sudoOption: !authenticate
When I run "sudo -l" I get this:
LDAP Role: \2Bsudo_unix_admin
    RunAs: (ALL)
    Commands:
        ALL
So, my question is, what happened to my sudoOption of "!authenticate"?
With "sudoers_debug 2" in my ldap.conf, I get this:
$ /usr/local/bin/sudo -l
LDAP Config Summary
===================
host ldap-pr2.mayo.edu ldap-pr3.mayo.edu ldap-pr1.mayo.edu
port -1
ldap_version 3
sudoers_base ou=SUDOers,dc=unix,dc=mayo,dc=edu
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 120000
timelimit 120
ssl start_tls
tls_checkpeer (no)
===================
sudo: ldap_init(ldap-pr2.mayo.edu ldap-pr3.mayo.edu ldap-pr1.mayo.edu, 389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_start_tls_s() ok
sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search
'(|(sudoUser=ap00375)(sudoUser=%ap00375)(sudoUser=%persondb)(sudoUser=%acl_unix_admin)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=\+sudo_unix_admin,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_unix_admin' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: found:cn=\+sudo_tivoli_admin_ibmtm,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_tivoli_admin' ... not
sudo: found:cn=\+sudo_tivoli_admin_root,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_tivoli_admin' ... not
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(50)=0x02
LDAP Role: \2Bsudo_unix_admin
    RunAs: (ALL)
    Commands:
        ALL
Notice that nowhere in this output does the DPRINTF contained in
ldap.c:sudo_ldap_parse_options() produce any output. It appears not to
be called at all?
For completeness, here's the netgroup "sudo_unix_admin" I'm using:
$ ldapsearch -LLL -x cn=sudo_unix_admin
dn: cn=sudo_unix_admin,ou=Netgroup,dc=unix,dc=mayo,dc=edu
nisNetgroupTriple: (-,ap00036,)
nisNetgroupTriple: (-,m004385,)
nisNetgroupTriple: (-,m011076,)
nisNetgroupTriple: (-,m011998,)
nisNetgroupTriple: (-,m013336,)
nisNetgroupTriple: (-,m029086,)
nisNetgroupTriple: (-,m038117,)
nisNetgroupTriple: (-,m044454,)
nisNetgroupTriple: (-,m044709,)
nisNetgroupTriple: (-,mrf6110,)
nisNetgroupTriple: (-,mrh7159,)
nisNetgroupTriple: (-,mrm1026,)
nisNetgroupTriple: (-,ts00002,)
nisNetgroupTriple: (-,ts00086,)
nisNetgroupTriple: (-,ap00375,)
nisNetgroupTriple: (-,m034427,)
objectClass: nisNetGroup
objectClass: top
cn: sudo_unix_admin
description: Unix administrator sudo group
and my account info:
$ id
uid=219626(ap00375) gid=219626(ap00375)
groups=100001(persondb),150004(acl_unix_admin),219626(ap00375)
I'm doing this testing on Red Hat Enterprise Linux 4.6.
Thanks for any advice!
-- Pat
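As an added illustration (not code from the post or from sudo itself), here is a small audit helper that approximates how sudo evaluates a sudoRole's sudoUser and sudoHost values, including `+netgroup` membership resolved from nisNetgroupTriple entries with innetgr(3) semantics, and folds each matching role's sudoOption values into a dict. The netgroup and role data are constructed to resemble the entries above; `unixbox1`, `sudo_hosts` and the `helpdesk` role are hypothetical. Running it for ap00375 shows the `authenticate=False` option that the netgroup-matched role above should contribute.

```python
import re
# Constructed sample data shaped like the LDIF in the post (not a live directory).
NETGROUPS = {"sudo_unix_admin": ["(-,ap00375,)", "(-,m034427,)"],
             "sudo_tivoli_admin": ["(-,ts00002,)"],
             "sudo_hosts": ["(unixbox1,,)"]}  # nisNetgroupTriple: (host,user,domain)
ROLES = [  # sudoCommand omitted: only user/host matching and options are modelled
    {"cn": "+sudo_unix_admin", "sudoUser": ["+sudo_unix_admin"],
     "sudoHost": ["ALL"], "sudoOption": ["!authenticate"]},
    {"cn": "+sudo_tivoli_admin_root", "sudoUser": ["+sudo_tivoli_admin"],
     "sudoHost": ["ALL"], "sudoOption": ["timestamp_timeout=0"]},
    {"cn": "helpdesk", "sudoUser": ["%acl_unix_admin"],
     "sudoHost": ["+sudo_hosts"], "sudoOption": ["log_output"]}]
TRIPLE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")
def field_matches(field, value):
    # innetgr(3) rules: None query ignores the field, '' is a wildcard, '-' never matches
    if value is None:
        return True
    return field != "-" and field in ("", value)

def in_netgroup(name, host=None, user=None, domain=None):
    for m in filter(None, map(TRIPLE.match, NETGROUPS.get(name, []))):
        if all(field_matches(f, v) for f, v in zip(m.groups(), (host, user, domain))):
            return True
    return False

def user_matches(spec, user, groups):
    if spec == "ALL":
        return True
    if spec.startswith("+"):  # sudo checks user netgroups with the host left unset
        return in_netgroup(spec[1:], user=user)
    return spec[1:] in groups if spec.startswith("%") else spec == user

def host_matches(spec, host):
    if spec.startswith("+"):
        return in_netgroup(spec[1:], host=host)
    return spec in ("ALL", host)

def effective_options(user, groups, host):
    """Map each applicable sudoRole cn to its folded sudoOption values:
    '!flag' -> False, 'flag' -> True, 'key=val' -> 'val'."""
    result = {}
    for role in ROLES:
        if any(user_matches(s, user, groups) for s in role["sudoUser"]) and \
           any(host_matches(s, host) for s in role["sudoHost"]):
            opts = {}
            for o in role["sudoOption"]:
                k, _, v = o.partition("=")
                opts[k.lstrip("!")] = v if v else not k.startswith("!")
            result[role["cn"]] = opts
    return result
```

The helper keeps options per role rather than merging them across roles in directory order, which is enough to check what a single entry ought to contribute.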