[sudo-users] LDAP sudoOptions and netgroups:

Patrick Spinler spinler.patrick at mayo.edu
Sun Jun 8 16:34:54 EDT 2008




Hi:

I'm experimenting with sudo 1.6.9p16, specifically with keeping my
sudoers in LDAP.

I have the following setup:

$ ldapsearch -LLL -x -b dc=unix,dc=mayo,dc=edu objectclass=sudorole
dn: cn=\+sudo_unix_admin,ou=sudoers,dc=unix,dc=mayo,dc=edu
objectClass: top
objectClass: sudoRole
cn: +sudo_unix_admin
sudoUser: +sudo_unix_admin
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
sudoOption: !authenticate

When I run "sudo -l" I get this:

LDAP Role: \2Bsudo_unix_admin
  RunAs: (ALL)
  Commands:
    ALL

So, my question is: what happened to my sudoOption of "!authenticate"?

With "sudoers_debug 2" in my ldap.conf, I get this:

$ /usr/local/bin/sudo -l

LDAP Config Summary
===================
host         ldap-pr2.mayo.edu ldap-pr3.mayo.edu ldap-pr1.mayo.edu
port         -1
ldap_version 3
sudoers_base ou=SUDOers,dc=unix,dc=mayo,dc=edu
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  120000
timelimit    120
ssl          start_tls
tls_checkpeer    (no)
===================
sudo: ldap_init(ldap-pr2.mayo.edu ldap-pr3.mayo.edu ldap-pr1.mayo.edu, 389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

sudo: ldap_start_tls_s() ok
sudo: ldap_simple_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=ap00375)(sudoUser=%ap00375)(sudoUser=%persondb)(sudoUser=%acl_unix_admin)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=\+sudo_unix_admin,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_unix_admin' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: found:cn=\+sudo_tivoli_admin_ibmtm,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_tivoli_admin' ... not
sudo: found:cn=\+sudo_tivoli_admin_root,ou=sudoers,dc=unix,dc=mayo,dc=edu
sudo: ldap sudoUser netgroup '+sudo_tivoli_admin' ... not
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(50)=0x02

LDAP Role: \2Bsudo_unix_admin
  RunAs: (ALL)
  Commands:
    ALL


Notice that nowhere in this output does the DPRINTF contained in
ldap.c:sudo_ldap_parse_options() produce any output.  It appears not to
be called?

For completeness, here's the netgroup "sudo_unix_admin" I'm using:

$ ldapsearch -LLL -x cn=sudo_unix_admin
dn: cn=sudo_unix_admin,ou=Netgroup,dc=unix,dc=mayo,dc=edu
nisNetgroupTriple: (-,ap00036,)
nisNetgroupTriple: (-,m004385,)
nisNetgroupTriple: (-,m011076,)
nisNetgroupTriple: (-,m011998,)
nisNetgroupTriple: (-,m013336,)
nisNetgroupTriple: (-,m029086,)
nisNetgroupTriple: (-,m038117,)
nisNetgroupTriple: (-,m044454,)
nisNetgroupTriple: (-,m044709,)
nisNetgroupTriple: (-,mrf6110,)
nisNetgroupTriple: (-,mrh7159,)
nisNetgroupTriple: (-,mrm1026,)
nisNetgroupTriple: (-,ts00002,)
nisNetgroupTriple: (-,ts00086,)
nisNetgroupTriple: (-,ap00375,)
nisNetgroupTriple: (-,m034427,)
objectClass: nisNetGroup
objectClass: top
cn: sudo_unix_admin
description: Unix administrator sudo group

and my account info:

$ id
uid=219626(ap00375) gid=219626(ap00375) groups=100001(persondb),150004(acl_unix_admin),219626(ap00375)

I'm doing this testing on Red Hat Enterprise Linux 4.6.

Thanks for any advice!
-- Pat


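The two-pass lookup visible in the debug output above, modelled as an added example. This is not code from sudo or from the post (sudo's ldap.c is C and differs in detail); it rebuilds the first user/group search filter exactly as the log prints it, evaluates the `sudoUser=+*` pass with innetgr(3)-style netgroup triple matching, and carries every matched role's sudoOption through to the authenticate decision, which is where a dropped `!authenticate` becomes visible. The sudoRole and netgroup entries are constructed from values quoted in the post, the `tivoli01` login is made up, and all function names are this example's own.

```python
"""Model of a sudo LDAP client's sudoRole lookup (added example, not sudo code).

Entries are constructed from the post; helper names are this example's own.
"""
from fnmatch import fnmatchcase

# Constructed sudoRole entries (multi-valued attributes as lists).
ROLES = [
    {"cn": "+sudo_unix_admin", "sudoUser": ["+sudo_unix_admin"], "sudoHost": ["ALL"],
     "sudoRunAs": ["ALL"], "sudoCommand": ["ALL"], "sudoOption": ["!authenticate"]},
    {"cn": "+sudo_tivoli_admin_ibmtm", "sudoUser": ["+sudo_tivoli_admin"],
     "sudoHost": ["ALL"], "sudoCommand": ["ALL"]},            # carries no sudoOption
]

# Constructed netgroups: nisNetgroupTriple values as (host, user, domain).
# In a triple an empty field matches anything and "-" matches nothing.
NETGROUPS = {
    "sudo_unix_admin": {"triples": [("-", "ap00036", ""), ("-", "ap00375", "")],
                        "members": []},
    "sudo_tivoli_admin": {"triples": [("-", "tivoli01", "")], "members": []},  # made-up login
}

def first_pass_filter(user, primary_group, groups):
    """Filter of the first search: login, %primary group, %other groups, ALL."""
    terms = [f"(sudoUser={user})", f"(sudoUser=%{primary_group})"]
    terms += [f"(sudoUser=%{g})" for g in groups if g != primary_group]
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"

def _field_ok(pattern, value):
    """innetgr(3) field test: value None means 'don't care' for that field."""
    if value is None or pattern == "":
        return True
    return pattern != "-" and pattern == value

def in_netgroup(name, host, user, domain, netgroups, _seen=None):
    """Recursive netgroup membership; _seen guards against member cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    ng = netgroups[name]
    if any(_field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain)
           for h, u, d in ng["triples"]):
        return True
    return any(in_netgroup(m, host, user, domain, netgroups, _seen) for m in ng["members"])

def user_matches(value, user, primary_group, groups, netgroups):
    """sudoUser value: ALL, +netgroup (user field only), %group, or a login."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return in_netgroup(value[1:], None, user, None, netgroups)
    if value.startswith("%"):
        return value[1:] == primary_group or value[1:] in groups
    return value == user

def host_matches(value, host, netgroups):
    """sudoHost value: ALL, +netgroup (host field only), or a glob pattern."""
    if value == "ALL":
        return True
    if value.startswith("+"):
        return in_netgroup(value[1:], host, None, None, netgroups)
    return fnmatchcase(host, value)

def matching_roles(user, primary_group, groups, host, roles, netgroups):
    """Roles whose sudoUser and sudoHost both match (both passes in one loop)."""
    return [r for r in roles
            if any(user_matches(v, user, primary_group, groups, netgroups) for v in r["sudoUser"])
            and any(host_matches(v, host, netgroups) for v in r["sudoHost"])]

def effective_options(roles):
    """sudoOption values of every matched role, in match order."""
    return [o for r in roles for o in r.get("sudoOption", [])]

def password_required(options):
    """Last authenticate/!authenticate wins; with no option at all sudo asks."""
    required = True
    for opt in options:
        if opt in ("authenticate", "!authenticate"):
            required = not opt.startswith("!")
    return required

if __name__ == "__main__":
    me, pgrp, grps = "ap00375", "ap00375", ["persondb", "acl_unix_admin", "ap00375"]
    print(first_pass_filter(me, pgrp, grps))
    hits = matching_roles(me, pgrp, grps, "anyhost", ROLES, NETGROUPS)
    print([r["cn"] for r in hits], effective_options(hits),
          password_required(effective_options(hits)))
```

One caveat the model makes visible: every triple in the posted netgroup carries "-" in the host field, so the same netgroup would never match if it were used as a sudoHost value (`+sudo_unix_admin`), since innetgr-style matching treats "-" as matching no host. It works as a sudoUser value only because the host field is not consulted for that check.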


