[sudo-users] Sudo in LDAP appears to auth everything
Eric Freeman
eric.freeman at tbwachiat.com
Fri Jul 10 13:38:25 EDT 2009
Below is the output from my sudo debug. I am 99% sure I don't have the lastb
command in the LDAP container. I am not sure why this is being allowed. I am
not sure if this is a clue (sudoUser=ALL)). I don't have the LDAP user in the
local sudoers.
I am not sure why I am able to run sudo commands. I can also run sudo dmesg
and I know that is not in LDAP.
Any help would be appreciated. Thanks
# sudo -V
Sudo version 1.7.0
Running on HP-UX 11.11
[:/etc] sudo lastb
LDAP Config Summary
===================
host 10.20.2.165
port -1
ldap_version 3
sudoers_base ou=SUDOers,ou=Services,o=nam
binddn cn=xxxxxxxxxxxxxxx
bindpw xxxxxxxxxxxxxxxxxx
bind_timelimit 30000
timelimit 30
ssl (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, 10.20.2.165)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,ou=Services,o=NAM
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.log'
sudo: ldap sudoOption: 'log_year'
sudo: ldap search
'(|(sudoUser=test_user)(sudoUser=%c)(sudoUser=%ZZ-C)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x02
LDAP Password: