[sudo-users] Sudo in LDAP appears to auth everything

Eric Freeman eric.freeman at tbwachiat.com
Fri Jul 10 13:38:25 EDT 2009

Below is the output from my sudo debug. I am 99% sure I don't have the lastb
command in the LDAP container. I am not sure why this is being allowed. I am
not sure if this is a clue (sudoUser=ALL). I don't have the LDAP user in the
local sudoers.

I am not sure why I am able to run sudo commands. I can also run sudo dmesg
and I know that is not in LDAP.

Any help would be appreciated. Thanks

# sudo -V
Sudo version 1.7.0
Running on HP-UX 11.11

[:/etc] sudo lastb
LDAP Config Summary
port             -1
ldap_version     3
sudoers_base     ou=SUDOers,ou=Services,o=nam
binddn           cn=xxxxxxxxxxxxxxx
bindpw           xxxxxxxxxxxxxxxxxx
bind_timelimit   30000
timelimit        30
ssl              (no)
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME,
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,ou=Services,o=NAM
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.log'
sudo: ldap sudoOption: 'log_year'
sudo: ldap search 
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x02
LDAP Password:

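As an added diagnostic example (not part of the original post or of sudo itself): a small Python parser for the sudo LDAP debug output above that pulls out the config summary, the sudoOptions, the searches run, the user_matches/host_matches counters and the sudo_ldap_lookup() return code, and reports when the lookup claims success while neither counter matched. The flag-bit names are an assumption taken from the sudoers_lookup() return values in sudo 1.7's sudo.h.

```python
import re
# Constructed sample: the relevant lines of the debug output in the post above.
SAMPLE_DEBUG = """\
LDAP Config Summary
sudoers_base     ou=SUDOers,ou=Services,o=nam
sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.log'
sudo: ldap sudoOption: 'log_year'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x02
"""

# Assumed: sudoers_lookup() return bits as defined in sudo 1.7's sudo.h.
LOOKUP_FLAGS = {0x001: "VALIDATE_ERROR", 0x002: "VALIDATE_OK",
                0x004: "VALIDATE_NOT_OK", 0x010: "FLAG_CHECK_USER",
                0x020: "FLAG_NO_USER", 0x040: "FLAG_NO_HOST", 0x080: "FLAG_NO_CHECK"}

def parse_sudo_ldap_debug(text):
    """Pull config summary, sudoOptions, searches, match counters and lookup code."""
    result = {"config": {}, "options": [], "searches": [],
              "user_matches": None, "host_matches": None, "lookup": None}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("sudo:"):  # config-summary rows are "key   value"
            parts = line.split(None, 1)
            if len(parts) == 2 and line != "LDAP Config Summary":
                result["config"][parts[0]] = parts[1]
            continue
        msg = line[5:].strip()
        if m := re.match(r"ldap sudoOption: '(.*)'", msg):
            result["options"].append(m.group(1))
        elif m := re.match(r"ldap search '(.*)'", msg):
            result["searches"].append(m.group(1))
        elif m := re.match(r"(user|host)_matches=(\d+)", msg):
            result[m.group(1) + "_matches"] = int(m.group(2))
        elif m := re.match(r"sudo_ldap_lookup\(\d+\)=0x([0-9a-fA-F]+)", msg):
            result["lookup"] = int(m.group(1), 16)
    return result

def decode_lookup(code):
    """Map the hex return value to flag names; bits not in the table are ignored."""
    return [name for bit, name in sorted(LOOKUP_FLAGS.items()) if code & bit]

def find_inconsistency(parsed):
    """Report a lookup that claims success while neither a user nor a host entry matched."""
    flags = decode_lookup(parsed["lookup"] or 0)
    if "VALIDATE_OK" in flags and not (parsed["user_matches"] and parsed["host_matches"]):
        return f"VALIDATE_OK with user_matches={parsed['user_matches']} host_matches={parsed['host_matches']}"
    return None
```

Run it over a full `sudo` debug capture; a non-empty result from find_inconsistency() is the first thing to chase, together with whether the local sudoers file is still consulted after the LDAP lookup.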
