[sudo-users] problems with sudo, ldap, and passwords

Michael W. Lucas mwlucas at blackhelicopters.org
Tue Mar 2 17:01:57 EST 2010


Hi,

I'm trying to make sudo talk to my ldap server.  Sudo is version
1.6.9.20, running on FreeBSD 9/i386, against an OpenLDAP 2.4 back end
on FreeBSD 8/i386.  Basic LDAP auth works, and I'm serving SSH keys
out of my LDAP server.

Sudo rejects the password for any user except root, however.  I've
verified the user's account and password with basic LDAP searches,
e.g.:

onvm2~;ldapsearch -ZWxD "uid=mwlucas,ou=people,dc=example,dc=com"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
<<<lots of stuff cut>>>

When I try even "sudo -l", however, that same password is repeatedly
rejected.

onvm2~;sudo -l
LDAP Config Summary
===================
host         ldap.example.com
port         -1
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=com
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  30000
timelimit    30
ssl          start_tls
tls_cacertfile   /usr/local/etc/ssl/example.root.crt
===================
sudo: ldap_init(ldap.example.com, 389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_start_tls_s() ok
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
sudo: ldap search '(|(sudoUser=mwlucas)(sudoUser=%mwlucas)(sudoUser=%sysadmins)(sudoUser=ALL))'
sudo: found:cn=%sysadmins,ou=sudoers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(50)=0x02
Password:
Speak English you fool --- there are no subtitles in this scene.
Password:
I have been called worse.
Password:
It's only your word against mine.
sudo: 3 incorrect password attempts

If I try "sudo -l" while logged in as root, though, sudo accepts my
password and gives me the expected config.

onvm2# sudo -l
LDAP Config Summary
===================
host         ldap.example.com
port         -1
ldap_version 3
sudoers_base ou=sudoers,dc=example,dc=com
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  30000
timelimit    30
ssl          start_tls
tls_cacertfile   /usr/local/etc/ssl/example.root.crt
===================
sudo: ldap_init(ldap.example.com, 389)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertfile -> /usr/local/etc/ssl/example.root.crt
sudo: ldap_set_option: timelimit -> 30
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)

sudo: ldap_start_tls_s() ok
sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=sudoers,dc=example,dc=com
sudo: ldap search '(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%operator)(sudoUser=ALL))'
sudo: found:cn=root,ou=sudoers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(50)=0x02
User root may run the following commands on this host:

LDAP Role: root
  RunAs: (ALL)
  Commands:
    ALL

I've tried both with the default /usr/local/etc/pam.d/sudo, and the
following config based on a modified /etc/pam.d/system:

auth            required        pam_unix.so             no_warn try_first_pass nullok
auth            required        /usr/local/lib/pam_ldap.so      no_warn try_first_pass
account         required        /usr/local/lib/pam_ldap.so      ignore_unknown_user ignore_authinfo_unavail
account         required        pam_login_access.so
account         required        pam_unix.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail
password        required        pam_unix.so             no_warn try_first_pass

I'd also tried changing pam.d/system and pam.d/other, even though the
local pam.d/sudo should come first.

I'm clearly missing something.  Any suggestions, folks?

Thanks,
==ml

-- 
Michael W. Lucas 	mwlucas at BlackHelicopters.org
http://www.MichaelWLucas.com/
Latest book:  Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/
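As an added illustration (not part of the thread or of the poster's system), the following Python model reproduces OpenPAM's control-flag dispatch for the two auth lines of the stack quoted above, and compares it with a commonly used ordering in which pam_ldap is `sufficient` and pam_unix remains `required`. The module outcomes for the two constructed account types are assumptions, not results taken from the post.

```python
# Simplified model of OpenPAM's auth-chain dispatch (openpam_dispatch()),
# covering the required/requisite/sufficient/optional control flags.
# Module outcomes are constructed stand-ins, not results from a real system.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

def dispatch(chain: list[tuple[str, str]], outcomes: dict[str, str]) -> str:
    """Run a chain of (control_flag, module) entries and return the final code."""
    fail, err = False, SUCCESS
    for flag, module in chain:
        r = outcomes[module]          # what the module would return for this user
        if r == SUCCESS:
            # a succeeding "sufficient" module ends the chain if nothing failed yet
            if flag == "sufficient" and not fail:
                break
            continue
        # failures of optional/sufficient modules are ignored
        if flag in ("optional", "sufficient"):
            continue
        if not fail:                  # record the first failure
            fail, err = True, r
        if flag == "requisite":       # requisite stops the chain on failure
            break
    return err if fail else SUCCESS

# The auth lines from the stack in the post: both modules are "required",
# so both must return success for the stack as a whole to succeed.
posted_stack = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]

# A commonly used alternative: a successful LDAP bind is sufficient on its
# own, and the local passwd database decides for everyone else.
alt_stack = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed outcomes (assumptions): an LDAP-only account has no usable
# local hash, so pam_unix rejects it; a local-only account cannot bind to LDAP.
ldap_only_user = {"pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS}
local_only_user = {"pam_unix.so": SUCCESS, "pam_ldap.so": AUTH_ERR}

if __name__ == "__main__":
    for name, stack in (("posted", posted_stack), ("alternative", alt_stack)):
        print(name, "ldap-only:", dispatch(stack, ldap_only_user),
              "local-only:", dispatch(stack, local_only_user))
```

Under this model an account that only the LDAP module can verify is rejected by the posted stack, because a `required` pam_unix failure is recorded regardless of what pam_ldap returns afterwards.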