[sudo-users] groups don't work when using sasl

Han Boetes hboetes at gmail.com
Mon Dec 17 05:10:59 EST 2012


Hi,

I just enabled SASL enforcement for access to the ldap tree. Before I had
it enabled, using a group worked fine; after that, using a group does not.
Creating a recipe for a still works fine though. What am I missing?

I use this sudo-ldap.conf:

[root at auth ~]# stripcom /etc/sudo-ldap.conf
URI ldap://auth.hb-data.at
SUDOERS_BASE ou=SUDOers,dc=hb-data,dc=at
SUDOERS_DEBUG 2
SSL start_tls
TLS_CACERTDIR /etc/openldap/certs
SASL_MECH GSSAPI
USE_SASL on
ROOTUSE_SASL on
KRB5_CCNAME /var/run/nslcd/nslcd.tkt


10 cn=%hb-admins,ou=SUDOers,dc=hb-data,dc=at
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
cn: %hb-admins
sudoUser: %hb-admins
sudoOption: !authenticate


And the output is:

[hb at auth ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://auth.hb-data.at
ldap_version     3
sudoers_base     ou=SUDOers,dc=hb-data,dc=at
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/certs
use_sasl         yes
sasl_auth_id     (NONE)
rootuse_sasl     1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      /var/run/nslcd/nslcd.tkt
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/certs
sudo: ldap_initialize(ld, ldap://auth.hb-data.at)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_interactive_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=hb-data,dc=at
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap search
'(|(sudoUser=hb)(sudoUser=%hb-data)(sudoUser=%#10000)(sudoUser=%hb-admins)(sudoUser=%#10001)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=hb-data,dc=at'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=hb-data,dc=at'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x42

-- 
# Han
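Added example, not part of the post and not sudo's own code: a small Python script that parses the `sudo -l` debug output quoted above, pairs each LDAP search filter with the entry count sudo reports for it, and checks locally whether the posted sudoRole entry would match the `sudoUser` terms in that filter. It assumes the debug line format shown in the post; the sample log lines and the entry are copied from the post and embedded as constructed input. The closing hint about what the SASL-bound identity can read is a diagnostic pointer to check, not a confirmed cause.

```python
import re

# Constructed sample: the relevant lines of the sudo -l debug output from the post.
DEBUG_OUTPUT = """\
sudo: ldap_sasl_interactive_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=hb-data,dc=at
sudo: ldap search
'(|(sudoUser=hb)(sudoUser=%hb-data)(sudoUser=%#10000)(sudoUser=%hb-admins)(sudoUser=%#10001)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=hb-data,dc=at'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=hb-data,dc=at'
sudo: adding search result
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
"""

# Constructed sample: the sudoRole entry from the post as attribute -> values.
ROLE_ENTRY = {
    "cn": ["%hb-admins"],
    "objectClass": ["top", "sudoRole"],
    "sudoHost": ["ALL"],
    "sudoCommand": ["ALL"],
    "sudoUser": ["%hb-admins"],
    "sudoOption": ["!authenticate"],
}


def parse_searches(debug_text):
    """Pair each 'ldap search' filter with the entry count sudo reports for it.
    In the quoted output the filter is either on the same line or wrapped onto
    the following line, so both layouts are handled."""
    searches = []
    pending = None
    lines = debug_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("sudo: ldap search"):
            m = re.search(r"'(.*)'", line)
            if not m and i + 1 < len(lines):
                i += 1
                m = re.search(r"'(.*)'", lines[i].strip())
            pending = m.group(1) if m else None
        elif line.startswith("sudo: result now has") and pending is not None:
            count = int(re.search(r"has (\d+) entries", line).group(1))
            searches.append((pending, count))
            pending = None
        i += 1
    return searches


def filter_terms(ldap_filter):
    """Extract the values of every (sudoUser=...) term in an OR filter."""
    return re.findall(r"\(sudoUser=([^)]*)\)", ldap_filter)


def entry_matches_terms(entry, terms):
    """Local approximation of what the directory should return: the entry
    matches when one of its sudoUser values equals a searched term. (sudo's
    real matching also covers netgroups and wildcards; not needed here.)"""
    return any(value in terms for value in entry.get("sudoUser", []))


def diagnose(debug_text, entry, group):
    """Summarise whether the bind succeeded, whether the user's group made it
    into the search filter, and how many hits the posted entry should have
    produced versus how many the server actually reported."""
    report = {
        "bind_ok": "ldap_sasl_interactive_bind_s() ok" in debug_text,
        "group_in_filter": False,
        "expected_hits": 0,
        "reported_hits": 0,
    }
    for ldap_filter, count in parse_searches(debug_text):
        terms = filter_terms(ldap_filter)
        if f"%{group}" in terms:
            report["group_in_filter"] = True
            report["reported_hits"] += count
            if entry_matches_terms(entry, terms):
                report["expected_hits"] += 1
    return report


if __name__ == "__main__":
    result = diagnose(DEBUG_OUTPUT, ROLE_ENTRY, "hb-admins")
    print(result)
    if result["bind_ok"] and result["group_in_filter"] \
            and result["expected_hits"] > result["reported_hits"]:
        # sudo asked for the group and the entry matches it locally, yet the
        # server returned nothing: the next thing to verify is what the
        # SASL-bound identity is permitted to read under the sudoers base
        # (server-side access rules and the server's access log).
        print("Group is in the filter and the entry matches it locally, but the "
              "server returned fewer entries than expected; check the bound "
              "identity's read access under the sudoers base.")
```

Run it as-is to see the summary for the posted log; point `DEBUG_OUTPUT` at a fresh capture of `sudo -l` with `SUDOERS_DEBUG 2` to repeat the check after changing the directory configuration.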