[sudo-users] Active Directory Schema incomplete? (and SUDOERS_TIMED attributes not working)

David.HICKS at rbs.com
Fri Jul 27 11:26:46 EDT 2012


I am experiencing a couple of problems when attempting to load schema.ActiveDirectory into my 2003R2 SP2 Active Directory domain:

1. "The attribute schema has bad syntax" errors from sudoNotBefore, sudoNotAfter and sudoOrder objects, and I believe this is because the attributeSyntax (and associated oMSyntax) values are invalid for Active Directory. This page (http://technet.microsoft.com/en-us/library/cc961740.aspx) lists the valid attributeSyntax / oMSyntax combinations, and it is clear that the RFC4517 specifiers are not amongst them. Since the other schema objects have apparently already had their attributeSyntax values translated to their MS equivalents, I suspect this is just something that got overlooked when the new attributes were added back in Jan 2011. My best guess at what they should look like is:

sudoNotBefore - attributeSyntax: 2.5.5.11 / oMSyntax: 24
sudoNotAfter - attributeSyntax: 2.5.5.11 / oMSyntax: 24
sudoOrder - attributeSyntax: 2.5.5.9 / oMSyntax: 2

2. Duplicate schemaIDGUID errors on the same 3 objects, which is unsurprising since all three have the same value as was used for sudoRunAsGroup.


Having made the syntax changes I suggest above locally, and after generating some random schemaIDGUID values, I did manage to load the schema objects and get everything working more or less as the documentation suggests it should (so I am confident that my sudoOrder fix is good), apart from the timed attributes, which appear to cause the rule to fail regardless of the time value specified. For example:

$ ldapsearch ..... "(sudoUser=jonesn)"

dn: CN=jonesn.1,OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net
objectClass: top
objectClass: sudoRole
cn: jonesn.1
distinguishedName: CN=jonesn.1,OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net
instanceType: 4
whenCreated: 20120727121554.0Z
whenChanged: 20120727130725.0Z
uSNCreated: 4747343
uSNChanged: 4747383
name: jonesn.1
objectGUID:: 9YXynVQ5Q0mRD7IFlSoBdw==
objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=fmtest,DC=net
sudoNotAfter: 20120728131554.0Z
sudoUser: jonesn
sudoHost: ALL
sudoCommand: /bin/ls
sudoRunAsUser: ALL

...so jonesn should be able to run /bin/ls on all hosts as root as long as the time is before 13:15:54 on 28th Jul 2012, but....

$ whoami
jonesn
$ date
Fri Jul 27 15:57:53 BST 2012
$ sudo -l
User jonesn is not allowed to run sudo on lonrs05996.
$ sudo -V
Sudo version 1.8.5p2
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers I/O plugin version 1.8.5p2

...here is some debug in case anyone is interested:

sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:CN=defaults,OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net
sudo: ldap search '(&(|(sudoUser=jonesn)(sudoUser=%admusers)(sudoUser=%#1000)(sudoUser=%empty1)(sudoUser=%vrtsadm)(sudoUser=%ctxadm)(sudoUser=%lmadmin)(sudoUser=%alex)(sudoUser=%#1001)(sudoUser=%#8002)(sudoUser=%#8003)(sudoUser=%#8139)(sudoUser=%#8230)(sudoUser=ALL))(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20120727145736Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20120727145736Z))))'
sudo: searching from base 'OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net'
sudo: nothing found for '(&(|(sudoUser=jonesn)(sudoUser=%admusers)(sudoUser=%#1000)(sudoUser=%empty1)(sudoUser=%vrtsadm)(sudoUser=%ctxadm)(sudoUser=%lmadmin)(sudoUser=%alex)(sudoUser=%#1001)(sudoUser=%#8002)(sudoUser=%#8003)(sudoUser=%#8139)(sudoUser=%#8230)(sudoUser=ALL))(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20120727145736Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20120727145736Z))))'
sudo: ldap search '(&(sudoUser=+*)(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20120727145736Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20120727145736Z))))'
sudo: searching from base 'OU=SUDOers,OU=Legacy Infrastructure,DC=fmtest,DC=net'
sudo: nothing found for '(&(sudoUser=+*)(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20120727145736Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20120727145736Z))))'
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x62
sudo: ldap search for command list
sudo: reusing previous result (user jonesn) with 0 entries
User jonesn is not allowed to run sudo on lonrs05996.
sudo: removing reusable search result

Any assistance gratefully received. Thanks.


David Hicks
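An added example, not part of the post or of the sudo project: a small Python linter that checks an Active Directory schema LDIF for the two faults described above (attributeSyntax/oMSyntax pairs that AD rejects, and duplicate schemaIDGUID values) before the file is loaded. The syntax table is a subset of Microsoft's documented pairs, and the sample LDIF entries and GUIDs are constructed for the demonstration.

```python
# Added example (not sudo's code): lint an AD schema LDIF for the two faults in the
# post: attributeSyntax/oMSyntax pairs AD rejects, and reused schemaIDGUID values.
from collections import defaultdict

# Subset of AD's valid attributeSyntax -> oMSyntax pairs (extend from the TechNet table).
AD_SYNTAX_PAIRS = {"2.5.5.5": {19, 22}, "2.5.5.9": {2, 10}, "2.5.5.11": {23, 24}}

def parse_ldif(text):
    """Return each blank-line-separated LDIF entry as attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        e = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")       # '::' base64 values kept verbatim
            e[attr.strip()].append(value.strip(": "))
        entries.append(e)
    return entries

def lint_schema(text):
    """Return [(cn, problem)] for attributeSchema entries; [] means the schema is clean."""
    problems, guid_owners = [], defaultdict(list)
    for e in parse_ldif(text):
        if "attributeSchema" not in e.get("objectClass", []):
            continue
        cn, syntax, om = e["cn"][0], e.get("attributeSyntax", [""])[0], e.get("oMSyntax", [""])[0]
        allowed = AD_SYNTAX_PAIRS.get(syntax)
        if allowed is None:
            problems.append((cn, f"attributeSyntax {syntax} is not an AD syntax OID"))
        elif not om.isdigit() or int(om) not in allowed:
            problems.append((cn, f"oMSyntax {om} is not valid for {syntax}"))
        for g in e.get("schemaIDGUID", []):
            guid_owners[g].append(cn)
    for owners in guid_owners.values():        # every later holder of a GUID is a duplicate
        problems += [(cn, f"schemaIDGUID duplicates {owners[0]}") for cn in owners[1:]]
    return problems

# Constructed sample: an RFC 4517 syntax OID and a GUID copied from sudoRunAsGroup.
BROKEN = """objectClass: attributeSchema
cn: sudoRunAsGroup
attributeSyntax: 2.5.5.5
oMSyntax: 22
schemaIDGUID:: 5eGfAAAAAAAAAAAAAAAAAA==

objectClass: attributeSchema
cn: sudoNotBefore
attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
oMSyntax: 24
schemaIDGUID:: 5eGfAAAAAAAAAAAAAAAAAA=="""
# The fix suggested in the post: AD's GeneralizedTime syntax plus a fresh (constructed) GUID.
FIXED = BROKEN.replace("1.3.6.1.4.1.1466.115.121.1.24", "2.5.5.11").replace(
    "oMSyntax: 24\nschemaIDGUID:: 5eGfAAAAAAAAAAAAAAAAAA==", "oMSyntax: 24\nschemaIDGUID:: o2QxAAAAAAAAAAAAAAAAAA==")
```

Running `lint_schema(BROKEN)` reports both faults against sudoNotBefore, while `lint_schema(FIXED)` returns an empty list.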
