[sudo-users] Sudo Integration with AD Issue - Sudo Debug Suggest it performs an LDAP Query but Doesn't

Ian Funk ian.funk at disney.com
Tue Oct 9 17:04:45 EDT 2012


I'm working on a project to integrate Sudo with Active Directory and have run 
into a brick wall.  When using a Linux local user, sudo queries the Sudoers 
container in Active Directory, finds the role and the result is a match.

Success:

[bobo at tn7sudoauth01 ~]$ sudo /usr/bin/id

sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=bobo)(sudoUser=%bobo)(sudoUser=ALL))'
sudo: found:CN=bobo,OU=Sudoers,DC=example,DC=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/usr/bin/id' ... MATCH!

While using an Active Directory User sudo claims that it's doing the following 
search:

sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'

But tcpdump and a packet capture on the Domain Controller show that this LDAP 
query is never being sent.  The following two queries are being sent and 
processed but not the one above.

sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search 'sudoUser=+*'

Why is sudo sending the sudoUser query for a local but not Domain User?  I'm 
looking for a solution because it's a requirement that we use Active Directory 
users and this is currently blocking us.

Failure:

[EXAMPLE\ifunktest at tn7sudoauth01 ~]$ sudo /usr/sbin/id
LDAP Config Summary
===================
uri              ldap://windowsdc01.example.com
ldap_version     3
sudoers_base     ou=Sudoers,dc=example,dc=com
binddn           cn=_sudobind,ou=service_accounts,dc=example,dc=com
bindpw           password
bind_timelimit   120000
timelimit        120
ssl              off
===================
sudo: ldap_initialize(ld, ldap://windowsdc01.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

sudo: ldap_sasl_bind_s() ok
sudo: found:CN=defaults,OU=Sudoers,DC=example,DC=com
sudo: ldap search '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: nothing found for '(|(sudoUser=EXAMPLE\ifunktest)(sudoUser=%EXAMPLE\Domain^users)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x60
[sudo] password for EXAMPLE\ifunktest:

Running the same LDAP query via ldapsearch from the host and LDP on the Domain 
Controller yields the expected results.  I've changed the domain and server 
names here for obvious reasons.

Thanks in Advance, Ian
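The debug lines above show sudo building one sudoUser filter from the user name plus each of the user's groups, followed by a second query for netgroups. The following is an added example, not code from the post or from sudo itself: it reproduces that filter as printed, and beside it the RFC 4515 escaped form in which a backslash inside a value such as EXAMPLE\ifunktest must be sent (as \5c), with a small well-formedness check so the two can be compared against what ldapsearch accepts. The names and the helper functions are constructed for illustration.

```python
"""Reproduce the sudoers LDAP filter from the debug log and its RFC 4515
escaped form (constructed example; not sudo's own code)."""

# RFC 4515 section 3: these characters must be hex-escaped when they
# appear inside an assertion value of a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def sudo_user_filter(user, groups, escape=True):
    """Return the sudoUser filter seen in the log for a user and groups.

    escape=False reproduces the raw form printed by sudo's debug output;
    escape=True is the form an RFC 4515 compliant server expects, where
    the backslash in a domain-prefixed name becomes '\\5c'.
    """
    f = escape_filter_value if escape else (lambda s: s)
    terms = ["(sudoUser=%s)" % f(user)]
    terms += ["(sudoUser=%%%s)" % f(g) for g in groups]   # '%' = group prefix
    terms.append("(sudoUser=ALL)")
    return "(|" + "".join(terms) + ")"


NETGROUP_FILTER = "sudoUser=+*"   # the second query that did reach the DC


def filter_is_well_formed(filt):
    """Sanity check: balanced parentheses, and every backslash followed
    by exactly two hex digits as RFC 4515 requires."""
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        elif ch == "\\":
            pair = filt[i + 1:i + 3]
            if len(pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in pair):
                return False
            i += 2
        i += 1
    return depth == 0


if __name__ == "__main__":
    user, groups = "EXAMPLE\\ifunktest", ["EXAMPLE\\Domain^users"]
    for esc in (False, True):
        filt = sudo_user_filter(user, groups, escape=esc)
        print(filt, "->", "ok" if filter_is_well_formed(filt) else "malformed")
```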



More information about the sudo-users mailing list