[sudo-users] LDAPv Multiple sudoers_base lines do not work
Provost, Louis
Louis.Provost at sensus.com
Mon Jan 13 14:23:00 MST 2014
Good day!
I am having issues getting sudo working with ldap only in the regard that I really need to have two search bases for sudo but it doesn’t seem to read both.
I am on an older version of sudo and am stuck with it for various reasons, but the main crux is that I CANNOT upgrade the server, and this version of sudo is what is supported in this old version of Red Hat (5.10).
Sudo version:
[root at www ~]# rpm -qa |grep sudo
sudo-1.7.2p1-28.el5
My search lines look like this:
sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net
sudoers_base ou=SUDO,dc=falchnet,dc=net
I have tried joining the lines with a space delimiter, as well as leaving the lines separate. No matter what I do, I only get results from one base. The base in the secondary position, or the one that is read last linearly, is the one that is read from. I know that all the LDAP entries work and sudo works just fine on the LDAP side when the right base is queried; I just cannot get it to look in one, fail, and look in the other base.
Here are some results:
===================
uri ldap://ldap1.falchnet.net ldap://ldap2.falchnet.net
ldap_version 3
sudoers_base ou=SUDO,dc=falchnet,dc=net
binddn cn=LDAP Binder,ou=Special Accounts,dc=falchnet,dc=net
bindpw <password hashed here>
timelimit 10
ssl start_tls
tls_checkpeer (no)
tls_cacertfile /etc/pki/tls/certs/falchnet-ca-cacert.pem
If I reverse the order, then the other base shows. Of course, I have users to test in both sudo buckets, but the one in the second bucket listed is the only one to work.
I have been searching forever and all I can find are references to multiple bases working in a man page, but no version information, no examples, no anything.
Any help would be absolutely greatly appreciated from this list.
Thanks!
Louie
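Added example, not part of the post or of sudo itself: a small debugging aid that reads a sudo ldap.conf, lists every sudoers_base in file order, builds the first-pass filter sudo's LDAP backend sends (user, each %group, ALL), and emits one ldapsearch command per base so each base can be checked by hand. The embedded config is a constructed copy of the one in the post with the password and CA lines left out; the "worker-sudo" and "SUDO" bases and the falchnet.net URIs come from the post, the user "louie" and group "wheel" are assumptions.

```python
# Added example, not from the post or from sudo: list every sudoers_base in
# file order, build sudo's first-pass LDAP filter, and emit one ldapsearch
# argv per base. SAMPLE_CONF is a constructed copy of the post's config.
import shlex

SAMPLE_CONF = """\
uri ldap://ldap1.falchnet.net ldap://ldap2.falchnet.net
sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net
sudoers_base ou=SUDO,dc=falchnet,dc=net
ssl start_tls
tls_checkpeer (no)
"""

def parse_ldap_conf(text):
    """Return (uris, bases, settings); sudoers_base lines are kept whole, in file order."""
    uris, bases, settings = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "uri":
            uris.extend(value.split())
        elif key == "sudoers_base":
            bases.append(value)   # two DNs joined by a space stay one (bad) base
        else:
            settings[key] = value
    return uris, bases, settings

def build_sudo_filter(user, groups):
    """First-pass filter: the user, each %group, and ALL; RFC 4515 escaping
    keeps a hostile user or group name from altering the filter."""
    esc = lambda v: "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in v)
    terms = ["(sudoUser=%s)" % esc(user)] + ["(sudoUser=%%%s)" % esc(g) for g in groups]
    return "(|%s(sudoUser=ALL))" % "".join(terms)

def ldapsearch_commands(uris, bases, filt, start_tls=False):
    """One ldapsearch argv per base, in the order the config lists them."""
    tls = ["-ZZ"] if start_tls else []
    return [["ldapsearch", "-x", *tls, "-H", " ".join(uris), "-b", base, filt,
             "sudoUser", "sudoHost", "sudoCommand"] for base in bases]

if __name__ == "__main__":
    uris, bases, settings = parse_ldap_conf(SAMPLE_CONF)
    filt = build_sudo_filter("louie", ["wheel"])   # assumed user and group
    for argv in ldapsearch_commands(uris, bases, filt, settings.get("ssl") == "start_tls"):
        print(shlex.join(argv))
    if settings.get("tls_checkpeer", "").strip("()").lower() != "yes":
        print("note: tls_checkpeer is not yes, so the server certificate is not verified")
```

Running the printed commands one base at a time shows which base actually holds a matching sudoRole for the user, independent of how sudo itself walks the list.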