[sudo-users] LDAPv Multiple sudoers_base lines do not work

Provost, Louis Louis.Provost at sensus.com
Mon Jan 13 14:23:00 MST 2014

Good day!

I am having issues getting sudo working with LDAP, only in the regard that I really need to have two search bases for sudo but it doesn’t seem to read both.
I am on an older version of sudo and am stuck with it for various reasons; the main crux is that I CANNOT upgrade the server, and this version of sudo is what is supported in this old version of Red Hat (5.10).

Sudo version:
[root at www ~]# rpm -qa |grep sudo

my search lines look like this

sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net
sudoers_base ou=SUDO,dc=falchnet,dc=net

I have tried joining the lines with a space delimiter, as well as leaving the lines separate.  No matter what I do I only get results from one base.  The base in the secondary position, or the one that is read last linearly is the one that is read from.  I know that all the ldap entries work and sudo works just fine on the ldap side when the right base is queried, I just cannot get it to look in one, fail and look in the other base.

Here are some results:

uri              ldap://ldap1.falchnet.net ldap://ldap2.falchnet.net
ldap_version     3
sudoers_base     ou=SUDO,dc=falchnet,dc=net
binddn           cn=LDAP Binder,ou=Special Accounts,dc=falchnet,dc=net
bindpw           <password hashed here>
timelimit        10
ssl              start_tls
tls_checkpeer    (no)
tls_cacertfile   /etc/pki/tls/certs/falchnet-ca-cacert.pem

If I reverse the order, then the other base shows.  Of course, I have users to test in both sudo buckets, but the one in the second bucket listed is the only one to work.
I have been searching forever and all I can find are references to multiple bases working in a man page, but no version information, no examples, no anything.

Any help would be absolutely greatly appreciated from this list.
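As an added example (not part of the original post or of sudo itself), here is a small linter for the sudo section of an ldap.conf in the layout shown above: it collects every sudoers_base line in file order, reports which one a single-base build would keep (the "last line wins" symptom described in the post), and flags TLS peer checking being turned off. The DNs, hostnames and password in the sample are constructed placeholders.

```python
# Constructed sample in the layout sudo's ldap.conf uses (hypothetical DNs,
# modelled on the post): two sudoers_base lines and TLS peer checking off.
SAMPLE_LDAP_CONF = """\
# sudo LDAP settings (constructed example)
uri              ldap://ldap1.example.net ldap://ldap2.example.net
ldap_version     3
sudoers_base     cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=example,dc=net
sudoers_base     ou=SUDO,dc=example,dc=net
binddn           cn=LDAP Binder,ou=Special Accounts,dc=example,dc=net
bindpw           PLACEHOLDER-NOT-A-REAL-PASSWORD
ssl              start_tls
tls_checkpeer    no
"""

FALSE_WORDS = {"no", "false", "off"}


def parse_ldap_conf(text):
    """Return the file as an ordered list of (keyword, value) pairs.

    Keywords are lower-cased; blank lines and '#' comments are skipped.
    Keyword and value are separated by whitespace, as in the post's file.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def lint_sudo_ldap(pairs):
    """Collect every sudoers_base in file order and report risky settings."""
    bases = [value for key, value in pairs if key == "sudoers_base"]
    findings = []
    if not bases:
        findings.append("no sudoers_base: sudo cannot locate any LDAP rules")
    elif len(bases) > 1:
        # A build that keeps only one base value behaves as 'last line wins';
        # list the survivor so the admin knows which base is silently dropped.
        findings.append("%d sudoers_base lines; a single-base build would use "
                        "only the last one: %s" % (len(bases), bases[-1]))
    settings = dict(pairs)  # for single-value keywords, last occurrence wins
    if settings.get("ssl", "").lower() in ("yes", "start_tls", "on", "true") \
            and settings.get("tls_checkpeer", "").lower() in FALSE_WORDS:
        findings.append("tls_checkpeer is off: the LDAP server certificate is "
                        "not verified, so sudo rules could be served by an "
                        "impostor on the path to the directory")
    return bases, findings


if __name__ == "__main__":
    for finding in lint_sudo_ldap(parse_ldap_conf(SAMPLE_LDAP_CONF))[1]:
        print("WARNING:", finding)
```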

