[sudo-users] LDAPv Multiple sudoers_base lines do not work
Provost, Louis
Louis.Provost at sensus.com
Mon Jan 13 15:38:03 MST 2014
I was able to make it work by manually upgrading sudo. I really want to be able to make it work with the stock version however.
If it is possible to do that I would like to know how.
Thanks again! Sorry, I just forgot to include that info.
Louie
On Jan 13, 2014, at 3:34 PM, "Provost, Louis" <Louis.Provost at sensus.com> wrote:
>
> Good day!
>
> I am having issues getting sudo working with ldap only in the regard that I really need to have two search bases for sudo but it doesn’t seem to read both.
> I am on an older version of sudo and am stuck with it for various reasons, but the main crux is that I CANNOT upgrade the server, and this version of sudo is what is supported in this old version of Red Hat (5.10).
>
> Sudo version:
> [root at www ~]# rpm -qa |grep sudo
> sudo-1.7.2p1-28.el5
>
> my search lines look like this
>
> sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net
> sudoers_base ou=SUDO,dc=falchnet,dc=net
>
> I have tried joining the lines with a space delimiter, as well as leaving the lines separate. No matter what I do, I only get results from one base. The base in the secondary position, or the one that is read last linearly, is the one that is read from. I know that all the ldap entries work and sudo works just fine on the ldap side when the right base is queried; I just cannot get it to look in one, fail, and look in the other base.
>
> Here are some results:
>
> ===================
> uri ldap://ldap1.falchnet.net ldap://ldap2.falchnet.net
> ldap_version 3
> sudoers_base ou=SUDO,dc=falchnet,dc=net
> binddn cn=LDAP Binder,ou=Special Accounts,dc=falchnet,dc=net
> bindpw <password hashed here>
> timelimit 10
> ssl start_tls
> tls_checkpeer (no)
> tls_cacertfile /etc/pki/tls/certs/falchnet-ca-cacert.pem
>
> If I reverse the order, then the other base shows. Of course, I have users to test in both sudo buckets, but the one in the second bucket listed is the only one to work.
> I have been searching forever and all I can find are references to multiple bases working in a man page, but no version information, no examples, no anything.
>
> Any help would be absolutely greatly appreciated from this list.
>
> Thanks!
> Louie
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
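The symptom reported above (two sudoers_base lines, only the last one ever queried) is what you get when the option is stored as a single value that each line overwrites, rather than as a list that is searched in order. The script below is an added illustration, not sudo's source and not anything posted in this thread: it parses an ldap.conf fragment both ways, flags the space-joined variant as a single malformed DN, walks a constructed in-memory directory in base order, and prints per-base ldapsearch commands for checking the directory side by hand. The hostnames and DNs are the ones quoted in the mail; the sudoRole entries, the user "alice" and the group "wheel" are made up for the example, and the search filter is a simplified form of what sudo builds (user, %group, ALL; netgroups omitted).

```python
# Added illustration of list-valued vs single-valued handling of
# "sudoers_base" in ldap.conf.  Not sudo's own code; models the thread's symptom.
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample modelled on the config quoted in the thread.
SAMPLE_LDAP_CONF = """\
uri ldap://ldap1.falchnet.net ldap://ldap2.falchnet.net
ldap_version 3
sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net
sudoers_base ou=SUDO,dc=falchnet,dc=net
binddn cn=LDAP Binder,ou=Special Accounts,dc=falchnet,dc=net
timelimit 10
ssl start_tls
"""

# The other variant tried in the thread: both bases on one line.
JOINED_LDAP_CONF = (
    "sudoers_base cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net"
    " ou=SUDO,dc=falchnet,dc=net\n"
)

BASE_WORKER = "cn=worker-sudo,ou=worker,ou=access,ou=groups,dc=falchnet,dc=net"
BASE_SUDO = "ou=SUDO,dc=falchnet,dc=net"

# Constructed directory: sudoRole entries keyed by the base they live under.
# "louie" only exists under the first base, as in the mail.
SAMPLE_DIRECTORY = {
    BASE_WORKER: [{"cn": "workers", "sudoUser": ["louie"], "sudoCommand": ["/sbin/service"]}],
    BASE_SUDO: [{"cn": "admins", "sudoUser": ["alice"], "sudoCommand": ["ALL"]}],
}


def parse_ldap_conf(text: str, list_valued: bool = True) -> Dict[str, List[str]]:
    """Parse 'key value' lines.  list_valued=True keeps every sudoers_base line
    in order; list_valued=False stores the option as one string, so each line
    overwrites the previous one and the LAST base wins (the reported symptom)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "sudoers_base" and list_valued:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = [value]  # single-valued: overwrite
    return conf


def suspicious_bases(bases: Sequence[str]) -> List[str]:
    """Heuristic: whitespace followed by 'attr=' inside a base almost always means
    two DNs were run together on one line, which the server rejects as one bad DN.
    Spaces inside a value ('ou=Special Accounts') are legitimate and not flagged."""
    return [b for b in bases if re.search(r"\s+[A-Za-z][\w-]*=", b)]


def matching_roles(bases: Sequence[str], directory: Dict[str, list], user: str,
                   groups: Sequence[str] = ()) -> List[Tuple[str, str]]:
    """Walk the bases in configured order and collect every sudoRole whose sudoUser
    names the user, one of the user's groups (%group) or ALL (netgroups omitted)."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    found = []
    for base in bases:
        for entry in directory.get(base, []):
            if wanted.intersection(entry["sudoUser"]):
                found.append((base, entry["cn"]))
    return found


def ldapsearch_commands(conf: Dict[str, List[str]], user: str,
                        groups: Sequence[str] = ()) -> List[str]:
    """One ldapsearch per configured base, to check the directory side by hand."""
    uri = conf["uri"][0].split()[0]
    binddn = conf["binddn"][0]
    tls = "-ZZ " if conf.get("ssl", [""])[0] == "start_tls" else ""
    terms = "".join(f"(sudoUser={v})" for v in [user, *("%" + g for g in groups), "ALL"])
    return [
        f"ldapsearch -LLL -x {tls}-H {uri} -D '{binddn}' -W -b '{base}' "
        f"'(|{terms})' cn sudoUser sudoHost sudoCommand"
        for base in conf.get("sudoers_base", [])
    ]


if __name__ == "__main__":
    for list_valued in (True, False):
        bases = parse_ldap_conf(SAMPLE_LDAP_CONF, list_valued)["sudoers_base"]
        print("list-valued:" if list_valued else "single-valued:", bases)
        for who in ("louie", "alice"):
            print(f"  {who} ->", matching_roles(bases, SAMPLE_DIRECTORY, who))
    print("joined line flagged:",
          suspicious_bases(parse_ldap_conf(JOINED_LDAP_CONF)["sudoers_base"]))
    for cmd in ldapsearch_commands(parse_ldap_conf(SAMPLE_LDAP_CONF), "louie", ["wheel"]):
        print(cmd)
```

Running the two ldapsearch commands it prints, in the same order as the sudoers_base lines, tells you whether the directory returns a role for the user under each base; if both answer and sudo still only honours the last base, the stock build is collapsing the option to a single value and no ordering of the lines will help.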