[sudo-users] sudo and LDAP

Eric Frost eric at ericfrost.org
Sun Jul 27 19:16:42 MDT 2014


I'm not quite sure where I have gone off the rails but no matter how
much I've checked and double checked I can't get this to work.

This is the schema I added (which looks off due to line breaks):

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )


This is the resulting ldif from the sudoers2ldif perl script:

dn: cn=defaults,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
sudoOrder: 1

dn: cn=root,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=%admin,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 3

dn: cn=%domainadmins,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: %domainadmins
sudoUser: %domainadmins
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 4

dn: cn=%sudo,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 5

I did add the following before adding the above ldif:

dn: ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: organizationalUnit

All of the above went smoothly on the ldap server. However, it's when I
get to the client(s) that chaos ensues. I've put the SUDOERS_BASE in
/etc/ldap.conf. I've made sure /etc/nsswitch has sudoers: ldap in it.
I've finally had to enable SUDOERS_DEBUG 2 and it pretty much sums up my
suspicions that the searches are failing to find, well, anything. I've
checked and rechecked, tried deleting everything and starting over... I
keep running into this problem.

This is what occurs on the client:

root at dhcp-192-168-0-106:~# sudo -l
LDAP Config Summary
===================
uri              ldap://server1.test.lan ldap://server2.test.lan
ldap_version     3
sudoers_base     ou=sudoers,dc=test,dc=lan
binddn           (anonymous)
bindpw           (anonymous)
ssl              (no)
tls_cacertfile   /etc/ssl/certs/ca-certificates.crt
===================
sudo: ldap_initialize(ld, ldap://server1.test.lan ldap://server2.test.lan)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=test,dc=lan
sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=test,dc=lan'
sudo: nothing found for '(|(sudoUser=root)(sudoUser=%root)(sudoUser=ALL))'
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=test,dc=lan'
sudo: nothing found for '(sudoUser=+*)'
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=0
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x62
sudo: ldap search for command list
sudo: reusing previous result (user root) with 0 entries
User root is not allowed to run sudo on dhcp-192-168-0-106.
sudo: removing reusable search result
root at dhcp-192-168-0-106:~#

Any hints/tips/suggestions?

Thanks,
Eric


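An added offline check of the posted entries, not part of Eric's message and not sudo's own code: it parses LDIF (including RFC 2849 folded continuation lines, the thing the mail wrapping above broke), then applies the same filters the SUDOERS_DEBUG output shows sudo issuing, the cn=defaults lookup, `(|(sudoUser=<user>)(sudoUser=%<group>)...(sudoUser=ALL))`, and `(sudoUser=+*)` for netgroups, and orders the hits by sudoOrder. The embedded LDIF is a constructed subset of the post's entries; the user name `eric`, the group lists and the netgroup set are assumptions. Host matching covers only `ALL` and an exact hostname (no wildcards or netgroups), and no bind or ACL behaviour is modelled.

```python
"""Offline replay of the LDAP searches sudo issues, against LDIF text (added example)."""
import re

# Constructed input: a subset of the sudoRole entries from the post. The long
# sudoOption value is folded LDIF-style (continuation line starts with a space).
SUDOERS_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sb
 in:/bin"
sudoOrder: 1

dn: cn=root,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=%sudo,ou=sudoers,dc=test,dc=lan
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 5
"""


def parse_ldif(text):
    """Return a list of entries: dict of lower-cased attribute -> [values]."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 folded continuation
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")  # split at the first colon only
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def _split_top(s):
    """Split '(a)(b)(c)' into its depth-0 parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Evaluate an RFC 4515 subset (&, |, !, equality with '*' wildcards)."""
    body = flt[1:-1]
    if body[0] == "&":
        return all(match_filter(entry, f) for f in _split_top(body[1:]))
    if body[0] == "|":
        return any(match_filter(entry, f) for f in _split_top(body[1:]))
    if body[0] == "!":
        return not match_filter(entry, body[1:])
    attr, _, pattern = body.partition("=")
    # schema uses caseExactIA5Match, so values compare case-sensitively
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.fullmatch(regex, v) for v in entry.get(attr.lower(), []))


def sudo_user_filter(user, groups):
    """The user/group/ALL filter seen in the SUDOERS_DEBUG output."""
    terms = [f"(sudoUser={user})"] + [f"(sudoUser=%{g})" for g in groups]
    return "(|" + "".join(terms) + "(sudoUser=ALL))"


def lookup(entries, user, groups, host, netgroups=()):
    """Mimic sudo's order: defaults, user/group/ALL roles, netgroup roles, sudoOrder."""
    defaults = [e for e in entries if match_filter(e, "(cn=defaults)")]
    options = defaults[0].get("sudooption", []) if defaults else []
    roles = [e for e in entries if match_filter(e, sudo_user_filter(user, groups))]
    for e in entries:  # sudo fetches every +netgroup role and checks membership itself
        if match_filter(e, "(sudoUser=+*)") and e not in roles:
            if any(v[1:] in netgroups for v in e["sudouser"] if v.startswith("+")):
                roles.append(e)
    roles = [e for e in roles if any(h in ("ALL", host) for h in e.get("sudohost", []))]
    roles.sort(key=lambda e: int(e.get("sudoorder", ["0"])[0]))
    return options, [(e["cn"][0], e.get("sudocommand", [])) for e in roles]


if __name__ == "__main__":
    ents = parse_ldif(SUDOERS_LDIF)
    for who, grps in (("root", ["root"]), ("eric", ["sudo"]), ("eric", ["users"])):
        print(who, grps, lookup(ents, who, grps, "dhcp-192-168-0-106"))
```

Against the posted data this returns a role for root and for members of %sudo, so an empty result on the client is a reason to look at what the anonymous bind shown in the debug summary is permitted to read rather than at the LDIF itself; running the same filter from the client with `ldapsearch -x -H ldap://server1.test.lan -b ou=sudoers,dc=test,dc=lan '(|(sudoUser=root)(sudoUser=%root)(sudoUser=ALL))'` shows whether the server returns the entries to an anonymous client at all.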