[sudo-users] nss_base_group not working

Sudoer sudo at toltec.com
Sat May 3 19:50:16 MDT 2014


Hello,

I have a problem where sudo 1.7 using ldap.conf works, but sudo 1.8 
using the same setup doesn't.  The LDAP search strings aren't the same, 
but I haven't been able to find the correct directive to fix it.

Does anyone know the correct setup?

Thanks.



/etc/ldap.conf
nss_base_passwd ou=people,dc=company,dc=net?sub?objectclass=posixAccount
nss_base_group  ou=neteng,dc=company,dc=net?sub?objectclass=posixGroup
nss_base_group  ou=support,dc=company,dc=net?sub?objectclass=posixGroup
nss_base_group  ou=groups,dc=company,dc=net?sub?objectclass=posixGroup
nss_base_group ou=engineering,dc=company,dc=net?sub?objectclass=posixGroup



In ldap:
cn=support3,ou=sudoers,dc=company,dc=net
sudoHost +cpe

cn=support3,ou=groups,ou=support,dc=company,dc=net
memberUID = user



With sudo version sudo-1.7.2p1-9.el5_5
Sudo output debug:
sudo: ldap search 
'(|(sudoUser=user)(sudoUser=%user)(sudoUser=%eng3)(sudoUser=%neteng3)(sudoUser=%support3)(sudoUser=ALL))'
sudo: found:cn=support3,ou=sudoers,dc=company,dc=net
sudo: ldap sudoHost '+cpe' ... MATCH!
sudo: ldap sudoRunAsUser 'root' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1


With sudo version sudo-1.8.10-3.el6.x86_64
sudo debug output:
sudo: ldap search 
'(&(objectClass=sudoRole)(|(sudoUser=user)(sudoUser=%user)(sudoUser=%#10001)(sudoUser=ALL)))'
sudo: searching from base 'ou=sudoers,dc=company,dc=net'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base 'ou=sudoers,dc=company,dc=net'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
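
Added example, not part of the original post: a small Python script that pulls the sudoUser terms out of the two debug traces quoted above and lists the group terms that the 1.7 query carried and the 1.8 query does not. The function names are made up for this illustration; the log lines are copied from the post.

```python
import re

# Debug lines copied from the post above (sudo 1.7.2p1 and 1.8.10 runs).
LOG_17 = """sudo: ldap search 
'(|(sudoUser=user)(sudoUser=%user)(sudoUser=%eng3)(sudoUser=%neteng3)(sudoUser=%support3)(sudoUser=ALL))'
sudo: found:cn=support3,ou=sudoers,dc=company,dc=net"""

LOG_18 = """sudo: ldap search 
'(&(objectClass=sudoRole)(|(sudoUser=user)(sudoUser=%user)(sudoUser=%#10001)(sudoUser=ALL)))'
sudo: searching from base 'ou=sudoers,dc=company,dc=net'
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'"""

# \s* lets the filter sit on the next line, as in the mail-wrapped traces.
SEARCH = re.compile(r"ldap search\s*'([^']*)'")
TERM = re.compile(r"\(sudoUser=([^()]*)\)")

def searches(log):
    """Return one set of sudoUser assertion values per 'ldap search' entry."""
    return [set(TERM.findall(flt)) for flt in SEARCH.findall(log)]

def kind(value):
    """Classify a sudoUser value by its sudoers.ldap prefix."""
    if value.startswith("%#"):
        return "gid"        # Unix group by numeric ID
    if value.startswith("%"):
        return "group"      # Unix group by name
    if value.startswith("+"):
        return "netgroup"
    if value == "ALL":
        return "all"
    if "*" in value:
        return "wildcard"
    return "user"

def group_terms(log):
    """Group terms (by name or gid) in the first, per-user search of a trace."""
    return {v for v in searches(log)[0] if kind(v) in ("group", "gid")}

def missing_groups(old_log, new_log):
    """Group terms present in the old trace's query but absent from the new one."""
    return sorted(group_terms(old_log) - group_terms(new_log))

if __name__ == "__main__":
    print("1.7 group terms:", sorted(group_terms(LOG_17)))
    print("1.8 group terms:", sorted(group_terms(LOG_18)))
    print("dropped in 1.8: ", missing_groups(LOG_17, LOG_18))
```

On these traces the 1.8 filter carries only `%user` and `%#10001` as group terms, while `%eng3`, `%neteng3` and `%support3` from the 1.7 filter are absent.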
