[sudo-users] LDAP sudoHost does not match host netgroup

Julien PAWLAK julien at pwlk.fr
Tue Nov 10 04:07:10 MST 2015


Hi all,

I use LDAP and sudo to manage hosts and users, and I have a problem with 
sudoHost and netgroup.

Here you can see the entry for the admin user, for example:
*ldapsearch -x "(cn=admin)"*
# extended LDIF
#
# LDAPv3
# base <dc=pwlk,dc=fr> (default) with scope subtree
# filter: (cn=admin)
# requesting: ALL
#

# admin, people, netgroup, pwlk.fr
dn: cn=admin,ou=people,ou=netgroup,dc=pwlk,dc=fr
objectClass: nisNetgroup
objectClass: top
cn: admin
nisNetgroupTriple: (,flac,)

Entry for hosts:
*ldapsearch -x "(cn=dc1)"*
# extended LDIF
#
# LDAPv3
# base <dc=pwlk,dc=fr> (default) with scope subtree
# filter: (cn=dc1)
# requesting: ALL
#

# dc1, hosts, netgroup, pwlk.fr
dn: cn=dc1,ou=hosts,ou=netgroup,dc=pwlk,dc=fr
objectClass: nisNetgroup
objectClass: top
cn: dc1
nisNetgroupTriple: (dediflac-1,,)

Entry for sudo:
*ldapsearch -x "(cn=sudo_dc1)"*
# extended LDIF
#
# LDAPv3
# base <dc=pwlk,dc=fr> (default) with scope subtree
# filter: (cn=sudo_dc1)
# requesting: ALL
#

# sudo_dc1, admin, sudo, pwlk.fr
dn: cn=sudo_dc1,ou=admin,ou=sudo,dc=pwlk,dc=fr
objectClass: sudoRole
objectClass: top
sudoRunAs: ALL
sudoCommand: ALL
sudoUser: +admin
sudoHost: +dc1
cn: sudo_dc1

Result of the hostname command:
*hostname*
dediflac-1

Result of the whoami command:
*whoami*
flac

And when I execute a command on host dediflac-1 as user flac with sudo 
debug, I get this output:
*flac@dediflac-1:~$ sudo ls*
LDAP Config Summary
===================
uri              ldap://123.123.123.123
ldap_version     3
sudoers_base     ou=sudo,dc=pwlk,dc=fr
binddn           cn=admin,dc=pwlk,dc=fr
bindpw           XXXXXXX
ssl              (no)
===================
sudo: ldap_initialize(ld, ldap://123.123.123.123)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=sudo,dc=pwlk,dc=fr
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap search '(|(sudoUser=flac)(sudoUser=%readonly)(sudoUser=%admin)(sudoUser=ALL))'
sudo: found:cn=sudo_dc1,ou=admin,ou=sudo,dc=pwlk,dc=fr
sudo: ldap sudoUser netgroup '+admin' ... MATCH!
*sudo: ldap sudoHost '+dc1' ... not*
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40

The host does not match...

Do you have any idea about my problem?

Thanks

Julien
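As an added example (not from this post and not sudo's own code): a small Python model of the netgroup triple semantics that sudo's `+netgroup` entries in sudoUser and sudoHost rely on, loaded with the two triples from the LDIF above. It assumes simplified innetgr(3) rules (an empty triple field matches anything, a None query field means "don't care") and that sudo tests both the long and the short hostname against a sudoHost netgroup; NIS domain handling is left out.

```python
# Added model of NIS netgroup triple matching behind sudo's "+netgroup"
# entries. Simplified innetgr(3) semantics; no NIS domain handling and
# no cycle guard for nested netgroups.
from typing import Dict, List, Optional, Tuple

Triple = Tuple[Optional[str], Optional[str], Optional[str]]

# Netgroups copied from the LDIF in this post (constructed test data).
NETGROUPS: Dict[str, List[str]] = {
    "admin": ["(,flac,)"],      # any host, user flac, any domain
    "dc1": ["(dediflac-1,,)"],  # host dediflac-1, any user, any domain
}

def parse_triple(text: str) -> Triple:
    """Parse '(host,user,domain)'; an empty field means 'any' (None)."""
    body = text.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"not a netgroup triple: {text!r}")
    fields = [f.strip() or None for f in body[1:-1].split(",")]
    if len(fields) != 3:
        raise ValueError(f"triple needs exactly three fields: {text!r}")
    return fields[0], fields[1], fields[2]

def _field_ok(pattern: Optional[str], value: Optional[str]) -> bool:
    # An empty triple field matches anything; a None query value means
    # "don't care", like passing NULL for that argument to innetgr(3).
    return pattern is None or value is None or pattern == value

def in_netgroup(name: str, host: Optional[str], user: Optional[str],
                domain: Optional[str],
                groups: Dict[str, List[str]] = NETGROUPS) -> bool:
    """Simplified innetgr(3): True if any member of `name` matches."""
    for member in groups.get(name, []):
        if member.startswith("("):
            h, u, d = parse_triple(member)
            if _field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain):
                return True
        elif in_netgroup(member, host, user, domain, groups):  # nested netgroup
            return True
    return False

def sudo_host_matches(netgroup: str, fqdn: str, shorthost: str) -> bool:
    """sudoHost +netgroup: try the long and then the short hostname."""
    return (in_netgroup(netgroup, fqdn, None, None)
            or in_netgroup(netgroup, shorthost, None, None))

def sudo_user_matches(netgroup: str, user: str) -> bool:
    """sudoUser +netgroup: only the user field is compared."""
    return in_netgroup(netgroup, None, user, None)
```

In this model `(dediflac-1,,)` does match host dediflac-1, so a real "not" result is worth checking at the lookup layer: `getent netgroup dc1` on the host shows what the system's netgroup resolution actually returns for that name.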

