[sudo-users] LDAP sudoHost does not match host netgroup

Julien PAWLAK julien at pwlk.fr
Tue Nov 10 07:41:13 MST 2015


Hi,

My hosts file was not good.

I had this:
*cat /etc/hosts*
127.0.0.1    localhost dediflac-1
127.0.1.1    dediflac-1

=> not working

And I modified it like this:
*cat /etc/hosts*
127.0.0.1    localhost
127.0.1.1    dediflac-1

And now it's working very well.

I hope this can help someone.

Bye

On 10/11/2015 12:07, Julien PAWLAK wrote:
> Hi all,
>
> I use LDAP and SUDO to manage hosts and users, and I have a problem 
> with sudoHost and netgroup.
>
> Here you can see the entry for the admin users, for example:
> *ldapsearch -x "(cn=admin)"*
> # extended LDIF
> #
> # LDAPv3
> # base <dc=pwlk,dc=fr> (default) with scope subtree
> # filter: (cn=admin)
> # requesting: ALL
> #
>
> # admin, people, netgroup, pwlk.fr
> dn: cn=admin,ou=people,ou=netgroup,dc=pwlk,dc=fr
> objectClass: nisNetgroup
> objectClass: top
> cn: admin
> nisNetgroupTriple: (,flac,)
>
> Entry for hosts:
> *ldapsearch -x "(cn=dc1)"*
> # extended LDIF
> #
> # LDAPv3
> # base <dc=pwlk,dc=fr> (default) with scope subtree
> # filter: (cn=dc1)
> # requesting: ALL
> #
>
> # dc1, hosts, netgroup, pwlk.fr
> dn: cn=dc1,ou=hosts,ou=netgroup,dc=pwlk,dc=fr
> objectClass: nisNetgroup
> objectClass: top
> cn: dc1
> nisNetgroupTriple: (dediflac-1,,)
>
> Entry for sudo:
> *ldapsearch -x "(cn=sudo_dc1)"*
> # extended LDIF
> #
> # LDAPv3
> # base <dc=pwlk,dc=fr> (default) with scope subtree
> # filter: (cn=sudo_dc1)
> # requesting: ALL
> #
>
> # sudo_dc1, admin, sudo, pwlk.fr
> dn: cn=sudo_dc1,ou=admin,ou=sudo,dc=pwlk,dc=fr
> objectClass: sudoRole
> objectClass: top
> sudoRunAs: ALL
> sudoCommand: ALL
> sudoUser: +admin
> sudoHost: +dc1
> cn: sudo_dc1
>
> Result of the hostname command:
> *hostname*
> dediflac-1
>
> Result of the whoami command:
> *whoami*
> flac
>
> And when I execute a command on host dediflac-1 as user flac with sudo 
> debug, I got this output:
> *flac at dediflac-1:~$ sudo ls *
> LDAP Config Summary
> ===================
> uri              ldap://123.123.123.123
> ldap_version     3
> sudoers_base     ou=sudo,dc=pwlk,dc=fr
> binddn           cn=admin,dc=pwlk,dc=fr
> bindpw           XXXXXXX
> ssl              (no)
> ===================
> sudo: ldap_initialize(ld, ldap://123.123.123.123)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=sudo,dc=pwlk,dc=fr
> sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
> sudo: ldap search 
> '(|(sudoUser=flac)(sudoUser=%readonly)(sudoUser=%admin)(sudoUser=ALL))'
> sudo: found:cn=sudo_dc1,ou=admin,ou=sudo,dc=pwlk,dc=fr
> sudo: ldap sudoUser netgroup '+admin' ... MATCH!
> *sudo: ldap sudoHost '+dc1' ... not*
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x40
>
> The host does not match...
>
> Do you have any idea about my problem?
>
> Thanks
>
> Julien
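The fix in this thread is a hosts-file change, so here is a small check for that pattern, as an added example that is not part of the thread: it parses an /etc/hosts file the way the resolver's files backend does (the first name on a line is the canonical name) and flags a hostname whose canonical name comes out as something else, such as localhost. That a canonical-name lookup of dediflac-1 returning localhost is what broke the sudoHost netgroup match is an assumption made here, not something the thread confirms. The two sample files are the ones posted above, embedded as constructed strings.

```python
"""Lint an /etc/hosts file for a hostname listed as an alias of localhost."""
from typing import List, Optional, Tuple


def parse_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (address, canonical_name, aliases) for each non-comment line.
    As in the hosts(5) format, the first name on a line is the canonical
    name and every following name is an alias."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:  # an address with no name is not an entry
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(text: str, name: str) -> Optional[str]:
    """Canonical name a resolver backed only by this file would report for
    `name`; the first matching line wins, as with the files backend."""
    for _addr, canon, aliases in parse_hosts(text):
        if name == canon or name in aliases:
            return canon
    return None


def lint_hostname(text: str, hostname: str) -> List[str]:
    """Findings for the misconfiguration from the thread: the machine's own
    hostname is only an alias on a line whose canonical name is different."""
    findings = []
    canon = canonical_name(text, hostname)
    if canon is None:
        findings.append(f"{hostname} is not present in the hosts file")
    elif canon != hostname:
        findings.append(f"{hostname} has canonical name {canon!r}; a netgroup "
                        f"triple keyed on {hostname} may not match")
    return findings


# Constructed samples reproducing the broken and fixed files from the thread.
BROKEN = "127.0.0.1    localhost dediflac-1\n127.0.1.1    dediflac-1\n"
FIXED = "127.0.0.1    localhost\n127.0.1.1    dediflac-1\n"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_hostname(text, "dediflac-1") or ["ok"])
```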
