[sudo-users] listpw/verifypw issues with sssd and ldap
mfischer at zendesk.com
Thu Apr 7 18:02:16 MDT 2016
It appears there's a bug in sudo (at least as of 1.8.9p5) that prevents
listpw and verifypw from working as expected in LDAP environments:
Here are the conditions:
- /etc/nsswitch.conf has "sudoers: files sss" or "sudoers: files ldap"
- the listpw and verifypw options are left at defaults (listpw: any,
- user bob's sudoers rules are as follows:
in LDAP (translated for readability):
Expected outcome: "sudo -v" prompts for a password
Actual outcome: "sudo -v" does not prompt for a password
However, if I add the following line to /etc/sudoers:
Then, "sudo -v" will prompt for a password.
The evidence suggests to me that rules stored in LDAP are not being
evaluated for the purpose of determining whether "All the user's sudoers
entries for the current host have the NOPASSWD flag set."
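As an added illustration (not code from the post or from sudo itself), the following Python model walks through the sudoers(5) listpw/verifypw policies over entries tagged with the nsswitch source they came from. The rules, the hostname "web1" and the assumption that an empty set of matching entries satisfies the "all" policy vacuously are all constructed here; they are not the rules from the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One sudoers entry, reduced to the fields the listpw/verifypw check looks at."""
    source: str      # nsswitch source it came from: "files", "sss" or "ldap"
    user: str
    host: str        # "ALL" or a specific hostname
    nopasswd: bool   # True when the entry carries the NOPASSWD tag

def matching_rules(rules, user, host, sources):
    """Entries for this user and host, restricted to the nsswitch sources actually consulted."""
    return [r for r in rules
            if r.source in sources and r.user == user and r.host in ("ALL", host)]

def password_required(rules, user, host, policy, sources=("files", "sss")):
    """Model of the sudoers(5) listpw/verifypw policies for 'sudo -l' and 'sudo -v'.
    all:    every matching entry must carry NOPASSWD to skip the prompt
    any:    one matching entry with NOPASSWD is enough to skip the prompt
    always / never: unconditional.
    Assumption (modelled here, not taken from the sudo source): with no matching
    entries the 'all' test is vacuously satisfied, which is what makes a skipped
    LDAP source look like 'no password needed'."""
    if policy == "always":
        return True
    if policy == "never":
        return False
    flags = [r.nopasswd for r in matching_rules(rules, user, host, sources)]
    if policy == "all":
        return not all(flags)
    if policy == "any":
        return not any(flags)
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample data (not the rules from the original report):
# bob has a single rule in LDAP (via sss) and nothing in /etc/sudoers.
LDAP_ONLY = [Rule("sss", "bob", "ALL", nopasswd=False)]
# Same, plus a constructed /etc/sudoers entry for bob that also lacks NOPASSWD.
WITH_FILES_RULE = LDAP_ONLY + [Rule("files", "bob", "ALL", nopasswd=False)]

def reproduce_report():
    """'sudo -v' under verifypw=all: (expected, if the LDAP source is skipped, after adding a files rule)."""
    return (
        password_required(LDAP_ONLY, "bob", "web1", "all"),                          # True: prompt
        password_required(LDAP_ONLY, "bob", "web1", "all", sources=("files",)),       # False: no prompt
        password_required(WITH_FILES_RULE, "bob", "web1", "all", sources=("files",)),  # True: prompt
    )
```

The three values returned by `reproduce_report()` line up with the expected outcome, the observed outcome, and the change after the /etc/sudoers line is added; the same function with `policy="any"` models listpw for `sudo -l`.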