[sudo-users] listpw/verifypw issues with sssd and ldap

Michael Fischer mfischer at zendesk.com
Thu Apr 7 18:02:16 MDT 2016

It appears there's a bug in sudo (at least as of 1.8.9p5) that prevents
listpw and verifypw from working as expected in LDAP environments:

Here are the conditions:

- /etc/nsswitch.conf has "sudoers: files sss" or "sudoers: files ldap"
- the listpw and verifypw options are left at defaults (listpw: any,
verifypw: all)
- user bob's sudoers rules are as follows:

in /etc/sudoers:

bob ALL=NOPASSWD:/some/command

in LDAP (translated for readability):

bob ALL=/some/other/command

Expected outcome: "sudo -v" prompts for a password
Actual outcome: "sudo -v" does not prompt for a password

However, If I add the following line to /etc/sudoers:

bob ALL=/yet/another/command

Then, "sudo -v" will prompt for a password.

The evidence suggests to me that rules stored in LDAP are not being
evaluated for the purpose of determining whether "All the user's sudoers
entries for the current host [] have the NOPASSWD flag set."



More information about the sudo-users mailing list