[sudo-users] sudo-ldap works with !authenticate only

Olivia Nelson the.warl0ck.1989 at gmail.com
Mon Sep 9 03:18:16 MDT 2019


I'm trying to set up sudo-ldap in a clean CentOS 7 docker environment.
I've successfully set up sssd and PAM authentication, and it works.

However, sudo-ldap works only if !authenticate is set:

---------------
# LDIF file

dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoCommand: !/bin/cp
sudoOption: !authenticate

# result of sudo cp:

sudo: searching LDAP for sudoers entries
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: LDAP entry: 0x564d56cb9960
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
cp: missing file operand
Try 'cp --help' for more information.
---------------

If I remove `sudoOption: !authenticate`, it prompts me for a password,
but it's always wrong:

sudo: pam_sss(sudo:auth): authentication failure; logname= uid=2000
euid=0 tty=/dev/console ruser=test rhost= user=test

I get the above line even before I type the password, but I can use
the same password to log in via SSH, so it's a sudo issue.

What do you think?
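Added example (editor's note, not code from the post or from the sudo project): a small Python model of how the sudoRole entry above is evaluated, following the matching rules described in sudoers.ldap(5). It parses the posted LDIF, matches sudoUser/sudoHost/sudoRunAsUser as a literal name or ALL, treats a matching sudoCommand value prefixed with `!` as a deny, and reports whether `sudoOption: !authenticate` removes the password prompt. Assumptions that are mine and not the page's: command paths are compared as plain strings (real sudo's path resolution and comparison is more involved), command arguments and group/netgroup syntax are not handled, a missing sudoRunAsUser is taken to mean root, and only this single entry is evaluated (sudoOrder is ignored). The host name `host1` and the alternative path `/usr/bin/cp` are illustrative inputs.

```python
"""Simplified model of how sudo evaluates one sudoRole entry from LDAP.

Added example, not code from the sudo project.  Modelled on sudoers.ldap(5):
sudoUser, sudoHost and sudoRunAsUser match a literal name or ALL; sudoCommand
matches ALL or a path, and a matching value prefixed with '!' denies; the
sudoOption value '!authenticate' disables the password prompt.
Assumptions (mine): string comparison of paths only, no argument matching,
no group/netgroup syntax, single entry (sudoOrder ignored).
"""

# The sudoRole entry from the post above, as one LDIF entry.
SUDO_ROLE_LDIF = """\
dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoCommand: !/bin/cp
sudoOption: !authenticate
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into a dict of attribute -> list of values.

    LDIF repeats the attribute name for multi-valued attributes (sudoCommand
    appears twice above), so every attribute maps to a list.
    """
    entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def name_matches(values, name):
    """sudoUser / sudoHost / sudoRunAsUser: literal name or the keyword ALL."""
    return any(v == "ALL" or v == name for v in values)


def command_matches(values, cmnd):
    """sudoCommand: a matching '!' value denies; otherwise any positive match allows.

    Any argument part of a value is dropped (model simplification).
    """
    allowed = False
    for value in values:
        negated = value.startswith("!")
        pattern = value.lstrip("!").split(" ", 1)[0]
        if pattern == "ALL" or pattern == cmnd:
            if negated:
                return False
            allowed = True
    return allowed


def evaluate(entry, user, host, runas, cmnd):
    """Return (allowed, password_required) for one request against one sudoRole."""
    if "sudoRole" not in entry.get("objectClass", []):
        raise ValueError("entry is not a sudoRole")
    if not name_matches(entry.get("sudoUser", []), user):
        return False, True
    if not name_matches(entry.get("sudoHost", []), host):
        return False, True
    # Assumption: no sudoRunAsUser means the runas default, i.e. root.
    if not name_matches(entry.get("sudoRunAsUser") or ["root"], runas):
        return False, True
    allowed = command_matches(entry.get("sudoCommand", []), cmnd)
    # sudoOption values are sudoers Defaults; '!' negates a boolean flag.
    password_required = True
    for opt in entry.get("sudoOption", []):
        if opt == "authenticate":
            password_required = True
        elif opt == "!authenticate":
            password_required = False
    return allowed, password_required


if __name__ == "__main__":
    role = parse_ldif_entry(SUDO_ROLE_LDIF)
    for cmnd in ("/bin/cp", "/usr/bin/cp", "/bin/ls"):
        print(cmnd, evaluate(role, "test", "host1", "root", cmnd))
    # Same role without '!authenticate': the password prompt comes back.
    role_auth = parse_ldif_entry(SUDO_ROLE_LDIF.replace("sudoOption: !authenticate\n", ""))
    print("/bin/ls without !authenticate", evaluate(role_auth, "test", "host1", "root", "/bin/ls"))
```

Two things the model makes visible. First, with `sudoCommand: ALL` alongside `sudoCommand: !/bin/cp`, only the exact string `/bin/cp` is denied; `/usr/bin/cp` is still allowed, and the debug output in the post likewise shows `sudo cp` being allowed with this entry in place. sudoers(5) warns that subtracting commands from ALL with `!` is generally not an effective restriction, so this entry should be read as "any command, no password". Second, removing `!authenticate` is exactly what brings the password prompt back; the `pam_sss(sudo:auth)` failure in the post is then produced by the sudo PAM stack, which this model does not cover.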


More information about the sudo-users mailing list