[sudo-users] sudo-ldap works with !authenticate only

Olivia Nelson the.warl0ck.1989 at gmail.com
Mon Sep 9 03:20:04 MDT 2019


I forgot to attach these logs:

# Without !authenticate:

sudo: searching LDAP for sudoers entries
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: ldap sudoCommand '!/bin/cp' ... MATCH!
sudo: Command allowed
sudo: LDAP entry: 0x5604a5543930
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for test:
Sorry, try again

On Mon, Sep 9, 2019 at 5:18 PM Olivia Nelson <the.warl0ck.1989 at gmail.com> wrote:
>
> I'm trying to set up sudo-ldap in a clean CentOS 7 docker environment.
> I've successfully set up sssd and PAM authentication, and it works.
>
> However, sudo-ldap works only if !authenticate is set:
>
> ---------------
> # LDIF file
>
> dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
> objectClass: top
> objectClass: sudoRole
> cn: test
> sudoUser: test
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
> sudoCommand: !/bin/cp
> sudoOption: !authenticate
>
> # result of sudo cp:
>
> sudo: searching LDAP for sudoers entries
> sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> sudo: Command allowed
> sudo: LDAP entry: 0x564d56cb9960
> sudo: done with LDAP searches
> sudo: user_matches=true
> sudo: host_matches=true
> sudo: sudo_ldap_lookup(0)=0x02
> sudo: removing reusable search result
> cp: missing file operand
> Try 'cp --help' for more information.
> ---------------
>
> If I remove `sudoOption: !authenticate`, it prompts me for a password,
> but it's always wrong:
>
> sudo: pam_sss(sudo:auth): authentication failure; logname= uid=2000
> euid=0 tty=/dev/console ruser=test rhost= user=test
>
> I got the above line even before I typed the password, but I can use
> the same password to log in via SSH, so it's a sudo issue.
>
> What do you think?
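As an added example (not code from this thread or from the sudo project), here is a small audit script that parses sudoRole entries from an LDIF export and reports those that set `sudoOption: !authenticate`, i.e. roles that grant sudo without a password prompt. The sample LDIF embeds the thread's role plus a constructed `ops` role (hypothetical) that keeps the prompt and exercises LDIF line folding.

```python
from collections import defaultdict
# Constructed sample: the thread's role plus a constructed 'ops' role using LDIF line folding.
SAMPLE_LDIF = """\
dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/cp
sudoOption: !authenticate

dn: cn=ops,ou=SUDOers,ou=People,dc=srv,dc=world
objectClass: sudoRole
cn: ops
sudoUser: %ops
sudoCommand: /usr/bin/systemctl rest
 art httpd
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; '::' base64 values are not decoded."""
    entries, cur, last = [], None, None
    for raw in text.splitlines() + [""]:         # trailing "" flushes the last entry
        if raw.startswith("#"):                  # LDIF comment line
            continue
        if not raw.strip():                      # blank line separates entries
            if cur:
                entries.append(dict(cur))
            cur, last = None, None
            continue
        if raw.startswith(" ") and last:         # folded line continues previous value
            cur[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        cur = cur if cur is not None else defaultdict(list)
        last = attr.strip()
        cur[last].append(value.strip())
    return entries

def audit_sudo_roles(entries):
    """Map cn -> sudoCommand list for sudoRole entries that set !authenticate."""
    findings = {}
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        opts = {o.replace(" ", "") for o in e.get("sudoOption", [])}
        if "!authenticate" in opts:
            findings[e["cn"][0]] = e.get("sudoCommand", [])
    return findings
```

Run it against `ldapsearch -LLL` output of your SUDOers subtree to list every role that skips the password prompt.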

