[sudo-users] LDAP and Sudo on Almalinux 8 not working right

Todd C. Miller Todd.Miller at sudo.ws
Tue Jul 19 11:15:14 MDT 2022


On Tue, 19 Jul 2022 12:39:02 -0400, Mark Johanson via sudo-users wrote:

> I inherited an openldap setup of 2.4.38. I am having trouble figuring out
> why AlmaLinux 8 servers do skip asking for passwords for sudo. Our sudo
> configuration is set up in our LDAP configuration. The sudoOption
> !authenticate is set up to allow users with escalated privs to run commands.
> On our Centos 7 servers this works without issues, but on Alma Linux 8
> those same users are asked for their password. When running sudo -l it does
> show the NOPASSWD for the commands, and then sudo asks the user for the
> password anyway. Our sudo-ldap.conf file shows the correct information for
> accessing LDAP. The nsswitch.conf does say to check ldap first.

My guess is that there is another rule taking precedence that doesn't
have authentication disabled.  The output of "sudo -l" should show
all the user's privileges.  Sudo uses the last match so if there
is a later rule without the !authenticate sudoOption that would
explain it.  The order of entries in LDAP is not guaranteed but you
can force the rule evaluation order using a sudoOrder attribute.

 - todd
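As an added illustration of the last-match behaviour Todd describes (this LDIF is not part of his reply or of the sudo project), here are two overlapping sudoRole entries and the sudoOrder modifications that force the !authenticate rule to be evaluated last; the container ou=SUDOers,dc=example,dc=com, the group %ops and the command are assumptions.

```ldif
# Constructed example. Assumed sudoers_base: ou=SUDOers,dc=example,dc=com.
# Rule 1: members of the ops group may run anything, password required.
# It carries no sudoOrder, which sudo treats as 0, and the LDAP server may
# return it before or after rule 2 in any given query.
dn: cn=ops-all,ou=SUDOers,dc=example,dc=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: ops-all
sudoUser: %ops
sudoHost: ALL
sudoCommand: ALL

# Rule 2: the same users may restart one service without a password.
# With no sudoOrder on either entry, whichever rule the server happens to
# list last wins for the overlapping command. When rule 1 comes last,
# "sudo -l" still shows the NOPASSWD line from rule 2, yet the password
# prompt from rule 1 applies, which matches the symptom in the question.
dn: cn=ops-restart-nopasswd,ou=SUDOers,dc=example,dc=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: ops-restart-nopasswd
sudoUser: %ops
sudoHost: ALL
sudoCommand: /usr/bin/systemctl restart app.service
sudoOption: !authenticate

# Fix: pin the evaluation order. sudo sorts matching entries by sudoOrder
# in ascending order and applies the last match, so the rule that should
# win (the !authenticate one) gets the higher value.
dn: cn=ops-all,ou=SUDOers,dc=example,dc=com
changetype: modify
add: sudoOrder
sudoOrder: 10

dn: cn=ops-restart-nopasswd,ou=SUDOers,dc=example,dc=com
changetype: modify
add: sudoOrder
sudoOrder: 20
```

Apply the file with ldapmodify as a directory administrator, then re-run "sudo -l" as an affected user on the AlmaLinux 8 host to confirm that both rules are listed and that the password prompt is gone for the restart command.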
