[sudo-users] LDAP and Sudo on Almalinux 8 not working right

Bram Mertens mertensb.mazda at gmail.com
Thu Jul 28 03:40:08 MDT 2022


Another thing to check is whether or not the path to the commands is the
same on both systems. Even though RHEL and Debian both have /sbin and
/usr/sbin they have different defaults for secure_path which changes which
binary is found and executed.
If the "wrong" one is in your sudo configuration it will not match the
rules and thus will prompt for a password.

HTH

Bram

On Tue, Jul 19, 2022 at 7:15 PM Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Tue, 19 Jul 2022 12:39:02 -0400, Mark Johanson via sudo-users wrote:
>
> > I inherited an openldap setup of 2.4.38. I am having trouble figuring out
> > why AlmaLinux 8 servers do skip asking for passwords for sudo. Our sudo
> > configuration is setup in our LDAP configuration. The sudoOption
> > !authenticate is setup to allow users with escalated privs to run commands.
> > On our Centos 7 servers this works without issues, but on Alma Linux 8
> > those same users are asked for their password. When running sudo -l it does
> > show the NOPASSWD for the commands, and then sudo asks the user for the
> > password anyway. Our sudo-ldap.conf file shows the correct information for
> > accessing LDAP. The nsswitch.conf does say to check ldap first.
>
> My guess is that there is another rule taking precedence that doesn't
> have authentication disabled.  The output of "sudo -l" should show
> all the user's privileges.  Sudo uses the last match so if there
> is a later rule without the !authenticate sudoOption that would
> explain it.  The order of entries in LDAP is not guaranteed but you
> can force the rule evaluation order using a sudoOrder attribute.
>
>  - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
>
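The two points raised in this thread (a later LDAP rule without !authenticate winning under sudo's last-match semantics, and a command resolving to a different binary under each distribution's secure_path) can be walked through with the following model. It is an added example, not sudo's own code nor anything from the list: the sudoRole entries, the user "alice", the host "web1" and the set of installed binaries are all constructed, the secure_path strings are what I recall as each distribution's stock default (verify against your own /etc/sudoers), and the matching is deliberately simplified to plain string comparison of command paths.

```python
"""Simplified model of sudo's LDAP rule evaluation (added example, not sudo code).

Everything here is constructed: the sudoRole entries, the user, host and list of
installed binaries, and the matching rules are a deliberate simplification
(command paths are compared as plain strings; real sudo has more cases).
"""
from typing import Dict, Iterable, List, Optional

# Default secure_path values as I recall them from each distribution's stock
# sudoers. Assumption: verify against /etc/sudoers on your own hosts.
SECURE_PATH = {
    "rhel": "/sbin:/bin:/usr/sbin:/usr/bin",
    "debian": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}

# Constructed sudoRole entries using the sudoers LDAP attribute names.
ROLES: List[Dict] = [
    {"cn": "ops_nopasswd", "sudoUser": ["%ops"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/systemctl", "/usr/local/sbin/backup"],
     "sudoOption": ["!authenticate"], "sudoOrder": 10},
    {"cn": "ops_catchall", "sudoUser": ["%ops"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": [], "sudoOrder": 20},
]

# Constructed view of what is installed: a locally built "backup" in
# /usr/local/sbin and a packaged one with the same name in /usr/sbin.
INSTALLED = {"/usr/bin/systemctl", "/usr/local/sbin/backup", "/usr/sbin/backup"}


def resolve_command(name: str, secure_path: str, installed: Iterable[str]) -> Optional[str]:
    """Mimic sudo's lookup: the first secure_path directory holding `name` wins."""
    files = set(installed)
    if "/" in name:                      # user gave an explicit path
        return name if name in files else None
    for directory in secure_path.split(":"):
        candidate = f"{directory}/{name}"
        if candidate in files:
            return candidate
    return None


def evaluate(user: str, groups: Iterable[str], host: str,
             full_path: Optional[str], roles: List[Dict]) -> Dict:
    """Apply sudoers semantics: sort by sudoOrder, the last matching role wins."""
    groups = set(groups)
    if full_path is None:                # command not found in secure_path
        return {"allowed": False, "matched": None, "password": True}
    matched = None
    for role in sorted(roles, key=lambda r: r.get("sudoOrder", 0)):
        users_ok = any(
            u == "ALL" or (u.startswith("%") and u[1:] in groups) or u == user
            for u in role["sudoUser"])
        host_ok = "ALL" in role["sudoHost"] or host in role["sudoHost"]
        cmd_ok = "ALL" in role["sudoCommand"] or full_path in role["sudoCommand"]
        if users_ok and host_ok and cmd_ok:
            matched = role               # keep going: a later match overrides
    if matched is None:
        return {"allowed": False, "matched": None, "password": True}
    return {"allowed": True, "matched": matched["cn"],
            "password": "!authenticate" not in matched["sudoOption"]}


def check(distro: str, command: str, roles: List[Dict] = ROLES) -> Dict:
    """Resolve `command` under the distro's secure_path, then evaluate the roles."""
    full_path = resolve_command(command, SECURE_PATH[distro], INSTALLED)
    result = evaluate("alice", ["ops"], "web1", full_path, roles)
    result["resolved"] = full_path
    return result


def without_catchall() -> List[Dict]:
    """The same role set with the later catch-all rule removed."""
    return [r for r in ROLES if r["cn"] != "ops_catchall"]


if __name__ == "__main__":
    for distro in ("rhel", "debian"):
        for cmd in ("systemctl", "backup"):
            print(distro, cmd, check(distro, cmd))
            print(distro, cmd, "no catch-all:", check(distro, cmd, without_catchall()))
```

Running it shows the catch-all rule (sudoOrder 20) overriding the NOPASSWD rule on both distributions, which is what "sudo -l" listing NOPASSWD while a password is still demanded looks like; removing the catch-all (or giving it a lower sudoOrder so it is evaluated first) fixes that. It also shows "backup" resolving to /usr/sbin/backup under the RHEL-style secure_path, so the rule written for /usr/local/sbin/backup never matches there even though it does on Debian.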


More information about the sudo-users mailing list