[sudo-users] AIX sudo - Unable to match host LDAP netgroup.

Palmer, Hil S. Hilary.Palmer at unitypoint.org
Wed Mar 30 15:59:47 MDT 2022


Hello,

I have been fighting this for days now, and I know I have to be missing something dumb.

Versions:  AIX 7.2, openldap-2.4.58-2.ppc, sudo-1.9.5p2-1.ppc

If I enter the server name in for the sudoHost it works, but when I attempt to use the netgroup name it will not work.

Here is my sudoer role...
dn: cn=palmerhsrole,ou=sudoers,dc=XXXXXX
objectClass: sudoRole
objectClass: top
cn: palmerhsrole
sudoUser: PalmerHS
sudoHost: +hgrp_test
sudoCommand: /bin/ls


I can resolve the netgroup I want via lsldap...
hiabld1:  # lsldap -a netgroup hgrp_test
dn: cn=hgrp_test,ou=netgroups,dc=XXXXXX
objectClass: nisNetgroup
objectClass: top
cn: hgrp_test
msSFU30Name: hgrp_test
nisNetgroupTriple: (hiabld1,,)
description: Hostgroup - Test



Added the following to /etc/netsvc.conf...

sudoers = files, ldap

Updated my openldap config file with...

TLS_CACERTDIR   /etc/security/ldap/client_certs
TLS_CHECKPEER   no
TLS_REQCERT     never
URI             ldaps://FQDN_ADDRESS
BASE            dc=XXXXXX
BINDDN          CN=saUnixBind,OU=Account,DC=XXXXXX
BINDPW          SECRET
SUDOERS_BASE    ou=sudoers,dc=XXXXXX
NETWORK_TIMEOUT 5
TIMELIMIT       120
SSL             yes

** I have also tried adding:  NETGROUP_BASE  ou=netgroups,dc=XXXXXX  **

I also tried updating /usr/lib/security/methods.cfg and adding the following to the LDAP section...

   options = netgroup


Snippets from sudo debug file....
Mar 30 16:21:55 sudo[3015636] <- sudo_ldap_build_pass1 @ ./ldap.c:1079 := (&(objectClass=sudoRole)(|(sudoUser=PalmerHS)(sudoUser=#610171)(sudoUser=%IT_AIX_Admin)(sudoUser=%#157329)(sudoUser=ALL)))
Mar 30 16:21:55 sudo[3015636] ldap search '(&(objectClass=sudoRole)(|(sudoUser=PalmerHS)(sudoUser=#610171)(sudoUser=%IT_AIX_Admin)(sudoUser=%#157329)(sudoUser=ALL)))'
Mar 30 16:21:55 sudo[3015636] searching from base 'ou=sudoers,dc=unixldap,dc=ihs,dc=org'
Mar 30 16:21:55 sudo[3015636] adding search result
Mar 30 16:21:55 sudo[3015636] result now has 2 entries
Mar 30 16:21:55 sudo[3015636] <- sudo_ldap_get_first_rdn @ ./ldap.c:384 := palmerhsrole
Mar 30 16:21:55 sudo[3015636] -> hostlist_matches_int @ ./match.c:294
Mar 30 16:21:55 sudo[3015636] -> host_matches @ ./match.c:328
Mar 30 16:21:55 sudo[3015636] -> netgr_matches @ ./match.c:645
Mar 30 16:21:55 sudo[3015636] -> sudo_getdomainname @ ./match.c:590
Mar 30 16:21:55 sudo[3015636] <- sudo_getdomainname @ ./match.c:622 := (null)
Mar 30 16:21:55 sudo[3015636] netgroup hgrp_test matches (hiabld1|hiabld1, , ): false @ netgr_matches() ./match.c:671
Mar 30 16:21:55 sudo[3015636] <- netgr_matches @ ./match.c:674 := false
Mar 30 16:21:55 sudo[3015636] <- host_matches @ ./match.c:360 := -1
Mar 30 16:21:55 sudo[3015636] <- hostlist_matches_int @ ./match.c:301 := -1
Mar 30 16:21:55 sudo[3015636] <- display_priv_short @ ./parse.c:454 := 1


Since the debug does not display the actual search and results for the host netgroup, all I can figure is that it is not getting the results from LDAP that it needs to do the match check. I do not know if this is an openldap function or something passed to the OS to return the results of the netgroup. Could it be that AIX is expecting the msSFU30Name attribute within the netgroup object, and that is throwing things off?


Thank you,
Hil
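As an added illustration (not sudo's, AIX's or the poster's code), the block below emulates offline the innetgr(3)-style triple matching that sudo's netgr_matches() delegates to, over a constructed LDIF copy of the hgrp_test entry plus a hypothetical nested group hgrp_all. It shows which host/user/domain queries satisfy (hiabld1,,), including the domain being (null) as in the debug output above; exact string comparison is an assumption.

```python
# Constructed sample: the hgrp_test entry from the post plus a hypothetical
# hgrp_all group that nests it and carries a domain-qualified triple.
SAMPLE_LDIF = """\
dn: cn=hgrp_test,ou=netgroups,dc=XXXXXX
cn: hgrp_test
nisNetgroupTriple: (hiabld1,,)

dn: cn=hgrp_all,ou=netgroups,dc=XXXXXX
cn: hgrp_all
memberNisNetgroup: hgrp_test
nisNetgroupTriple: (hiabld2,,corp)
"""

def parse_netgroups(ldif):
    """Build {cn: {"triples": [(host, user, domain), ...], "members": [cn, ...]}}."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        entry = {"cn": None, "triples": [], "members": []}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            value = value.strip()
            if attr == "cn":
                entry["cn"] = value
            elif attr == "nisNetgroupTriple":
                # "(host,user,domain)"; an empty field is a wildcard
                entry["triples"].append(tuple(f.strip() for f in value.strip("()").split(",")))
            elif attr == "memberNisNetgroup":
                entry["members"].append(value)
        groups[entry["cn"]] = entry
    return groups

def _field_ok(pattern, value):
    # Empty triple field matches anything; a None query value (sudo's domain is
    # (null) in the debug output above) matches any domain field, as in innetgr(3).
    return pattern == "" or value is None or pattern == value

def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """innetgr(3)-style lookup with nested groups; exact string comparison assumed."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:   # unknown or cyclic group
        return False
    seen.add(netgroup)
    for h, u, d in groups[netgroup]["triples"]:
        if _field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain):
            return True
    return any(innetgr(groups, m, host, user, domain, seen)
               for m in groups[netgroup]["members"])

NETGROUPS = parse_netgroups(SAMPLE_LDIF)
```

With this data the query sudo logs, host hiabld1 with a null domain, does match hgrp_test, so a false result from the real lookup points at the resolver not returning the entry rather than at the triple itself.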


