[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup

Aaron Spangler as at insight.rr.com
Tue Aug 10 21:07:22 EDT 2004

Hi Jacob,

Please let us know what OS & OS Version you are using.  Also, if it is 
original SysV  or HP-UX then is there anything in /etc/initgroups?

Sudo does three calls to try to determine your groups.  The first is 
getgrgid(getgid()) which returns your primary group.  The second is that 
it calls getgroups(0,NULL) with a to ask how many groups you belong to. 
(For memory allocation purposes).  Finaly it calls getgroups() with a 
structure to receive the array of groups you belong to.

The collection of your username + primary group + all the secondary 
groups are used to construct an query to send to LDAP.

Try turning on ldap debugging (add "sudoers_debug 2" to /etc/ldap.conf) 
to see that the query is being built correctly.

Hope this all helps, let us know the results of the debugging and the 
results of the "groups" and "id" and "id -a" commands.  We'll help debug 
it and make sudo better.


Jacob Pszonowsky wrote:

> Hey guys -
> I'm having an interesting time trying to figure out how the LDAP 
> support does the group lookup for a user. Sudo seems to be only 
> finding 2 of my groups, not my third - even though "groups" reports 
> all three for me.
> I'm going to go dig around in the code, but I thought I'd post a 
> question as to how it's supposed to be working.
> Thanks,
> Jake
> Jacob Pszonowsky
> jdp16 at mac.com
> (c) 415.225.2647
> (f) 415.358.5918

More information about the sudo-workers mailing list