[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup

Jacob Pszonowsky jdp16 at mac.com
Tue Aug 10 21:42:28 EDT 2004


Solaris 9 on Sparc with the native ldap libraries.

The ldap query is being built ok - except that one group is being  
duplicated in the search - so it queries for 3 groups - only 2 actual  
group names. The third group that I belong to isn't included.

Here are my group outputs:
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
[cds12118:~] jacobp% groups
cadence1 cvsaccess itadmins
[cds12118:~] jacobp% id
uid=32413(jacobp) gid=1001(cadence1)
[cds12118:~] jacobp% id -a
uid=32413(jacobp) gid=1001(cadence1)  
groups=1001(cadence1),1244(cvsaccess),1333(itadmins)
[cds12118:~] jacobp%

And the results of sudo -l with debugging enabled:
[cds12118:~] jacobp% sudo -l
LDAP Config Summary
===================
host         158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73  
158.140.143.59
port         389
ldap_version 3
uri          (NONE)
sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
binddn       cn=proxyagent,ou=profile,o=cadence.com
bindpw       proxy
===================
ldap_init(158.140.28.207 158.140.62.11 158.140.32.91 158.140.13.73  
158.140.143.59,389)
ldap_bind() ok
found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoOption: 'ignore_local_sudoers'
ldap search '(|(sudoUser=jacobp)(sudoUser=%cadence1)(sudoUser=%cadence1)(sudoUser=%cvsaccess)(sudoUser=%itadmins)(sudoUser=ALL))'
found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoHost 'ALL' ... MATCH!
ldap search 'sudoUser=+*'
user_matches=-1
host_matches=-1
sudo_ldap_check(50)=0x02
User jacobp may run the following commands on this host:

LDAP Role: Admins
   Commands:
     !/usr/bin/vi /etc/passwd
     !/usr/bin/vi /etc/shadow
     !/usr/bin/vi /etc/ldap.conf
     !sudoedit /etc/passwd
     !sudoedit /etc/shadow
     !sudoedit /etc/ldap.conf
     !sudoedit /etc/nsswitch.conf
     !/usr/sbin/ldapclient
     !/bin/sh
     !/bin/bash
     !/bin/ksh
     !/bin/tcsh
     !/bin/csh
     !/bin/su
     !/grid/common/bin/tcsh
     !/grid/common/bin/bash
     !/usr/ngnu/bin/tcsh
     !/usr/ngnu/bin/bash
     !xterm
     ALL
[cds12118:~] jacobp%

Of course now it is working. I wonder if somewhere the group call got  
cached?

I'll test some different systems tomorrow and let you know if I see any  
inconsistencies.

Thanks,
Jake

Jacob Pszonowsky

jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918

On Aug 10, 2004, at 6:07 PM, Aaron Spangler wrote:

> Hi Jacob,
>
> Please let us know what OS & OS Version you are using.  Also, if it is  
> original SysV or HP-UX then is there anything in /etc/initgroups?
>
> Sudo does three calls to try to determine your groups.  The first is  
> getgrgid(getgid()) which returns your primary group.  The second is  
> that it calls getgroups(0,NULL) to ask how many groups you  
> belong to. (For memory allocation purposes).  Finally it calls  
> getgroups() with a structure to receive the array of groups you belong  
> to.
>
> The collection of your username + primary group + all the secondary  
> groups are used to construct a query to send to LDAP.
>
> Try turning on ldap debugging (add "sudoers_debug 2" to  
> /etc/ldap.conf) to see that the query is being built correctly.
>
> Hope this all helps, let us know the results of the debugging and the  
> results of the "groups" and "id" and "id -a" commands.  We'll help  
> debug it and make sudo better.
>
> -Aaron
>
>
> Jacob Pszonowsky wrote:
>
>> Hey guys -
>>
>> I'm having an interesting time trying to figure out how the LDAP  
>> support does the group lookup for a user. Sudo seems to be only  
>> finding 2 of my groups, not my third - even though "groups" reports  
>> all three for me.
>>
>> I'm going to go dig around in the code, but I thought I'd post a  
>> question as to how it's supposed to be working.
>>
>> Thanks,
>> Jake
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>
>