[sudo-workers] Re: Sudo 1.6.8rc5 Ldap Group lookup

Jacob Pszonowsky jdp16 at mac.com
Tue Aug 10 21:42:28 EDT 2004

Solaris 9 on Sparc with the native ldap libraries.

The ldap query is being built ok - except that one group is being duplicated in the search - so it queries for 3 groups - only 2 actual group names. The third group that I belong to isn't included.

Here are my group outputs:
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
[cds12118:~] jacobp% groups
cadence1 cvsaccess itadmins
[cds12118:~] jacobp% id
uid=32413(jacobp) gid=1001(cadence1)
[cds12118:~] jacobp% id -a
uid=32413(jacobp) gid=1001(cadence1)  
[cds12118:~] jacobp%

And the results of sudo -l with debugging enabled:
[cds12118:~] jacobp% sudo -l
LDAP Config Summary
port         389
ldap_version 3
uri          (NONE)
sudoers_base ou=Pittsburgh,ou=Sudoers,ou=services,o=cadence.com
binddn       cn=proxyagent,ou=profile,o=cadence.com
bindpw       proxy
ldap_bind() ok
found:cn=defaults, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoOption: 'ignore_local_sudoers'
ldap search  
found:cn=Admins, ou=Pittsburgh, ou=Sudoers, ou=Services, o=cadence.com
ldap sudoHost 'ALL' ... MATCH!
ldap search 'sudoUser=+*'
User jacobp may run the following commands on this host:

LDAP Role: Admins
     !/usr/bin/vi /etc/passwd
     !/usr/bin/vi /etc/shadow
     !/usr/bin/vi /etc/ldap.conf
     !sudoedit /etc/passwd
     !sudoedit /etc/shadow
     !sudoedit /etc/ldap.conf
     !sudoedit /etc/nsswitch.conf
[cds12118:~] jacobp%

Of course now it is working. I wonder if somewhere the group call got  

I'll test some different systems tomorrow and let you know if I see any  


Jacob Pszonowsky

jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918

On Aug 10, 2004, at 6:07 PM, Aaron Spangler wrote:

> Hi Jacob,
> Please let us know what OS & OS Version you are using.  Also, if it is
> original SysV or HP-UX then is there anything in /etc/initgroups?
> Sudo does three calls to try to determine your groups.  The first is
> getgrgid(getgid()) which returns your primary group.  The second is
> that it calls getgroups(0,NULL) to ask how many groups you belong
> to (for memory allocation purposes).  Finally it calls
> getgroups() with a structure to receive the array of groups you belong
> to.
> The collection of your username + primary group + all the secondary
> groups is used to construct a query to send to LDAP.
> Try turning on ldap debugging (add "sudoers_debug 2" to  
> /etc/ldap.conf) to see that the query is being built correctly.
> Hope this all helps, let us know the results of the debugging and the  
> results of the "groups" and "id" and "id -a" commands.  We'll help  
> debug it and make sudo better.
> -Aaron
> Jacob Pszonowsky wrote:
>> Hey guys -
>> I'm having an interesting time trying to figure out how the LDAP  
>> support does the group lookup for a user. Sudo seems to be only  
>> finding 2 of my groups, not my third - even though "groups" reports  
>> all three for me.
>> I'm going to go dig around in the code, but I thought I'd post a  
>> question as to how it's supposed to be working.
>> Thanks,
>> Jake
>> Jacob Pszonowsky
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
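
The three-call group lookup Aaron describes, and the duplicated group Jacob saw in the search, as an added C example that is not sudo's own code: it gathers gids the same way, shows what deduplicating changes, and builds the LDAP filter from already-resolved group names. The (sudoUser=%group) filter form is assumed from sudo's LDAP schema (sudoers.ldap) rather than taken from this thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop repeated gids in place; returns the new length. Without this step
 * a primary gid that also appears in getgroups() output is searched twice. */
int dedup_gids(gid_t *list, int n)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        int j;
        for (j = 0; j < kept && list[j] != list[i]; j++) ;
        if (j == kept) list[kept++] = list[i];
    }
    return kept;
}

/* The three calls Aaron lists: getgid() for the primary group, getgroups(0,NULL)
 * for the count, getgroups(cnt, buf) for the array. With dedup == 0 the
 * primary gid usually lands in out[] twice, which is the duplicate Jacob saw. */
int collect_gids(gid_t *out, int max, int dedup)
{
    gid_t *buf; int n = 0, cnt;
    if (max < 1 || (cnt = getgroups(0, NULL)) < 0) return -1;
    if ((buf = malloc(sizeof(gid_t) * (cnt > 0 ? cnt : 1))) == NULL) return -1;
    out[n++] = getgid();
    cnt = getgroups(cnt, buf);
    for (int i = 0; i < cnt && n < max; i++)
        out[n++] = buf[i];
    free(buf);
    return dedup ? dedup_gids(out, n) : n;
}

/* Build "(|(sudoUser=user)(sudoUser=%g1)...)" from resolved group names,
 * emitting each name once (the %group form is assumed from sudo's LDAP schema). */
int build_filter(char *dst, size_t cap, const char *user, const char **groups, int ngroups)
{
    int len = snprintf(dst, cap, "(|(sudoUser=%s)", user);
    for (int i = 0; i < ngroups && (size_t)len < cap; i++) {
        int j;
        for (j = 0; j < i && strcmp(groups[j], groups[i]) != 0; j++) ;
        if (j == i)
            len += snprintf(dst + len, cap - len, "(sudoUser=%%%s)", groups[i]);
    }
    if ((size_t)len < cap) len += snprintf(dst + len, cap - len, ")");
    return len;
}
```

Calling collect_gids() with dedup set to 0 and then 1 on the Solaris box would show directly whether the primary group is the one counted twice.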
